Bugzilla – Bug 196475
Broadcast with Firewall turned on
Last modified: 2007-11-27 13:04:21 UTC
I've found a new possibility to allow SLP Broadcast (allow broadcast replies) to be accepted by the host behind firewall. By now iptables don't support the broadcast reply at all. _The concept is rather simple, here are summarized pieces of information_: - YaST Firewall YCP Module (yast2-2.13.69) can read and write Expert Firewall Rules. These rules are defined as network,protocol,[destination-port],[source-port]. We have to think about the SLP Broadcast reply, not about the SLP broadcast itself. - SLP Broadcas sends a magic packet to the 'network' to UDP port 427. - Some computers can reply back _from_ the UDP port 427. - By now firewall drops that kind of packets by default. - Current local network can be counted for all network interfaces using the IP and Netmask. So what can we do with it? - In case of enabled (running) firewall, open a dialog with listed network interfaces or network zones and tell the user that if he wants to use the SLP feature, he will also have to permit those replies while searching. - If there are only interfaces in the EXT zone, EXT zone will be pre-selected. - If there are interfaces in EXT and any Other zone, EXT will NOT be pre-selected, pre-selected will be all other that contain at least one interface. - This per-zone browsing could be also done per-interface. - User will still be able to allow browsing in all networks he wants. - Then, when he decides to browse the network, special expert rule for all selected interfaces will be written and firewall restarted. - Then the SLP Browse command will be sent. - After it finishes, the previous firewall configuration will be renewed and firewall restarted. _Questions and answers_: Q: Does it create some hole into my firewall? A: Yes, but a very limited hole: for one UDP port, for zone you select to be open for browsing, for 'local' network. YaST doesn't do anything on its own. Just enables slp-reply for networks you select. Q: I'm so scared, can anyone hack my computer using this hole? A: Well, if you don't trust the network you are inside, why should you trust what you get as the SLP Browse Reply? And yes, there is always that small possibility that someone on the network is waiting for you to Browse the network using SLP. _How it looks like with this feature_: // the expert rule X.Y.0.0/255.255.248.0,udp,,427 // query IP X.Y.1.9.1116 > 239.255.255.253.427: UDP, length 44 // replies IP X.Y.1.55.427 > X.Y.1.9.1116: UDP, length 58 IP X.Y.1.75.427 > X.Y.1.9.1116: UDP, length 60 IP X.Y.3.2.427 > X.Y.1.9.1116: UDP, length 57 IP X.Y.1.133.427 > X.Y.1.9.1116: UDP, length 57
Ludwig, sorry for bothering you, but what do you think of this feature?
Hey, Christian, welcome to the club. What does the openSUSE comunity (you) think of this issue :)? Have you seen anything about Firewall vs. Broadcast (SLP Browsing) in opensuse mails, forums, wiki...?
(In reply to comment #2) > Hey, Christian, welcome to the club. ;-) > Have you seen anything about Firewall vs. Broadcast (SLP Browsing) in > opensuse mails, forums, wiki...? Not that I knew of - at least in suse-{linux,security} and opensuse{,-factory}. But the reason may be that SLP is (IMHO) rarely used in small environments - and in large companies the network is (hopefully ;-) trusted enough to shutdown the firewall on internal machines. And: If SLP is used, then it will be for installation in many cases - there isn't a firewall in this stage yet ;-) That said: I think your idea is very good. Why should one need to shutdown the whole firewall just to open a single port? Question: AFAIK Samba machine browsing uses broadcasts and requires the firewall to be shutdown (or Samba in the internal zone) for machine listings etc. Would the implementation of your idea also allow firewalled samba broadcasts (with the required ports open, of course)? If yes, then we found something that was asked several times already ;-)
Considering the SLP, firewall is turned 'on' by default, that's why we have to deal with it. Compared to a Windows-based network, I'd still leave it running in a bigger network (but that's always a philosophical question). SLP can be also used when searching for NTP server or for another network installation source. It's used on several places in YaST. Considering Samba, this example above was about SLP, on the other hand if anybody could describe how Samba communicates, which ports and protocols are used for what, it shouldn't be problem to adjust the expert rule for that. So the enhancement could be renamed :)
The setting you suggest doesn't open one udp port. It opens all udp ports, an attacker just has to send the packets so that they originate from port 427. So it doesn't make sense to introduce any SLP special here. You could add an option to configure "trusted ip ranges" per zone instead if you want to. e.g FW_SERVICES_ACCEPT_EXT="10.10.0.0/16". A protocol is currently required but I can make it optional.
Yes I know, but defining port 427 limits the possibility for attacker. The attacker also doesn't know when I want to browse the network, that's the other limitation (and sending tones of packets to port 427 all the time would be hopefully found by a Network Administrator). The rule could be better defined as: X.Y.0.0/255.255.248.0,udp,1025:65535,427 This rule would open only high UDP ports :) Well, there still migh be running some service on a high UDP port. That still CAN be protected :) netstat shows what is listening where :)...
Yeah, there is always a way to make it even more complicated and obscure.
Security by obscurity :) This commands prints all port numbers that are occupied by running (listening) UDP services, sorted: netstat --listening --numeric --inet --udp 2>/dev/null | sed 's/[^:]\+:\([^ \t]\+\).*/\1/' | sort --numeric-sort | uniq So a rule for opening the broadcast reply would open port ranges that don't involve ports listed above (higher than 1024, 1-1024 would stay protected). But Ludwig is right that it maybe doesn't make sense to have a firewall turned on a trusted (browsable) network, despite the fact that I always prefer having firewall running even if it makes things harder.
jsrain, visnov: The basic question is - Are we interested in any (or some) kind(s) of browsing the network with firewall turned on? Does it make sense? The solution might be i bit hacky, but there is always at least some 'possibility' how to do it. Maybe a FaTE request would help, maybe broadcast (+ accepting broadcast reply) support in iptables would be a better solution (not a hacky one).
@#8: It makes sense even on trusted network. The reason may be laptops which may contain some malware infection got when connected somewhere else. Anyway, the rules should not be that strict... @#9: accepting bcast reply seems to me to be the best solution
Jiri, could you, please, file a FATE request and mention the request number here?
Postponing after some decision is made.
*** Bug 223465 has been marked as a duplicate of this bug. ***
Possible solution for broadcast reply: --- cut --- To browse smb shares from your linux system whilst iptables is running you'll have to load the "ip_conntrack_netbios_ns" module. This allows netbios broadcasts sent from your system back through the firewall: modprobe ip_conntrack_netbios_ns To have this loaded each time iptables starts add this to /etc/sysconfig/iptables-config: IPTABLES_MODULES="ip_conntrack_netbios_ns" --- cut ---
Lukas Is comment #15 supposed to work for SLE 10 as well? I ask because this is a very common issue on SLED 10 and I tried the suggestion in comment #15 but it didn't work.
Yes, Joe, we have the same base-system for all our products based on Linux. Nevertheless this must be evaluated by the security team (particularly Lnussel).
(In reply to comment #17) > Yes, Joe, we have the same base-system for all our products based on Linux. Well, the reason I asked is because the 10.2 code is newer than SLE 10 base and since it was supposed to be working on 10.2 I just didn't know if it was something that only went into 10.2 and might go into the SLE SP1 base or some other option. And if it wasn't planned for the SP1 then I would like to get it pushed in that direction.
Actually, "Broadcast with Firewall turned on" doesn't work on any SUSE Linux, openSUSE, SLES, NLD, SLE or SLD and never worked. If you are interested in it, please, push it forward :) Thanks
OK, this seems to be WONTFIX... Anyway, the FATE request still remains.