No firewall and X server listening globally

No firewall and X server listening globally

Uwe Geuder
Hi!

I have installed several OpenSUSE machines during recent years and I
believe they always enabled the firewall by default. At least I don't
remember having done anything special and the firewall was active. Some
installations were done from promotion DVDs, others from some image
downloaded, not sure which variant.

My last installation I made from a 13.2 KDE Live image. To my surprise
the firewall is not activated. Again I'm quite sure I made no
non-default choices in that direction and I don't remember having seen a
selection in the installer where I could have explicitly chosen to
enable it.

By default the X server does not listen to TCP port at all. That's fine,
especially if there is no firewall. But if I start an additional session
(KDE menu "Switch user") the second X server is listening to TCP port 6001
globally.

$ ps -fp $(pgrep -d , Xorg)
UID        PID  PPID  C STIME TTY          TIME CMD
root      1543  1499  0 14:25 tty7     00:00:09 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -seat seat0 -auth /var/lib/kdm/AuthFiles/A:0-kwjL1b
root      2387  1499  0 14:27 tty8     00:00:01 /usr/bin/Xorg -br :1 vt8 -seat seat0 -auth /var/lib/kdm/AuthFiles/A:1-m4GpQa

$ sudo /usr/sbin/ss -ltpn | grep Xorg
LISTEN     0      128                       *:6001                     *:*      users:(("Xorg",pid=2387,fd=3))
LISTEN     0      128                      :::6001                    :::*      users:(("Xorg",pid=2387,fd=1))

Questions: Does everything I see here work as it should?

1.) Firewall not active by default
2.) 2nd X server listening to TCP


Regards,

Uwe


P.S. Apologies for being a bit vague on the installation. But I don't
have spare machines and installation takes quite long, especially when
having to do it on a small virtual machine. So I take the freedom to
violate the rule of investigate first and ask stupid questions
on the list thereafter...


Uwe Geuder
Nomovok Ltd.
Tampere, Finland
[hidden email] (bot test: humans correct 1 obvious spelling error)
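
A way to script the check from the post above, as an added example that is not part of the original thread: it reads `ps -f` and `ss -ltpn` output and reports each Xorg started without `-nolisten tcp` and each Xorg TCP listener with its bind scope. The function names and the third `ss` sample line (a loopback-only listener) are constructed for illustration.

```shell
#!/bin/sh
# Sample input: the ps and ss lines from the post (whitespace condensed),
# plus one constructed loopback-only listener for contrast.
SAMPLE_PS='root 1543 1499 0 14:25 tty7 00:00:09 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -seat seat0 -auth /var/lib/kdm/AuthFiles/A:0-kwjL1b
root 2387 1499 0 14:27 tty8 00:00:01 /usr/bin/Xorg -br :1 vt8 -seat seat0 -auth /var/lib/kdm/AuthFiles/A:1-m4GpQa'
SAMPLE_SS='LISTEN 0 128 *:6001 *:* users:(("Xorg",pid=2387,fd=3))
LISTEN 0 128 :::6001 :::* users:(("Xorg",pid=2387,fd=1))
LISTEN 0 128 127.0.0.1:6002 *:* users:(("Xorg",pid=3000,fd=5))'

# Reads `ps -f` lines; prints "pid display" for each Xorg process whose
# command line lacks "-nolisten tcp". The flag only shows intent; the
# socket table checked by x_tcp_listeners is the authoritative evidence.
x_missing_nolisten() {
    awk '$8 ~ /(^|\/)Xorg$/ && !/ -nolisten tcp( |$)/ {
        disp = "?"
        for (i = 9; i <= NF; i++) if ($i ~ /^:[0-9]+$/) disp = $i
        print $2, disp
    }'
}

# Reads `ss -ltpn` lines; prints "display port addr pid scope" for each
# TCP socket owned by Xorg. X11 over TCP uses port 6000 + display number.
x_tcp_listeners() {
    awk '$1 == "LISTEN" && /\(\("Xorg",/ {
        port = $4; sub(/^.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)    # text before the port
        pid = "?"
        if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
        scope = (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") ? "loopback" : "global"
        printf ":%d %s %s %s %s\n", port - 6000, port, addr, pid, scope
    }'
}

# Run against the embedded samples. On a live system, feed the commands
# from the post instead:
#   ps -fp "$(pgrep -d , Xorg)" | x_missing_nolisten
#   sudo /usr/sbin/ss -ltpn | x_tcp_listeners
printf '%s\n' "$SAMPLE_PS" | x_missing_nolisten
printf '%s\n' "$SAMPLE_SS" | x_tcp_listeners
```

Any line ending in `global` is an X display reachable from other hosts unless a packet filter blocks the port.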

Re: No firewall and X server listening globally

Carlos E. R.-2
On 2015-04-29 at 15:47 +0300, Uwe Geuder wrote:

> My last installation I made from a 13.2 KDE Live image. To my surprise
> the firewall is not activated.

An issue has come to light recently. If the network interface is not
up, the firewall configuration fails and it doesn't start. People do not
even notice the firewall is down.

View this thread: <http://forums.opensuse.org/showthread.php?t=507151>

--
Cheers
        Carlos E. R.

        (from 13.1 x86_64 "Bottle" (Minas Tirith))


Re: No firewall and X server listening globally

Bugzilla from admin@different-perspectives.com
Is that firewall up when installed or when the machine is rebooted?

I've had 2 installs recently (1 clean, 1 an upgrade), both double NIC
machines, where the install process failed to configure any working NICs.

I'll check their firewalls :-(

David

On Wednesday 06 May 2015 04:42:50 Carlos E. R. wrote:

> On 2015-04-29 at 15:47 +0300, Uwe Geuder wrote:
> > My last installation I made from a 13.2 KDE Live image. To my surprise
> > the firewall is not activated.
>
> An issue has come to light recently. If the network interface is not
> up, the firewall configuration fails and it doesn't start. People do not
> even notice the firewall is down.
>
> View this thread: <http://forums.opensuse.org/showthread.php?t=507151>
>
> --
> Cheers
>         Carlos E. R.
>
>         (from 13.1 x86_64 "Bottle" (Minas Tirith))

Re: No firewall and X server listening globally

Johannes Segitz
In reply to this post by Uwe Geuder
On Wed, Apr 29, 2015 at 03:47:07PM +0300, Uwe Geuder wrote:
> I have installed several OpenSUSE machines during recent years and I
> believe they always enabled the firewall by default.

They are in the default install, but apparently not on the live CDs. I'm
currently working on enabling the firewall by default. For now the firewall
has to be enabled manually either before installing or after the install.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE LINUX GmbH        Maxfeldstraße 5            90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)


Re: No firewall and X server listening globally

jsegitz
Thank you for your report

On Wed, May 06, 2015 at 12:06:05PM +0200, Johannes Segitz wrote:
> On Wed, Apr 29, 2015 at 03:47:07PM +0300, Uwe Geuder wrote:
> > I have installed several OpenSUSE machines during recent years and I
> > believe they always enabled the firewall by default.
>
> They are in the default install, but apparently not on the live CDs. I'm
> currently working on enabling the firewall by default. For now the firewall
> has to be enabled manually either before installing or after the install.

For the live DVDs (at least for KDE) the firewall is not active, so if you
install it uses this configuration. Changing the existing live DVDs is
problematic (and there is already a warning message "Some alternative media
(eg. live and rescue systems) are also available, although they are less
tested and recommended for only limited use. ").

I submitted a fix so that the next version will enable the firewall by
default and also submitted changed release notes, that warn of this problem
and show how to enable the firewall.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
Graham Norton, HRB 21284 (AG Nürnberg)
