SUSEfirewall udp broadcast

Malte Gell-3
In order to allow UDP broadcast with the SUSEfirewall, is it enough to add
e.g. BROADCAST="123,456" to the rules or is there more to add?

I ask, because in my set UDP broadcast may have been dropped, despite
using BROADCAST="123"....

Thanks
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Re: SUSEfirewall udp broadcast

Andreas Stieger-2
Hello,


On 03/21/2017 09:45 AM, Malte Gell wrote:
> In order to allow UDP broadcast with the SUSEfirewall, is it enough to add
> e.g. BROADCAST="123,456" to the rules or is there more to add?
>
> I ask, because in my set UDP broadcast may have been dropped, despite
> using BROADCAST="123"....

There is no setting with this name for SuSEfirewall2. To continue
discussion, please give your actual configuration and actual
observation, thank you.

Andreas

--
Andreas Stieger <[hidden email]>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)


Re: SUSEfirewall udp broadcast

Malte Gell-3
On 21.03.2017 at 09:57, Andreas Stieger wrote:
> Hello,
>
>
> On 03/21/2017 09:45 AM, Malte Gell wrote:
>> In order to allow UDP broadcast with the SUSEfirewall, is it enough to add
>> e.g. BROADCAST="123,456" to the rules or is there more to add?
>>
>> I ask, because in my set UDP broadcast may have been dropped, despite
>> using BROADCAST="123"....

> There is no setting with this name for SuSEfirewall2

From /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE

# space separated list of allowed UDP ports that accept broadcasts
BROADCAST=""


I tried to get KDE Connect to work, a KDE application on the Linux
machine and an Android app with the same name on an Android device to
connect a droid with a Linux box.
It requires access to UDP/TCP ports from 1714-1764.

KDE Connect comes with a preinstalled rule set for SUSEfirewall2 which I
paste below.

This rule set seems to open these required ports, nevertheless it did not
work.

Only disabling SUSEfirewall2 made both apps connect to each other. This is
why I asked if there is more to do than opening tcp/udp ports.

I disabled SUSEfirewall2, connected the apps, enabled SUSEfirewall2
again and it worked....
You don't need to dig deep here, since this workaround made it work now.

This is the rule set for KDE Connect that comes with the app's rpm:

# space separated list of allowed TCP ports
TCP="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726
1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740
1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754
1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"

# space separated list of allowed UDP ports
UDP="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726
1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740
1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754
1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"

# space separated list of allowed UDP ports that accept broadcasts
BROADCAST="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725
1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739
1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753
1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"



Re: SUSEfirewall udp broadcast

Andreas Stieger-2
Hi,


On 03/21/2017 10:53 AM, Malte Gell wrote:

> On 21.03.2017 at 09:57, Andreas Stieger wrote:
>> On 03/21/2017 09:45 AM, Malte Gell wrote:
>>> In order to allow UDP broadcast with the SUSEfirewall, is it enough to add
>>> e.g. BROADCAST="123,456" to the rules or is there more to add?
>>>
>>> I ask, because in my set UDP broadcast may have been dropped, despite
>>> using BROADCAST="123"....
>> There is no setting with this name for SuSEfirewall2
> From /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE
>
> # space separated list of allowed UDP ports that accept broadcasts
> BROADCAST=""

So it's a service.
You'll need to first allow broadcast in general in
/etc/sysconfig/SuSEfirewall2 via FW_ALLOW_FW_BROADCAST_EXT, _INT, _DMZ.

Andreas

--
Andreas Stieger <[hidden email]>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
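
Added example, not part of the thread and not SuSEfirewall2's own code: a shell check of which zones would let a broadcast to a given UDP port through, based on the FW_ALLOW_FW_BROADCAST_EXT, _INT and _DMZ variables named above. It assumes each value is "yes", "no" (also when unset or empty) or a space-separated port list, and that ranges may be written lo:hi as elsewhere in this thread; the sample config text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of /etc/sysconfig/SuSEfirewall2 (not a real config).
SAMPLE_CONFIG='FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="1714:1764 631"
FW_ALLOW_FW_BROADCAST_DMZ=""'

# get_var NAME CONFIG_TEXT: print the value of NAME="..." (last assignment wins).
get_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"[[:space:]]*\$/\1/p" | tail -n 1
}

# port_in_list PORT LIST: succeed if PORT equals an entry or lies in a lo:hi range.
# The lo:hi range form is an assumption of this example.
port_in_list() {
    for entry in $2; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && return 0 ;;
            *)   [ "$1" -eq "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# broadcast_allowed ZONE PORT CONFIG_TEXT: print "allowed" or "dropped".
# Assumed value format: "yes", "no", or a port list; unset or empty counts as "no".
broadcast_allowed() {
    val=$(get_var "FW_ALLOW_FW_BROADCAST_$1" "$3")
    case $val in
        yes)   echo allowed ;;
        no|'') echo dropped ;;
        *)     if port_in_list "$2" "$val"; then echo allowed; else echo dropped; fi ;;
    esac
}

# report PORT CONFIG_TEXT: one line per zone.
report() {
    for zone in EXT INT DMZ; do
        printf '%s: %s\n' "$zone" "$(broadcast_allowed "$zone" "$1" "$2")"
    done
}

# 1716 lies inside the KDE Connect range quoted in this thread.
report 1716 "$SAMPLE_CONFIG"
```

To check a real system, pass the file contents instead of the sample, e.g. `report 1716 "$(cat /etc/sysconfig/SuSEfirewall2)"`.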


Re: SUSEfirewall udp broadcast

Malte Gell-3
On 21.03.2017 at 11:44, Andreas Stieger wrote:

> Hi,
>
>
> On 03/21/2017 10:53 AM, Malte Gell wrote:
>> On 21.03.2017 at 09:57, Andreas Stieger wrote:
>>> On 03/21/2017 09:45 AM, Malte Gell wrote:
>>>> In order to allow UDP broadcast with the SUSEfirewall, is it enough to add
>>>> e.g. BROADCAST="123,456" to the rules or is there more to add?
>>>>
>>>> I ask, because in my set UDP broadcast may have been dropped, despite
>>>> using BROADCAST="123"....
>>> There is no setting with this name for SuSEfirewall2
>> From /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE
>>
>> # space separated list of allowed UDP ports that accept broadcasts
>> BROADCAST=""
>
> So it's a service.
> You'll need to first allow broadcast in general in
> /etc/sysconfig/SuSEfirewall2 via FW_ALLOW_FW_BROADCAST_EXT, _INT, _DMZ.

Ah, okay.
Is it okay to make changes in /etc/sysconfig/SuSEfirewall2 ? Doesn't it
get overwritten with software updates?
Thanks



Re: SUSEfirewall udp broadcast

Carlos E. R.-2
On 2017-03-22 09:09, Malte Gell wrote:

> Ah, okay.
> Is it okay to make changes in /etc/sysconfig/SuSEfirewall2 ? Doesn't it
> get overwritten with software updates?

No.

Over the years I have only experienced problems with some distribution
upgrades. The common problem was with multiline vars, but I did not
experience it with 42.2.

So, yes, of course you can write to the file.

--
Cheers / Saludos,

                Carlos E. R.

  (from 42.2 x86_64 "Malachite" (Minas Tirith))



Re: SUSEfirewall udp broadcast

Andreas Stieger-2
In reply to this post by Malte Gell-3
Hello,

On 03/22/2017 09:09 AM, Malte Gell wrote:
> Is it okay to make changes in /etc/sysconfig/SuSEfirewall2 ?

Yes.

> Doesn't it get overwritten with software updates?

No, normal rpm rules for edited config files apply, as do the
fillup-templates mechanisms.

Andreas

--
Andreas Stieger <[hidden email]>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)


Re: SUSEfirewall udp broadcast

Christian
In reply to this post by Malte Gell-3
On 21.03.2017 at 10:53, Malte Gell wrote:
> # space separated list of allowed TCP ports
> TCP="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726
> 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740
> 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754
> 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
to ease typing:
TCP="1714:1764"

>
> # space separated list of allowed UDP ports
> UDP="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726
> 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740
> 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754
> 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
to ease typing:
UDP="1714:1764"

>
> # space separated list of allowed UDP ports that accept broadcasts
> BROADCAST="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725
> 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739
> 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753
> 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
to ease typing:
BROADCAST="1714:1764"



--

Christian
------------------------------------------------------------
   https://join.worldcommunitygrid.org?recruiterId=177038
------------------------------------------------------------
           http://www.sc24.de - Sportbekleidung
------------------------------------------------------------



Re: SUSEfirewall udp broadcast

Malte Gell-3
On 22.03.2017 at 11:39, Christian wrote:
> On 21.03.2017 at 10:53, Malte Gell wrote:
>> (....)
>> # space separated list of allowed UDP ports that accept broadcasts
>> BROADCAST="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725
>> 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739
>> 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753
>> 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"

> to ease typing:
> BROADCAST="1714:1764"
Yes, indeed ;-)

