Re: firewall configuring
On 14.11.2012 18:01, lee wrote:
>> ftp is ALWAYS using random ports
>>
>> active: on the client side
>> passive: on the server side
>>
>> so on one side there must be a firewall rule or connection
>> tracking for sure depending on the ftp-mode, how the tracking
>> is made is an implementation detail
>
> There isn't anything random about these ports, see
> http://en.wikipedia.org/wiki/File_Transfer_Protocol

surely

pure-ftpd: PassivePortRange 1 10100

you get a random port for the data-connection which is specified by the
server and without configuration a port between 1025 and 65535 as for
any other ftp-server

so the client gets over the control-connection to which dataport he has
to connect, this port must be open for the client on the server side

for active ftp it is the opposite: the client is choosing a random port,
notifies the server which port and the server makes a new data connection

in both cases the firewall must open this connection no matter how it is
implemented, but it must do this

>> nf_conntrack: automatic helper assignment is deprecated and it will be
>> removed soon. Use the iptables CT target to
>> attach helpers instead.
>
> I don't know what you mean --- I haven't looked into it since a very
> long time, and when I did, there was an extra kernel module to handle
> ftp connections in combination with some firewall rules to allow traffic
> on the data ports. There wasn't anything random about it. So what has
> changed?

yes, and nf_conntrack FTP opens dynamically the data-connection but it is
a part of iptables/firewall so it is random and the firewall has to know
about it

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
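The mechanism the two posters are arguing about, as an added example that is not code from the thread or from the kernel's nf_conntrack_ftp: a minimal model of what an FTP connection-tracking helper does. It reads the control connection, decodes the client's PORT command (active mode) or the server's 227 reply (passive mode), and yields the single data connection the firewall should admit as RELATED; it also applies the check a defender wants, that the announced address is the control-connection peer, so a forged PORT/PASV line cannot open a hole towards some third host. Addresses, port range and sample lines are constructed.

```python
"""Added example: a toy FTP conntrack helper (not the kernel's nf_conntrack_ftp).
Shows how the data port is learned from the control channel in both FTP modes
and why the firewall must validate the announced address."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# "h1,h2,h3,h4,p1,p2": four address octets, then port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Expectation:
    """The data connection the firewall must allow once it has been announced."""
    mode: str          # "active" or "passive"
    initiator: str     # address that opens the data connection
    target: str        # address it connects to
    target_port: int   # the "random" port chosen by client (active) or server (passive)


def decode_hostport(fields) -> Tuple[str, int]:
    """Turn the six comma-separated decimal fields into (address, port)."""
    nums = [int(f) for f in fields]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed host-port field")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def track_control_line(line: str, client_ip: str, server_ip: str,
                       from_client: bool, loose: bool = False) -> Optional[Expectation]:
    """Inspect one control-channel line; return the expected data connection
    or None if the line announces nothing.
    from_client: True for client->server text (PORT), False for server replies (227).
    loose: accept announcements for a third-party address (unsafe default for a firewall)."""
    if from_client:
        m = PORT_RE.match(line)
        if not m:
            return None
        addr, port = decode_hostport(m.groups())
        # Active mode: the client picked a port and the SERVER connects back to it,
        # so the client-side firewall has to admit an inbound connection.
        if not loose and addr != client_ip:
            raise ValueError(f"PORT announces {addr}, control peer is {client_ip}")
        return Expectation("active", server_ip, addr, port)
    m = PASV_RE.match(line)
    if not m:
        return None
    addr, port = decode_hostport(m.groups())
    # Passive mode: the SERVER picked a port (e.g. from PassivePortRange) and the
    # client connects to it, so the server-side firewall has to admit it.
    if not loose and addr != server_ip:
        raise ValueError(f"227 announces {addr}, control peer is {server_ip}")
    return Expectation("passive", client_ip, addr, port)


def is_rejected(line: str, client_ip: str, server_ip: str, from_client: bool) -> bool:
    """True when the helper refuses the announcement (address/peer mismatch)."""
    try:
        track_control_line(line, client_ip, server_ip, from_client)
    except ValueError:
        return True
    return False


def in_passive_range(exp: Expectation, low: int, high: int) -> bool:
    """True if a passive data port lies inside the range a static server-side
    rule was written for; a static rule only works if it matches the server's
    configured passive range."""
    return exp.mode == "passive" and low <= exp.target_port <= high


# Constructed sample exchange between client 192.0.2.10 and server 198.51.100.5.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE_ACTIVE = "PORT 192,0,2,10,4,1"                              # client port 1025
SAMPLE_PASSIVE = "227 Entering Passive Mode (198,51,100,5,39,16)"  # server port 10000
SAMPLE_FORGED = "PORT 203,0,113,9,0,22"                            # points at a third host

if __name__ == "__main__":
    print(track_control_line(SAMPLE_ACTIVE, CLIENT, SERVER, True))
    print(track_control_line(SAMPLE_PASSIVE, CLIENT, SERVER, False))
    print("forged PORT rejected:", is_rejected(SAMPLE_FORGED, CLIENT, SERVER, True))
```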
Re: firewall configuring
Tim writes:

> Allegedly, on or about 14 November 2012, lee sent:
>> They are saying on the web page that it has the advantages of not
>> unloading the modules and being able to change FW configuration
>> without interrupting connections and while keeping the firewall up.
>> I've never had problems with that on Debian
>
> Nor I with Fedora. I used to change rules while testing things, I don't
> recall connections being broken when I did that.

I haven't done any testing about it --- connections were not interrupted
on Debian, and I can't tell for Fedora yet.

>> A constantly running daemon that can quietly modify firewall rules
>> looks like a nice tool for creating security problems.
>
> Especially if controlled by applications, rather than the user. It's
> for reasons like that, that I always disallowed UPnP in modem/routers.
> Allowing applications, especially on Windows, to just do what they
> wanted with the firewall negated the concept of having one.

Mmhm --- and with firewall rules, it likely won't show up unless you
actually check and monitor something like the output of 'iptables --list'.
So upgrading the firewalling on Fedora will mean downgrading on security,
which is counter productive.

>> FTP isn't using random ports. It's using two ports, and firewalls
>> need to be set up correctly to deal with that. There's a kernel
>> module for this very purpose.
>
> There's two modes of FTP, active and passive. With one of them, the
> traditional method of using FTP, the second connection was on a random
> port. Sometimes you have to use a server that only works that way, and
> it can be a right pain. Some routers have trouble with it ...
>
> I haven't used Shorewall, so I can't comment on its behaviour.

With shorewall, I've only been running an ftp server over ssh, and it just
worked with opening the appropriate ssh port. I couldn't find out what
actually happened in the background and was worried if the connection on
one of the ports won't be encrypted or if everything goes over the same
port in that case ...

--
Fedora 17
Re: firewall configuring
Reindl Harald writes:

> On 14.11.2012 12:24, lee wrote:
>> FTP isn't using random ports. It's using two ports, and firewalls need
>> to be set up correctly to deal with that. There's a kernel module for
>> this very purpose.
>
> ftp is ALWAYS using random ports
>
> active: on the client side
> passive: on the server side
>
> so on one side there must be a firewall rule or connection
> tracking for sure depending on the ftp-mode, how the tracking
> is made is an implementation detail

There isn't anything random about these ports, see
http://en.wikipedia.org/wiki/File_Transfer_Protocol

> and if you read dmesg-messages with recent kernels you will see
> that this is in fact a topic in the near future
>
> nf_conntrack: automatic helper assignment is deprecated and it will be
> removed soon. Use the iptables CT target to
> attach helpers instead.

I don't know what you mean --- I haven't looked into it since a very
long time, and when I did, there was an extra kernel module to handle
ftp connections in combination with some firewall rules to allow traffic
on the data ports. There wasn't anything random about it. So what has
changed?
Re: firewall configuring
Allegedly, on or about 14 November 2012, lee sent:
> They are saying on the web page that it has the advantages of not
> unloading the modules and being able to change FW configuration
> without interrupting connections and while keeping the firewall up.
> I've never had problems with that on Debian

Nor I with Fedora. I used to change rules while testing things, I don't
recall connections being broken when I did that.

> A constantly running daemon that can quietly modify firewall rules
> looks like a nice tool for creating security problems.

Especially if controlled by applications, rather than the user. It's
for reasons like that, that I always disallowed UPnP in modem/routers.
Allowing applications, especially on Windows, to just do what they
wanted with the firewall negated the concept of having one.

> FTP isn't using random ports. It's using two ports, and firewalls
> need to be set up correctly to deal with that. There's a kernel
> module for this very purpose.

There's two modes of FTP, active and passive. With one of them, the
traditional method of using FTP, the second connection was on a random
port. Sometimes you have to use a server that only works that way, and
it can be a right pain.

I haven't used Shorewall, so I can't comment on its behaviour.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.6.6-1.fc17.x86_64 #1 SMP Mon Nov 5 21:59:35 UTC 2012 x86_64

All mail to my mailbox is automatically deleted, there is no point trying
to privately email me, I will only read messages posted to the public lists.
Re: firewall configuring
On 14.11.2012 12:24, lee wrote:
> FTP isn't using random ports. It's using two ports, and firewalls need
> to be set up correctly to deal with that. There's a kernel module for
> this very purpose.

ftp is ALWAYS using random ports

active: on the client side
passive: on the server side

so on one side there must be a firewall rule or connection
tracking for sure depending on the ftp-mode, how the tracking
is made is an implementation detail

and if you read dmesg-messages with recent kernels you will see
that this is in fact a topic in the near future

nf_conntrack: automatic helper assignment is deprecated and it will be
removed soon. Use the iptables CT target to
attach helpers instead.
Re: firewall configuring
Tim writes:

> Allegedly, on or about 13 November 2012, lee sent:
>> Great, that is going to conflict with my shorewall configuration when I
>> update. And running another daemon process all the time for something
>> that rarely ever changes once it's set up? Adding even more
>> dependencies with networkmanager? Involving d-bus which is something
>> nobody understands? That just sucks.
>
> I tend to agree.
>
> However, I can see one need for a daemon, though wonder whether it does
> anything about it: Things that actually require dynamic firewall
> configuration, such as the random port used by FTP, UPnP thingoes, et
> cetera. If it doesn't actually provide a solution to problems like
> them, then what's the point?

They are saying on the web page that it has the advantages of not
unloading the modules and being able to change FW configuration without
interrupting connections and while keeping the firewall up. I've never
had problems with that on Debian --- they are right though in that
restarting shorewall would take the firewall down during the restart.
I've never had issues with interrupted connections because of that.

These are particularities of the implementation, though. There's no need
to unload the modules, so something on Fedora must be intentionally
unloading them. That the firewall is taken down rather than actually
modified when shorewall is stopped is shorewall's implementation.

A constantly running daemon that can quietly modify firewall rules looks
like a nice tool for creating security problems.

I'd vote for making shorewall the default firewall in Fedora instead.
Where can we make suggestions like that?

FTP isn't using random ports. It's using two ports, and firewalls need
to be set up correctly to deal with that. There's a kernel module for
this very purpose.

When starting shorewall, I'm getting messages like 'xt_CT: No such helper
"ftp-0"' in /var/log/messages. I haven't looked into that yet --- any
idea what they are supposed to tell me and what to do about it?
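The remedy the dmesg notice quoted earlier in the thread points to, as an added example that is not from the thread or from shorewall: attach the FTP helper explicitly with the iptables CT target in the raw table, turn off automatic helper assignment, and allow the helper-expected data connection as RELATED. The kernel registers the helper under the name "ftp" when it watches port 21 (other ports get a suffix), and xt_CT reports "No such helper" when the name does not match a loaded helper, so the script checks that nf_conntrack_ftp is loaded; it assumes an iptables build with the CT target and only applies rules when run as root.

```shell
#!/bin/sh
# Added example (not shorewall's code): explicit FTP helper assignment with
# the iptables CT target, replacing deprecated automatic helper assignment.
set -e

FTP_PORT=21   # control port the helper should watch (assumption: default port)

# The helper must be registered before a CT rule can reference it; otherwise
# xt_CT logs 'No such helper'. Returns 0 when the module is loaded.
ftp_helper_loaded() {
    [ -r /proc/modules ] && grep -q '^nf_conntrack_ftp ' /proc/modules
}

# Emit the rule set as text so it can be reviewed before it is applied.
# raw/PREROUTING covers incoming control connections (server side),
# raw/OUTPUT covers outgoing ones (client side); the RELATED rule is what
# actually admits the data connection the helper has announced.
ftp_helper_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp
sysctl -w net.netfilter.nf_conntrack_helper=0
iptables -t raw -A PREROUTING -p tcp --dport $FTP_PORT -j CT --helper ftp
iptables -t raw -A OUTPUT -p tcp --dport $FTP_PORT -j CT --helper ftp
iptables -A INPUT -p tcp --dport $FTP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Apply for real only as root; otherwise show what would be run (dry run).
apply_ftp_helper_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: dry run, printing rules only" >&2
        ftp_helper_rules
        return 0
    fi
    ftp_helper_rules | sh -e
    ftp_helper_loaded || { echo "nf_conntrack_ftp not loaded" >&2; return 1; }
}

# Self-check helpers: how many CT rules the set contains, and whether
# automatic helper assignment is disabled by it.
count_ct_rules() {
    ftp_helper_rules | grep -c -- "-j CT --helper ftp"
}

disables_auto_helper() {
    ftp_helper_rules | grep -q "nf_conntrack_helper=0"
}
```

Invoke `apply_ftp_helper_rules` from a root shell after reviewing the printed rules; on a non-root shell it only prints them.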
Re: firewall configuring
Allegedly, on or about 13 November 2012, lee sent:
> Great, that is going to conflict with my shorewall configuration when I
> update. And running another daemon process all the time for something
> that rarely ever changes once it's set up? Adding even more
> dependencies with networkmanager? Involving d-bus which is something
> nobody understands? That just sucks.

I tend to agree.

However, I can see one need for a daemon, though wonder whether it does
anything about it: Things that actually require dynamic firewall
configuration, such as the random port used by FTP, UPnP thingoes, et
cetera. If it doesn't actually provide a solution to problems like
them, then what's the point?
Re: firewall configuring
On Tue, 13 Nov 2012 11:00:39 -0800
Rick Stevens wrote:

> On 11/13/2012 10:30 AM, Frank Murphy issued this missive:
>> On Tue, 13 Nov 2012 17:47:43 +0100
>> Gabriele Trombini wrote:
>>
>>> Try:
>>> $ firewall-config
>>>
>>
>> That is one of the firewalld pkgs,
>> not available in F17, F18+
>
> firewalld is available for F17:
>
> Available Packages
> firewalld.noarch    0.2.5-1.fc17    fedora
>

I said one of the firewalld pkgs. There's 3 of them.
Re: firewall configuring
Matthew Miller writes:

> On Wed, Nov 14, 2012 at 02:47:33AM +1030, Tim wrote:
>> Why isn't there a thingy for configuring the firewall in the "system
>> settings" collection of configurators for Fedora 17?
>
> I'm not sure about F17, but there's a new tool called firewalld, which
> includes a new GUI, as a feature for F18. See
>
> https://fedoraproject.org/wiki/Features/firewalld-default
>
> I think this addresses the rest of your rant. :)

Great, that is going to conflict with my shorewall configuration when I
update. And running another daemon process all the time for something
that rarely ever changes once it's set up? Adding even more dependencies
with networkmanager? Involving d-bus which is something nobody
understands? That just sucks.

I still haven't even found a way to disable the DVD-drive polling. Where
is the configuration for that? Or what makes the light flash all the time?
Re: firewall configuring
Tim writes:

> Allegedly, on or about 13 November 2012, Steven Stern sent:
>> Gosh, is it so hard to type "system-config-firewall"? I'm not sure
>> about Gnome, but on XFCE, it's APPS -> Administration -> Firewall.
>
> The point being that new users will not know about it. There's no
> mention of "firewall" in any of the control options in the control
> configurator. There is no-longer a menu. And if you do switch to the
> fallback desktop option that does give you a menu, there's nothing that
> mentions a firewall in there, either.
>
> It's, now, most definitely a GUI system. Users are expected not to have
> to resort to the command line. Why the hell isn't such a basic thing in
> the system preferences?

That is the problem, with Fedora you don't start with a minimal install
as it should be, and the documentation is insufficient. Nowadays users
are expected to know everything out of nothing, and forcing them into
GUIs is taken as an excuse for the lack of documentation. The result is
incompetence, which is encountered with GUIs that are "more intuitive"
to use. People need to realize that this is the wrong way to go.

> Not to mention that the error messages in the printer configurator
> aren't of any help, either: Firewalld isn't running (what the hell is
> that?). It says mdns needs to be allowed in the firewall. Really?
> Why would I want that allowed if I'm not using avahi? It's wrong advice
> to blandly say I must allow that. And it says Samba must be allowed.
> Again, unless I'm actually using Samba, and the printing aspects of it,
> it's wrong to advise that the firewall must allow that through.
>
> Geez, but it's badly handled.

Perhaps they refer to the outgoing traffic through the firewall without
making that sufficiently clear, trying to get away with insufficient
documentation ...
Re: firewall configuring
On 11/13/2012 10:30 AM, Frank Murphy issued this missive:
> On Tue, 13 Nov 2012 17:47:43 +0100
> Gabriele Trombini wrote:
>
>> Try:
>> $ firewall-config
>>
>
> That is one of the firewalld pkgs,
> not available in F17, F18+

firewalld is available for F17:

Available Packages
firewalld.noarch    0.2.5-1.fc17    fedora

--
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2    ICQ: 22643734    Yahoo: origrps2 -
- To err is human, to moo bovine. -
--
Re: firewall configuring
On 13/nov/2012, at 19:27, Steven Stern wrote:

> yum search firewall-config
> Warning: No matches found for: firewall-config
> No Matches found
>
>
> --
> -- Steve
>

Yes you're right, I'm on F18. I thought it was also on F17.

Cheers
Gabri
Re: firewall configuring
On Tue, 13 Nov 2012 17:47:43 +0100
Gabriele Trombini wrote:

> Try:
> $ firewall-config
>

That is one of the firewalld pkgs,
not available in F17, F18+

--
"The greatest warriors are the ones who fight for peace." -- Holly Near
Re: firewall configuring
On 11/13/2012 10:47 AM, Gabriele Trombini wrote:
> On Wed, 14/11/2012 at 02.47 +1030, Tim wrote:
>> Why isn't there a thingy for configuring the firewall in the "system
>> settings" collection of configurators for Fedora 17?
>>
> [cut]
>
> Try:
> $ firewall-config
>
> Cheers.
>
> Gabri
>

yum search firewall-config
Warning: No matches found for: firewall-config
No Matches found

--
-- Steve
Re: firewall configuring
Tim:
>> Why isn't there a thingy for configuring the firewall in the "system
>> settings" collection of configurators for Fedora 17?

Gabriele Trombini:
> Try:
> $ firewall-config

Nup, nothing other than firefox begins with "fire" on this system, even
as the root user. Another blunder for the Gnome desktop installation.
Re: firewall configuring
Allegedly, on or about 13 November 2012, Steven Stern sent:
> Gosh, is it so hard to type "system-config-firewall"? I'm not sure
> about Gnome, but on XFCE, it's APPS -> Administration -> Firewall.

The point being that new users will not know about it. There's no
mention of "firewall" in any of the control options in the control
configurator. There is no-longer a menu. And if you do switch to the
fallback desktop option that does give you a menu, there's nothing that
mentions a firewall in there, either.

It's, now, most definitely a GUI system. Users are expected not to have
to resort to the command line. Why the hell isn't such a basic thing in
the system preferences?

Not to mention that the error messages in the printer configurator
aren't of any help, either: Firewalld isn't running (what the hell is
that?). It says mdns needs to be allowed in the firewall. Really?
Why would I want that allowed if I'm not using avahi? It's wrong advice
to blandly say I must allow that. And it says Samba must be allowed.
Again, unless I'm actually using Samba, and the printing aspects of it,
it's wrong to advise that the firewall must allow that through.

Geez, but it's badly handled.
Re: firewall configuring
On Tue, 13 Nov 2012 10:29:18 -0600
Steven Stern wrote:

> On 11/13/2012 10:17 AM, Tim wrote:
>> Why isn't there a thingy for configuring the firewall in the
>> "system settings" collection of configurators for Fedora 17?
>>
>> In older versions, system-config-firewall was in the menus, and
>> readily apparent as the thing you went to, to adjust your
>> firewall. But there's nothing, obvious as the way to adjust it,
>
> Gosh, is it so hard to type "system-config-firewall"? I'm not sure
> about Gnome, but on XFCE, it's APPS -> Administration -> Firewall.
>

To be fair, Steven, I think Tim's annoyance is that system-config-firewall
is not default in Gnome.

--
The opulence of the front office door varies inversely with the
fundamental solvency of the firm.
Re: firewall configuring
On Wed, 2012-11-14 at 02:47 +1030, Tim wrote:
> Why isn't there a thingy for configuring the firewall in the "system
> settings" collection of configurators for Fedora 17?

Not sure about a gui - lokkit is the tool I use. Commandline yes, but
it's a lot easier to use than editing /etc/sysconfig/iptables.

--
Best Regards
Peter Larsen

Wise words of the day:
A Linux machine! Because a 486 is a terrible thing to waste!
-- Joe Sloan, j...@wintermute.ucr.edu
Re: firewall configuring
On 11/13/2012 10:17 AM, Tim wrote:
> Why isn't there a thingy for configuring the firewall in the "system
> settings" collection of configurators for Fedora 17?
>
> In older versions, system-config-firewall was in the menus, and readily
> apparent as the thing you went to, to adjust your firewall. But there's
> nothing, obvious as the way to adjust it, now. You'd have to know about
> the old tool, or manually write iptables rules. But in this, modern
> everything is done in the GUI, system, there's nothing showing.
>
> I became particularly peeved about this, when CUPS didn't find any
> printers (or print servers) on my LAN, when it should. And the first
> port of call, in the past, would be to open up the firewall and allow
> IPP printing/serving options, as appropriate. But there being no
> apparent way to the newbie to do this.
>
> Gnome developers may well think there's no need for users to fiddle with
> their firewall, but when the printing doesn't work because the default
> rules forbid it, not providing any configurator, nor even any clues,
> smacks of incompetence.
>

Gosh, is it so hard to type "system-config-firewall"? I'm not sure about
Gnome, but on XFCE, it's APPS -> Administration -> Firewall.

--
-- Steve
Re: firewall configuring
On Wed, 14/11/2012 at 02.47 +1030, Tim wrote:
> Why isn't there a thingy for configuring the firewall in the "system
> settings" collection of configurators for Fedora 17?
>
[cut]

Try:
$ firewall-config

Cheers.

Gabri
Re: firewall configuring
On Wed, Nov 14, 2012 at 02:47:33AM +1030, Tim wrote:
> Why isn't there a thingy for configuring the firewall in the "system
> settings" collection of configurators for Fedora 17?

I'm not sure about F17, but there's a new tool called firewalld, which
includes a new GUI, as a feature for F18. See

https://fedoraproject.org/wiki/Features/firewalld-default

I think this addresses the rest of your rant. :)

--
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
firewall configuring
Why isn't there a thingy for configuring the firewall in the "system
settings" collection of configurators for Fedora 17?

In older versions, system-config-firewall was in the menus, and readily
apparent as the thing you went to, to adjust your firewall. But there's
nothing, obvious as the way to adjust it, now. You'd have to know about
the old tool, or manually write iptables rules. But in this, modern
everything is done in the GUI, system, there's nothing showing.

I became particularly peeved about this, when CUPS didn't find any
printers (or print servers) on my LAN, when it should. And the first
port of call, in the past, would be to open up the firewall and allow
IPP printing/serving options, as appropriate. But there being no
apparent way to the newbie to do this.

Gnome developers may well think there's no need for users to fiddle with
their firewall, but when the printing doesn't work because the default
rules forbid it, not providing any configurator, nor even any clues,
smacks of incompetence.