Firewall Time..

rmxs

Verified User
Joined
Jan 14, 2007
Messages
141
Hello,
Can someone point me to a good firewall and tell me what the most common ports are that I must have closed or open for in/out traffic without my server having problems?
 

Well, usually, using iptables or APF works well enough.

As far as ports.. well that depends entirely on what services you offer. Common ports:
110 POP3
25 SMTP
143 IMAP
21 FTP
115 SFTP
22 SSH
53 DNS
80 HTTP
443 SSL/HTTPS
 
It's not quite that simple, and of course both iptables and APF work only if the server is running Linux; they won't work on FreeBSD servers.

53 needs to be open in both directions for both TCP/IP and UDP.

21 isn't enough for FTP; you have to either have automatic opening of related ports for data connections, or have additional ports open and let proftpd know which ports you've opened.

Don't forget 2222 for DirectAdmin.

This small snippet from the KISS firewall (as amended by me) is perhaps a bit too liberal for some servers, but works fine:
Code:
TCP_IN="20 21 22 25 53 80 110 123 143 443 587 2086 2087 2222 3306 6277 10000"
TCP_OUT="20 21 22 25 37 43 53 80 81 113 443 2086 2087 2222 3306 6277"
UDP_IN="53 161"
UDP_OUT="53 161"
Note however that it does NOT show additional ports open for FTP data, because kiss automatically opens data ports as required.

Jeff
 
Hi Jeff

I installed KISS and it seems to be working OK except for UDP 123 (ntpd). I have put 123 in UDP_IN and UDP_OUT, but I get this:

sendto (fd=21): Operation not permitted

I know it's a firewall issue, as when I stop KISS it all works fine.
 
Did you restart your firewall after you added 123 to udp in and out?

I don't use ntpd; I use an ntp program which I run hourly. It works fine with my firewall as above. Perhaps ntpd requires other ports open as well; I'm not sure.

Jeff
 
Yes, I restarted the firewall. I think you're correct in saying ntpd requires other ports open; now to figure out which ones.

Thanks
 
Jeff

The following rules fixed my ntpd issue. Now, I would think that putting UDP 123 in KISS would work, but it doesn't; restarting KISS flushes the rules below, but at least I found out this works.

iptables -A OUTPUT -p udp -s [server ip] --sport 123 -d 0/0 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 123 -d [server ip] --dport 123 -m state --state ESTABLISHED -j ACCEPT
 
In KISS did you attempt to open the ports, in both directions, as UDP ports? That's what your manual rules do.

Jeff
 
After you did that did you restart KISS?

You might want to try this:
Code:
# kiss stop
# kiss start | grep 123
To see what the lines look like as added by KISS.

Jeff
 
DA-KISS Firewall - Stopped!

[root@cp ~]# kiss start |grep 123
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp spts:1024:65535 dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp spts:1024:65535 dpt:123
 
And what additional is added when you add the lines manually as indicated in your previous post?

Jeff
 
Chain INPUT (policy DROP)
ACCEPT udp -- anywhere <hostname> udp spt:ntp dpt:ntp state ESTABLISHE

Chain OUTPUT (policy DROP)
ACCEPT udp -- <hostname> anywhere udp spt:ntp dpt:ntp state NEW,ESTABLISHED
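The two listings above show why the manual rules were needed: the KISS rules match source ports 1024:65535, but ntpd sends its queries from UDP 123, so neither the query nor the peer's reply (spt:ntp dpt:ntp) matches a KISS rule. The script below is an added example, not KISS's own code: it expands KISS-style port lists (the ones from Jeff's post, plus UDP 123) into stateful iptables commands and adds the fixed-source-port rule for ntpd. The names `emit_port_rules`, `gen_firewall_rules`, `ntp_fixed_sport_rules` and `UDP_FIXED_SPORT` are invented for this example.

```shell
#!/bin/sh
# Constructed example (not KISS's own code): expand KISS-style port lists
# into stateful iptables commands. It only prints the commands so they can
# be reviewed before being applied with:  gen_firewall_rules | sh
# Port lists are the ones posted in this thread, plus UDP 123 for ntpd.
TCP_IN="20 21 22 25 53 80 110 123 143 443 587 2086 2087 2222 3306 6277 10000"
TCP_OUT="20 21 22 25 37 43 53 80 81 113 443 2086 2087 2222 3306 6277"
UDP_IN="53 161 123"
UDP_OUT="53 161 123"
# Daemons that send from their own well-known port instead of an ephemeral
# one. ntpd queries peers from UDP 123, so the generic rules below (which,
# like the KISS listing, match sport 1024:65535) never see its packets.
UDP_FIXED_SPORT="123"

emit_port_rules() {   # $1 = chain (INPUT|OUTPUT), $2 = proto, $3 = port list
    for port in $3; do
        printf 'iptables -A %s -p %s --sport 1024:65535 --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$1" "$2" "$port"
    done
}

gen_firewall_rules() {
    # Default deny, allow loopback, and admit replies to traffic already
    # permitted. RELATED also covers FTP data connections once the kernel's
    # FTP conntrack helper is loaded, which is how data ports get opened
    # without listing them explicitly.
    printf 'iptables -P INPUT DROP\niptables -P OUTPUT DROP\niptables -P FORWARD DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\niptables -A OUTPUT -o lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    emit_port_rules INPUT  tcp "$TCP_IN"
    emit_port_rules OUTPUT tcp "$TCP_OUT"
    emit_port_rules INPUT  udp "$UDP_IN"
    emit_port_rules OUTPUT udp "$UDP_OUT"
    # Fixed-source-port daemons: accept the outbound query with sport == dport;
    # the ESTABLISHED rule on INPUT then admits the peer's reply, so no
    # separate inbound sport-123 rule is needed (cf. the manual rules above).
    for port in $UDP_FIXED_SPORT; do
        printf 'iptables -A OUTPUT -p udp --sport %s --dport %s -m state --state NEW -j ACCEPT\n' "$port" "$port"
    done
}

# Self-check: number of generated rules that let ntpd's own port talk out.
ntp_fixed_sport_rules() {
    gen_firewall_rules | grep -c -- '-p udp --sport 123 --dport 123'
}
```

Rule order matters: the ESTABLISHED,RELATED rules must precede the per-port rules, which is why a rule appended at the very end of a file that later flushes or re-adds rules may not behave as expected.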
 
Are you actually running on FreeBSD? Or is that just your login name?

I'm not sure about the difference, but of course there's no reason to not add those lines to your KISS file if you need them.

Jeff
 
I used to run FreeBSD 5.4, but I have been on CentOS 5.2 for the last 3 weeks.

I don't think I can change the login name.

I will add them to the bottom of the kiss file.

Thanks for the help
 
I don't think I can change the login name.
I think I can :). If you'd like, send me a private message from FreeBsd5, letting me know what you'd like it changed to. And send me your email address so I can notify you once I've made the change.

Less confusing that way, when you're writing about software only available for Linux.
I will add them to the bottom of the kiss file.
Thinking about it, position may be important; the right place may not be at the bottom of the file. I haven't studied iptables in a while.

Jeff
 
Thanks Jeff :)
 
Why, daveyw? What are its advantages that we should spend hours making changes to many servers that are already well protected? You may have a good reason; enquiring minds want to know :).

Also, by everybody do you mean FreeBSD users as well? If so, have you a copy that works under FreeBSD?

Jeff
 
Daveyw,

We use CSF + LFD on our own servers, but that does not mean it is recommended for everyone. We have had two experiences where updating CSF has caused CSF to block all ports in IPTABLES. Both times required an uninstallation of CSF and then a reinstallation. KISS is great for people who don't have the time or experience to deal with that.
 