Hello,
Can someone point me to a good firewall and tell me which ports are the most common ones that I must have closed or open for in/out traffic without my server having problems?
It's not quite that simple, and of course both iptables and APF work only if the server is running linux; they won't work on FreeBSD servers.
53 needs to be open in both directions for both TCP/IP and UDP.
21 isn't enough for FTP; you have to either have automatic opening of related ports for data connections, or have additional ports open and let proftpd know which ports you've opened.
Don't forget 2222 for DirectAdmin.
This small snippet from the KISS firewall (as amended by me) is perhaps a bit too liberal for some servers, but works fine:
Note however that it does NOT show additional ports open for FTP data, because kiss automatically opens data ports as required.
Code:
TCP_IN="20 21 22 25 53 80 110 123 143 443 587 2086 2087 2222 3306 6277 10000"
TCP_OUT="20 21 22 25 37 43 53 80 81 113 443 2086 2087 2222 3306 6277"
UDP_IN="53 161"
UDP_OUT="53 161"
Jeff
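As an added illustration (not the KISS firewall's own code, and not how KISS formats its rules), the script below turns port lists in the same TCP_IN/TCP_OUT/UDP_IN/UDP_OUT style into a default-deny iptables ruleset. It shows the two points made above: 53 allowed in both directions for both TCP and UDP, and FTP data connections handled by connection tracking (ESTABLISHED,RELATED) rather than by listing extra ports. It assumes the nf_conntrack_ftp helper is loaded for the RELATED match to cover FTP data, and it adds 123/udp to both UDP lists for ntp, which the original lists do not have. By default IPT is set to echo so the script only prints the rules; set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example, not code from KISS or DirectAdmin. Port lists are the ones
# quoted in the thread, plus 123/udp in and out (assumed here for ntp).
TCP_IN="20 21 22 25 53 80 110 123 143 443 587 2086 2087 2222 3306 6277 10000"
TCP_OUT="20 21 22 25 37 43 53 80 81 113 443 2086 2087 2222 3306 6277"
UDP_IN="53 123 161"
UDP_OUT="53 123 161"

# Dry run by default: print the iptables commands instead of executing them.
IPT="${IPT:-echo iptables}"

build_rules() {
    # Default-deny on every chain; everything below is an explicit allow.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback traffic is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to allowed connections, and RELATED connections such as the FTP
    # data channel that follows a session on 21/tcp, are accepted by connection
    # tracking. This is why no FTP data port range appears in the lists
    # (the nf_conntrack_ftp helper must be loaded for FTP to be tracked).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New inbound TCP connections to listed service ports.
    for p in $TCP_IN; do
        $IPT -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # New outbound TCP connections to listed ports.
    for p in $TCP_OUT; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # UDP has no handshake, so inbound and outbound are listed separately;
    # 53 appears in both because DNS needs UDP in both directions.
    for p in $UDP_IN; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    for p in $UDP_OUT; do
        $IPT -A OUTPUT -p udp --dport "$p" -j ACCEPT
    done
}

# Equivalent of "kiss start | grep 123": show which generated rules mention a
# given port, so you can confirm it was opened in the chains and protocols
# you expected. The trailing space keeps "20" from matching "2086".
rules_for_port() {
    build_rules | grep -- "--dport $1 "
}

build_rules
```

After applying the rules for real, `iptables -L -n -v` lists the chains (starting with "Chain INPUT (policy DROP)") and `rules_for_port 123` should show one TCP INPUT line and one UDP line per direction; if 123 is missing from a chain, the port was not added to the matching list, or the firewall was not restarted after the edit.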
Did you restart your firewall after you added 123 to udp in and out?
I don't use ntpd; I use an ntp program which I run hourly. It works fine with my firewall as above. Perhaps ntpd requires other ports open as well; I'm not sure.
Jeff
In KISS did you attempt to open the ports, in both directions, as UDP ports? That's what your manual rules do.
Jeff
After you did that did you restart KISS?
You might want to try this:
To see what the lines look like as added by KISS.
Code:
# kiss stop
# kiss start | grep 123
Jeff
Chain INPUT (policy DROP)
And what additional is added when you add the lines manually as indicated in your previous post?
Jeff
Are you actually running on FreeBSD? Or is that just your login name?
I'm not sure about the difference, but of course there's no reason to not add those lines to your KISS file if you need them.
Jeff
Thanks Jeff
I don't think I can change the login name.
I will add them to the bottom of the kiss file.
I think I can. If you'd like, send me a private message from FreeBsd5, letting me know what you'd like it changed to. And send me your email address so I can notify you once I've made the change.
Less confusing that way, when you're writing about software only available for Linux.
Thinking about it, position may be important; the right place may not be at the bottom of the file. I haven't studied iptables in a while.
Jeff