shorewall firewall rules config

spezticle · 06-06-2010, 11:21 PM

does anyone experienced with this sort of thing see anything wrong with this?
the entries commented out, i have plans for in the future, but not now.

Code:

#ACTION			SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER	MARK	CONNLIMIT	TIME
ACCEPT          	$FW             net	icmp
SSH/ACCEPT      	net             $FW
Ping/ACCEPT     	net             $FW
SMTP/ACCEPT     	net             $FW
SMTPS/ACCEPT    	net             $FW
Submission/ACCEPT       net		$FW
IMAP/ACCEPT     	net             $FW
IMAPS/ACCEPT    	net             $FW
Web/ACCEPT      	net             $FW
ACCEPT			-		-	icmp	fragmentation-needed	#AllowICMPs
ACCEPT			-		-	icmp	time-exceeded		#AllowICMPs
#PARAM			-		-	tcp	25		#SMTP INSECURE
#PARAM			-		-	tcp	110		#pop3 INSECURE
#PARAM			-		-	tcp	143		#IMAP INSECURE
#PARAM			-		-	tcp	23		#Telnet: INSECURE
#PARAM			-		-	tcp	21		#FTP INSECURE
PARAM			-		-	tcp	80		#HTTP INSECURE
PARAM			-		-	tcp	113		#Auth
PARAM			-		-	tcp	587		#Mail message submission traffic
PARAM			-		-	tcp	995		#POP3S
PARAM			-		-	tcp	783		#Spam Assassin SPAMD
PARAM			-		-	tcp	465		#SMTPS
PARAM			-		-	tcp	993		#IMAPS
PARAM			-		-	tcp	443		#HTTPS
PARAM			-		-	tcp	3306		#MySQL
PARAM			-		-	tcp	992		#TelnetS
PARAM			-		-	tcp	6667		#iRC
#PARAM			-		-	tcp	6277		#DCC
PARAM			-		-	tcp	22		#SSH /SFTP
#PARAM			-		-	udp	1194		#OpenVPN
#PARAM			-		-	tcp	3389		#Microsoft RDP (Remote Desktop)
#PARAM			-		-	udp	33434:33524 	#UDP Traceroute
#PARAM			-		-	tcp	43		#whois
#PARAM			-		-	icmp	8		#ping
#PARAM			-		-	tcp	5500		#VNCL
#PARAM			-		-	tcp	5900:5909	#VNC
#PARAM			-		-	udp	514		#syslog UDP traffic
#PARAM			-		-	tcp	3690		#Subversion server (svnserve)
PARAM			-		-	tcp	5432		#PostgreSQL server
#PARAM			-		-	udp	5632		#PC Anywhere
#PARAM			-		-	tcp	5631		#PC Anywhere
#PARAM			-		-	tcp	636		#LDAPS
#PARAM			-		-	tcp	5223		#JabberSecure
#PARAM			-		-	tcp	9418		#GIT
#PARAM			-		-	tcp	3689		#DAAP
#PARAM			-		-	udp	3689		#DAAP
REJECT			-		-	tcp	113 		#Don't log 'auth' REJECT
DROP			-		-	udp	1900		#UPnP probes
DROP			-		-	udp	-	53	#DNS UDP replies
DROP			-		-	udp	135,445		# Drop Microsoft noise
DROP			-		-	udp	137:139		# Drop Microsoft noise
DROP			-		-	udp	1024:	137	# Drop Microsoft noise
DROP			-		-	tcp	135,139,445	# Drop Microsoft noise
DROP			-		-	udp	1900		# Drop Microsoft noise
DROP			-		-	udp	-	53	# Drop late-arriving DNS replies.
dropNotSyn								#
dropInvalid								#
dropBcast								#

spezticle · 06-07-2010, 12:13 AM

This file as said below looks wrong to me anyway, it says here to reject all source on all destination? changing from reject to allow didn't help ports being shown as open though. they all timeout, via report from http://www.whatsmyip.org/ports/security/
router 1, 2, and proxy server all forward requests properly to the server machine, 192.168.1.6
port scans with gnomes network utility report them all open. only place they're not open is from the fqdn and internet ip address.

Code:

#nano /etc/shorewall/policy
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
#				LEVEL	BURST		MASK
$FW	net	ACCEPT
net	$FW	DROP		info
net	all	DROP		info
all	all	REJECT		info

Code:

21 Timeout ftp Port 21 is used for FTP Servers. The File Transfer Protocol is a fairly obsolete and insecure way to transfer files.
22 Timeout ssh Port 22 is used for SSH, a Remote Login Protocol for Unix based machines. If you do not use SSH and Port 22 is open, this is something to look into.
25 Timeout smtp Port 25 is used for Mail Servers. If you are not running a Mail Server this port should be closed.
53 Timeout DNS Port 53 is used for Domain Name Servers.
80 Timeout http Port 80 is the port Web Servers run on. If you are not running a Web Server and your port 80 is open, this is something to look into.
110 Timeout pop3 POP3 (aka POP) is the most common protocol for checking email on a mail server. Most ISP's use pop.
137 Timeout netbios These three ports are all used for Windows File Sharing over the internet. Most Internet Service Providers block these ports for security so generally you don't have to worry about them. You couldn't open them if you tried.
138 Timeout netbios
139 Timeout netbios
143 Timeout imap IMAP is one of the two most common protocols used to check email.
443 Timeout https Port 443 is for Web Servers running over SSL. This encrypts all the data so no one can listen in and steal data.
548 Timeout afp Port 548 is used for the Apple File Sharing protocol. It allows you to connect to your Macintosh over the internet.
587 Timeout smtp submission Port 587 is the preferred port for smtp submission (client to server submission). Most systems still use 25 for this. Often 587 is used as the SSL port.
993 Timeout imap
ssl The IMAP mail protocol, used over SSL to encrypt the data transfer (and protect your password etc)
995 Timeout pop
ssl The POP mail protocol, used over SSL to encrypt the data transfer (and protect your password etc)
1433 Timeout mssql Port 1433 is used by Microsoft's SQL Server. Unless you know you are running MSSQL (Not MySQL), its very important to block this port. It is very vulnerable.
1701 Timeout l2tp Layer-2 Tunneling Protocol. Used with IPSec to create a secure form of VPN.
1723 Timeout pptp Point-to-Point Tunneling Protocol. A different form of VPN. Its not as good as IPSec, and MS's PPTP server has MAJOR flaws.
3306 Timeout MySQL Port 3306 is used by MySQL. Not to be confused with Microsoft's SQL, MySQL is a free, open source, very powerful and very secure Database Server. This site is powered in part by MySQL.
5432 Timeout PgSQL PostgreSQL. An Open source SQL server, like MySQL, but different. Some people Love PgSQL, some Love MySQL.