LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 06-06-2010, 11:21 PM   #1
spezticle
Member
 
Registered: May 2010
Distribution: Ubuntu 10.04
Posts: 30

Rep: Reputation: 0
shorewall firewall rules config


does anyone experienced with this sort of thing see anything wrong with this?
the entries commented out, i have plans for in the future, but not now.

Code:
#ACTION			SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER	MARK	CONNLIMIT	TIME
ACCEPT          	$FW             net	icmp
SSH/ACCEPT      	net             $FW
Ping/ACCEPT     	net             $FW
SMTP/ACCEPT     	net             $FW
SMTPS/ACCEPT    	net             $FW
Submission/ACCEPT       net		$FW
IMAP/ACCEPT     	net             $FW
IMAPS/ACCEPT    	net             $FW
Web/ACCEPT      	net             $FW
ACCEPT			-		-	icmp	fragmentation-needed	#AllowICMPs
ACCEPT			-		-	icmp	time-exceeded		#AllowICMPs
#PARAM			-		-	tcp	25		#SMTP INSECURE
#PARAM			-		-	tcp	110		#pop3 INSECURE
#PARAM			-		-	tcp	143		#IMAP INSECURE
#PARAM			-		-	tcp	23		#Telnet: INSECURE
#PARAM			-		-	tcp	21		#FTP INSECURE
PARAM			-		-	tcp	80		#HTTP INSECURE
PARAM			-		-	tcp	113		#Auth
PARAM			-		-	tcp	587		#Mail message submission traffic
PARAM			-		-	tcp	995		#POP3S
PARAM			-		-	tcp	783		#Spam Assassin SPAMD
PARAM			-		-	tcp	465		#SMTPS
PARAM			-		-	tcp	993		#IMAPS
PARAM			-		-	tcp	443		#HTTPS
PARAM			-		-	tcp	3306		#MySQL
PARAM			-		-	tcp	992		#TelnetS
PARAM			-		-	tcp	6667		#iRC
#PARAM			-		-	tcp	6277		#DCC
PARAM			-		-	tcp	22		#SSH /SFTP
#PARAM			-		-	udp	1194		#OpenVPN
#PARAM			-		-	tcp	3389		#Microsoft RDP (Remote Desktop)
#PARAM			-		-	udp	33434:33524 	#UDP Traceroute
#PARAM			-		-	tcp	43		#whois
#PARAM			-		-	icmp	8		#ping
#PARAM			-		-	tcp	5500		#VNCL
#PARAM			-		-	tcp	5900:5909	#VNC
#PARAM			-		-	udp	514		#syslog UDP traffic
#PARAM			-		-	tcp	3690		#Subversion server (svnserve)
PARAM			-		-	tcp	5432		#PostgreSQL server
#PARAM			-		-	udp	5632		#PC Anywhere
#PARAM			-		-	tcp	5631		#PC Anywhere
#PARAM			-		-	tcp	636		#LDAPS
#PARAM			-		-	tcp	5223		#JabberSecure
#PARAM			-		-	tcp	9418		#GIT
#PARAM			-		-	tcp	3689		#DAAP
#PARAM			-		-	udp	3689		#DAAP
REJECT			-		-	tcp	113 		#Don't log 'auth' REJECT
DROP			-		-	udp	1900		#UPnP probes
DROP			-		-	udp	-	53	#DNS UDP replies
DROP			-		-	udp	135,445		# Drop Microsoft noise
DROP			-		-	udp	137:139		# Drop Microsoft noise
DROP			-		-	udp	1024:	137	# Drop Microsoft noise
DROP			-		-	tcp	135,139,445	# Drop Microsoft noise
DROP			-		-	udp	1900		# Drop Microsoft noise
DROP			-		-	udp	-	53	# Drop late-arriving DNS replies.
dropNotSyn								#
dropInvalid								#
dropBcast								#
 
Old 06-07-2010, 12:13 AM   #2
spezticle
Member
 
Registered: May 2010
Distribution: Ubuntu 10.04
Posts: 30

Original Poster
Rep: Reputation: 0
This file as said below looks wrong to me anyway, it says here to reject all source on all destination? changing from reject to allow didn't help ports being shown as open though. they all timeout, via report from http://www.whatsmyip.org/ports/security/
router 1, 2, and proxy server all forward requests properly to the server machine, 192.168.1.6
port scans with gnomes network utility report them all open. only place they're not open is from the fqdn and internet ip address.
Code:
#nano /etc/shorewall/policy
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
#				LEVEL	BURST		MASK
$FW	net	ACCEPT
net	$FW	DROP		info
net	all	DROP		info
all	all	REJECT		info
Code:
21  	Timeout  	ftp  	Port 21 is used for FTP Servers. The File Transfer Protocol is a fairly obsolete and insecure way to transfer files.
22 	Timeout 	ssh 	Port 22 is used for SSH, a Remote Login Protocol for Unix based machines. If you do not use SSH and Port 22 is open, this is something to look into.
25 	Timeout 	smtp 	Port 25 is used for Mail Servers. If you are not running a Mail Server this port should be closed.
53 	Timeout 	DNS 	Port 53 is used for Domain Name Servers.
80 	Timeout 	http 	Port 80 is the port Web Servers run on. If you are not running a Web Server and your port 80 is open, this is something to look into.
110 	Timeout 	pop3 	POP3 (aka POP) is the most common protocol for checking email on a mail server. Most ISP's use pop.
137 	Timeout 	netbios 	These three ports are all used for Windows File Sharing over the internet. Most Internet Service Providers block these ports for security so generally you don't have to worry about them. You couldn't open them if you tried.
138 	Timeout 	netbios
139 	Timeout 	netbios
143 	Timeout 	imap 	IMAP is one of the two most common protocols used to check email.
443 	Timeout 	https 	Port 443 is for Web Servers running over SSL. This encrypts all the data so no one can listen in and steal data.
548 	Timeout 	afp 	Port 548 is used for the Apple File Sharing protocol. It allows you to connect to your Macintosh over the internet.
587 	Timeout 	smtp submission 	Port 587 is the preferred port for smtp submission (client to server submission). Most systems still use 25 for this. Often 587 is used as the SSL port.
993 	Timeout 	imap
ssl 	The IMAP mail protocol, used over SSL to encrypt the data transfer (and protect your password etc)
995 	Timeout 	pop
ssl 	The POP mail protocol, used over SSL to encrypt the data transfer (and protect your password etc)
1433 	Timeout 	mssql 	Port 1433 is used by Microsoft's SQL Server. Unless you know you are running MSSQL (Not MySQL), its very important to block this port. It is very vulnerable.
1701 	Timeout 	l2tp 	Layer-2 Tunneling Protocol. Used with IPSec to create a secure form of VPN.
1723 	Timeout 	pptp 	Point-to-Point Tunneling Protocol. A different form of VPN. Its not as good as IPSec, and MS's PPTP server has MAJOR flaws.
3306 	Timeout 	MySQL 	Port 3306 is used by MySQL. Not to be confused with Microsoft's SQL, MySQL is a free, open source, very powerful and very secure Database Server. This site is powered in part by MySQL.
5432 	Timeout 	PgSQL 	PostgreSQL. An Open source SQL server, like MySQL, but different. Some people Love PgSQL, some Love MySQL.
 
  


Reply

Tags
firewall, rules, shorewall


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
shorewall rules jindalarpan Linux - Software 1 04-13-2008 05:27 PM
rules.drakx in /etc/shorewall ferrel Mandriva 1 06-20-2007 11:00 PM
shorewall config question with /etc/shorewall/rules peter72 Linux - Networking 3 01-01-2007 09:33 PM
Shorewall firewall rules/policies to accomodate samba and Apache Clived Mandriva 2 01-29-2006 08:27 PM
Shorewall policies + rules richlawson Linux - Networking 2 06-29-2003 11:35 AM


All times are GMT -5. The time now is 10:43 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration