LinuxQuestions.org
Old 10-27-2005, 03:52 PM   #1
onmountain
LQ Newbie
 
Registered: Oct 2005
Distribution: Debian
Posts: 16

Rep: Reputation: 0
Can't close all ports using shorewall


Hi. Pulling my hair out after 3 days of debugging:
I have a Debian Linux server running. I am running shorewall as a stand-alone server. I was able to implement port knocking, secure my ssh port, etc.

Seems to work great, except when I ran tests from Tenable NeWT Security Scanner on one of my PCs, I continue to see 3 ports open that I can't explain:
ftp port 21/tcp
smtp port 25/tcp
pop3 port 110/tcp

I have no processes using those ports - output of netstat -natu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN
tcp 0 0 192.1.2.15:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.1.2.15:1980 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32782 127.0.0.1:9999 ESTABLISHED
tcp 0 232 192.1.2.15:22 192.1.2.195:4705 ESTABLISHED
tcp 0 0 127.0.0.1:9999 127.0.0.1:32782 ESTABLISHED

I will go thru them:
9999 is a zeo server (used in zope/plone websites), on my internal local machine.
80 is my pound server dishing out the webpages (see below)
8081 is internal local machine again, a zeo client taking stuff from 9999 and sending it out to previous pound on an exposed port 80
22 is my ssh (I secure this using a port knocking scheme)
1980 is webdav, part of the zope system

So I understand what is listening and using the ports, but why would this port scanner show those 3 open? I even downloaded GFI LANGuard and got same results.

My /etc/shorewall/rules file is as follows (at its end):
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT fw net icmp
DROP net fw tcp ftp
DROP net fw tcp 25
DROP net fw tcp 110
AllowWeb net fw
SSHKnock:info net fw tcp 22,6698,6699,6700
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


I even tried REJECT instead of the DROP for those three... Any help would be appreciated.

BTW, my IP's listed above are all in my LAN so are not realworld :-)
 
Old 10-28-2005, 12:19 PM   #2
onmountain
LQ Newbie
 
Registered: Oct 2005
Distribution: Debian
Posts: 16

Original Poster
Rep: Reputation: 0
Could it be that I used ftp or SMTP from "inside"?

I am really perplexed, but have one partial theory. I know I have used apt-get and installed or updated parts of my system - could it be that the port "remembers" somehow that ftp was used from the "inside" to download stuff from the outside? I want that to be enabled, just want to keep people from getting to the port from the outside.

SMTP may also be used by zope/plone to get mail SENT out from the website. It never gets email sent in, so I got rid of all the email stuff from my system - or so I believe. I also have never implemented or configured anything involving pop3 on this box. This was from a clean install.

 
Old 10-30-2005, 04:16 PM   #3
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
What's in your /etc/shorewall/policy file? If you comment out the DROP entries (DROP net fw tcp ftp, DROP net fw tcp 25, DROP net fw tcp 110) what happens then?
 
Old 10-31-2005, 02:30 PM   #4
onmountain
LQ Newbie
 
Registered: Oct 2005
Distribution: Debian
Posts: 16

Original Poster
Rep: Reputation: 0
My /etc/shorewall/policy just has the following at the end:


#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


I don't think I changed anything from the defaults when I installed it. As far as the DROP statements, I added that in and have also removed them - they have no effect when I run the port scans.


This is what I get when I run the NeWT Security Scanner - and basically the same when I run the GFI LanGuard scanner:

smtp (25/tcp)
Port is open
Plugin ID : 11219


ftp (21/tcp)
Port is open
Plugin ID : 11219


pop3 (110/tcp)
Port is open
Plugin ID : 11219


http (80/tcp)
Port is open
Plugin ID : 11219


The 80 makes sense, but the others do not.

 
Old 10-31-2005, 04:00 PM   #5
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Try running shields up https://www.grc.com/x/ne.dll?bh0bkyd2 and see what ports are open
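
An added example, not part of any post in this thread: a cross-check of the netstat listing from post #1 against the ports the scanners reported open in post #4, to separate findings backed by a real listener from findings the server has no socket for. The sample text is constructed from the lines quoted in the thread; the function names and result labels are hypothetical.

```python
# Constructed sample: netstat -natu lines as quoted in post #1.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN
tcp 0 0 192.1.2.15:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.1.2.15:1980 0.0.0.0:* LISTEN
tcp 0 232 192.1.2.15:22 192.1.2.195:4705 ESTABLISHED
"""
# Ports the scanner reported open in post #4.
SCAN_OPEN = [21, 25, 110, 80]


def listeners(netstat_text):
    """Map each listening TCP port to the set of local addresses bound to it."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only tcp/tcp6 rows in LISTEN state; skip headers and ESTABLISHED rows.
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            found.setdefault(int(port), set()).add(addr)
    return found


def classify(netstat_text, scan_open):
    """Label each scanner-reported port by what the host itself is bound to."""
    bound = listeners(netstat_text)
    report = {}
    for port in scan_open:
        addrs = bound.get(port, set())
        if not addrs:
            report[port] = "no-listener"       # nothing on the host accepts this port
        elif all(a.startswith("127.") or a == "::1" for a in addrs):
            report[port] = "loopback-only"     # bound, but not on an external address
        else:
            report[port] = "listener"          # a service really is exposed here
    return report


if __name__ == "__main__":
    for port, verdict in classify(NETSTAT, SCAN_OPEN).items():
        print(f"{port}/tcp: {verdict}")
```

A "no-listener" result means no socket on the server is bound to that port, so the scanner's finding is worth confirming with a packet capture on the server or a scan from a different machine before changing firewall rules.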
 
  

