LinuxQuestions.org

Linux - Security: Firewall setup problem - newbie here, reading guides and learning. (https://www.linuxquestions.org/questions/linux-security-4/firewall-setup-problem-newbie-here-reading-guides-and-learning-4175697101/)

Linus_Newb 06-30-2021 11:41 AM

Firewall setup problem - newbie here, reading guides and learning.
 
Hello,

I was able to connect to my Ubuntu server through SSH on port 369, no problem.

As soon as I began setting up the firewall with the ufw command, I couldn't connect to the server again.

Here's my configuration:

Code:

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6000/tcp                   ALLOW IN    Anywhere
[ 2] 123/udp                    ALLOW IN    Anywhere
[ 3] 369/tcp                    ALLOW IN    Anywhere
[ 4] 6000/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 5] 123/udp (v6)               ALLOW IN    Anywhere (v6)
[ 6] 369/tcp (v6)               ALLOW IN    Anywhere (v6)


In sshd_config there's the line:

Code:

Port 369


And as soon as I disable the firewall, I can log in, BUT no longer on port 369, but on port 22?! ...

What is happening?!

Turbocapitalist 07-01-2021 10:05 AM

Try checking what is really in your sshd configuration to see which port it is configured to use:

Code:

sudo /usr/sbin/sshd -T | grep -Ei 'port|listen'

The -T option does an extended configuration test and reports what the SSH server is actually deploying. See "man sshd".

Then you can double-check with netstat and review the output to verify which port sshd is actually listening on. See "man netstat".

Code:

sudo netstat -lnpt | sed -n '1,2p; /sshd/p'

It should be the same as what you have in the configuration file. If not, you may have to have the SSH server reload its configuration.

Then if there is a mismatch between what the SSH server is using and what UFW is told to let in, one of those will have to be adjusted.
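
As an added example (not part of Turbocapitalist's post, and not a tool from ufw or OpenSSH), here is a small POSIX sh script that does the comparison he describes mechanically: it pulls the port(s) out of `sshd -T` output, pulls the TCP ports that have an ALLOW IN rule out of `ufw status numbered`, and reports any port sshd binds that ufw would drop. The two sample outputs embedded in it are constructed to match the shape of the thread's output (sshd effectively on 22, ufw allowing 6000/tcp, 123/udp and 369/tcp); the function and variable names are this example's own. It only parses "port" lines, so a ListenAddress carrying its own explicit port would need to be checked by hand.

```shell
#!/bin/sh
# Added example (not from the thread): compare the port(s) sshd really uses,
# as reported by `sshd -T`, with the TCP ports `ufw status numbered` allows in.
# The two sample outputs below are constructed (assumption) to resemble the
# thread: sshd effectively on 22, ufw allowing only 6000/tcp, 123/udp, 369/tcp.

# Ports sshd will bind, read from `sshd -T` output on stdin ("port N" lines).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2 }' | sort -un
}

# TCP ports with an "ALLOW IN" rule, read from `ufw status numbered` on stdin.
# Matches "[ 3] 369/tcp ALLOW IN ..." and its "(v6)" twin; udp rules ignored.
ufw_allowed_tcp() {
    sed -n 's/^\[ *[0-9]*] *\([0-9]*\)\/tcp .*ALLOW IN.*/\1/p' | sort -un
}

# Prints the sshd ports ufw does not allow in (space-separated, empty if none)
# and returns non-zero when there is at least one such port.
check_ssh_vs_ufw() {
    sshd_out=$1
    ufw_out=$2
    missing=""
    for p in $(printf '%s\n' "$sshd_out" | sshd_ports); do
        if ! printf '%s\n' "$ufw_out" | ufw_allowed_tcp | grep -qx "$p"; then
            missing="$missing $p"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample of `sudo sshd -T` output (only the relevant lines).
SSHD_T_SAMPLE='port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22'

# Constructed sample of `sudo ufw status numbered`, in the thread's shape.
UFW_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6000/tcp                   ALLOW IN    Anywhere
[ 2] 123/udp                    ALLOW IN    Anywhere
[ 3] 369/tcp                    ALLOW IN    Anywhere
[ 4] 6000/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 5] 123/udp (v6)               ALLOW IN    Anywhere (v6)
[ 6] 369/tcp (v6)               ALLOW IN    Anywhere (v6)'

if missing=$(check_ssh_vs_ufw "$SSHD_T_SAMPLE" "$UFW_SAMPLE"); then
    echo "ufw allows every port sshd listens on"
else
    echo "sshd listens on port(s) ufw does not allow in: $missing"
fi

# Live use on the server, over an already-open session, before touching rules:
#   check_ssh_vs_ufw "$(sudo sshd -T)" "$(sudo ufw status numbered)"
```

Run it over an existing SSH session before enabling or changing ufw rules; if it reports a port, add the ALLOW rule for that port (or reload sshd so it really uses the configured one) before the firewall goes active, so the session you are typing in is not the last one you get.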

Trihexagonal 07-01-2021 11:12 AM

Quote:

Originally Posted by Linus_Newb (Post 6262709)
Here's my configuration :

Code:

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6000/tcp                   ALLOW IN    Anywhere
[ 2] 123/udp                    ALLOW IN    Anywhere
[ 3] 369/tcp                    ALLOW IN    Anywhere
[ 4] 6000/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 5] 123/udp (v6)               ALLOW IN    Anywhere (v6)
[ 6] 369/tcp (v6)               ALLOW IN    Anywhere (v6)

What is happening?!

Looks like you're messing up to me. I'm not sure what you intended to do.

That's pretty nice of you to leave X-windows port TCP 6000 open like that. I'm sure somebody will make use of it.

Not to mention NTP. I'm pretty sure it uses TCP and UDP ports 123.


I've got a Kali box and use ufw on it, but it's busy ATM.

All you show is a little piece of not much of anything, so I don't know what rules you're using.
However, these two rules at the top are supposed to go in there; the rest is how you make rules for ufw.
On Linux, just so you know I know you're using Linux:
Code:

### Run as root (or with sudo). These two defaults go at the top:
ufw default deny incoming
ufw default allow outgoing

### Single-port rules like this one block a well-known port by service name, TCP 22 in this case:
ufw deny ssh

### Block ranges like this:
ufw deny 6000:6010/tcp
ufw deny 6000:6010/udp

### Block specific IPs like this (203.0.113.101 is a documentation-range placeholder):
ufw deny from 203.0.113.101

Here's the pf ruleset I use on my FreeBSD boxen:
Code:

### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Pass loopback ("set" options must come before scrub and filter rules)
set skip on lo0

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Block spoofed sources
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

That will work on an OpenBSD box with a change in syntax of one word in the egress rule, out to egress (of course).


Here's what it looks like when it's at work on the FreeBSD box I'm using now:
Code:

root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.24 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state


