Hello all,

I'm running Shorewall 2.2.1 on linux kernel 2.6.10 with iptables 1.2.11. I recently ran a nessus scan of my firewall from a machine outside of the firewall and the nessus report told me that there are some ports open that I did not specify to be open. The ports are 32772/udp, 123/udp, 111/tcp, 32772/udp, and 53/udp. Why are these ports open when I did NOT specify them to be open in the rules file? Nessus was even able to identify the exact version of Bind through the 53 udp port.

Thank you.

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.7.2 - Release Date: 3/11/2005
Please post in plain text and configure your mailer to fold long lines at an appropriate length. The paragraph in your post is ONE LONG LINE.

On Fri, 11 Mar 2005, Kyle Peterson wrote:

> I'm running Shorewall 2.2.1 on linux kernel 2.6.10 with iptables 1.2.11.
> I recently ran a nessus scan of my firewall from a machine outside of
> the firewall and the nessus report told me that there are some ports
> open that I did not specify to be open. The ports are 32772/udp,
> 123/udp, 111/tcp, 32772/udp, and 53/udp. Why are these ports open when
> I did NOT specify them to be open in the rules file? Nessus was even
> able to identify the exact version of Bind through the 53 udp port.

If you:

a) Ensure that the conntrack table on your firewall is empty (reboot is one way).
b) "shorewall reset"
c) start a tcpdump on your firewall's external interface (using the -n option or better yet, capture raw packets to a disk file using the -w option)
d) Perform a Nessus scan
e) Find positive responses to these "open" ports in the tcpdump output

Then please forward the output of "shorewall status" as an attachment along with the tcpdump output that shows the problem. Otherwise, your "open port" report is just so much FUD.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Sorry about the HTML thing. I'm not used to having to send in plain text.

Here are the steps I performed:

1. Rebooted firewall
2. shorewall reset
3. Started tcpdump to dump to a log file.
4. Ran Nessus scan
5. Opened log file in ethereal and saved only a portion of the log. The portion I saved shows port 111 TCP as being open. I noticed it had the SYN flag set.

I'm sort of new to this whole firewall thing and I am guessing that it's normal behavior to let SYN packets through.

Please take a look at the attached logfile and let me know if I have things right.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, March 11, 2005 10:42 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Shorewall 2.2.1 and open ports

Please post in plain text and configure your mailer to fold long lines at an appropriate length. The paragraph in your post is ONE LONG LINE.

On Fri, 11 Mar 2005, Kyle Peterson wrote:

> I'm running Shorewall 2.2.1 on linux kernel 2.6.10 with iptables 1.2.11.
> I recently ran a nessus scan of my firewall from a machine outside of
> the firewall and the nessus report told me that there are some ports
> open that I did not specify to be open. The ports are 32772/udp,
> 123/udp, 111/tcp, 32772/udp, and 53/udp. Why are these ports open when
> I did NOT specify them to be open in the rules file? Nessus was even
> able to identify the exact version of Bind through the 53 udp port.

If you:

a) Ensure that the conntrack table on your firewall is empty (reboot is one way).
b) "shorewall reset"
c) start a tcpdump on your firewall's external interface (using the -n option or better yet, capture raw packets to a disk file using the -w option)
d) Perform a Nessus scan
e) Find positive responses to these "open" ports in the tcpdump output

Then please forward the output of "shorewall status" as an attachment along with the tcpdump output that shows the problem. Otherwise, your "open port" report is just so much FUD.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
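Tom's procedure (steps a to e above) and Kyle's reading of his capture both come down to one question per reported port: did the firewall itself send anything back? An inbound SYN from the scanner proves nothing, since the scanner sends one to every port it probes; only the firewall's answer does. The script below, an added example that is not code from the thread or from Shorewall, classifies `tcpdump -n` text output that way. The firewall and scanner addresses, the capture lines and the BIND version string in the DNS answer are all constructed for the example; the line format is the tcpdump 3.x style of the period, so a newer tcpdump (which prints `Flags [S.]`) would need the TCP regex adjusted.

```python
import re

FIREWALL = "198.51.100.1"   # assumed external address of the firewall (constructed)
SCANNER = "203.0.113.5"     # assumed address of the host running Nessus (constructed)

# Constructed `tcpdump -n` text output in the tcpdump 3.x line format of the period.
# Not a real capture: one probe per port, with the reply (if any) right after it.
CAPTURE = """\
23:10:01.000000 IP 203.0.113.5.40001 > 198.51.100.1.111: S 1000:1000(0) win 5840
23:10:01.000120 IP 198.51.100.1.111 > 203.0.113.5.40001: S 2000:2000(0) ack 1001 win 5792
23:10:01.000130 IP 203.0.113.5.40001 > 198.51.100.1.111: R 1001:1001(0) win 0
23:10:02.000000 IP 203.0.113.5.40002 > 198.51.100.1.25: S 1000:1000(0) win 5840
23:10:02.000110 IP 198.51.100.1.25 > 203.0.113.5.40002: R 0:0(0) ack 1001 win 0
23:10:03.000000 IP 203.0.113.5.40003 > 198.51.100.1.139: S 1000:1000(0) win 5840
23:10:03.000000 IP 203.0.113.5.40004 > 198.51.100.1.53: 4660+ TXT CHAOS? version.bind. (30)
23:10:03.000200 IP 198.51.100.1.53 > 203.0.113.5.40004: 4660* 1/0/0 CHAOS TXT "9.2.4" (41)
23:10:04.000000 IP 203.0.113.5.40005 > 198.51.100.1.32772: UDP, length 40
23:10:04.000150 IP 198.51.100.1 > 203.0.113.5: icmp 76: 198.51.100.1 udp port 32772 unreachable
23:10:05.000000 IP 203.0.113.5.40006 > 198.51.100.1.123: NTPv3, Client, length 48
"""

IP4 = r"(\d+(?:\.\d+){3})"
PKT = re.compile(r"^\S+ IP " + IP4 + r"\.(\d+) > " + IP4 + r"\.(\d+): (.*)$")
TCP = re.compile(r"^([SRFP.]+) \d+:\d+\(\d+\)( ack \d+)?")      # old-style TCP flag letters
UNREACH = re.compile(r"^\S+ IP " + IP4 + r" > " + IP4 + r": icmp \d+: \S+ udp port (\d+) unreachable")


def parse(line):
    """Return (src, sport, dst, dport, proto, kind) or None for lines we do not care about.
    kind is one of: syn, synack, rst, tcp-other, udp, unreach."""
    m = UNREACH.match(line)
    if m:
        # ICMP port unreachable: src is the host whose stack rejected the UDP datagram
        return m.group(1), None, m.group(2), int(m.group(3)), "udp", "unreach"
    m = PKT.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)
    t = TCP.match(rest)
    if t is None:
        return src, sport, dst, dport, "udp", "udp"           # DNS, NTP, bare "UDP, length N" ...
    flags, acked = t.group(1), t.group(2) is not None
    if "S" in flags:
        kind = "synack" if acked else "syn"
    elif "R" in flags:
        kind = "rst"
    else:
        kind = "tcp-other"
    return src, sport, dst, dport, "tcp", kind


def classify(capture, fw=FIREWALL, scanner=SCANNER):
    """For every (proto, port) the scanner probed on the firewall, say what the firewall sent back:
    open      SYN/ACK (tcp) or a UDP answer (udp): the filter ACCEPTed it and a service answered
    closed    RST (tcp) or ICMP port unreachable (udp): the filter ACCEPTed it, nothing listens
    filtered  tcp SYN with no reply at all: dropped before it reached the stack
    noreply   udp probe with no reply: dropped, or the service ignored it (capture cannot tell)"""
    probes = set()
    replies = {}
    for line in capture.splitlines():
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport, proto, kind = p
        if src == scanner and dst == fw and kind in ("syn", "udp"):
            probes.add((proto, dport))
        elif src == fw and dst == scanner:
            # a reply is keyed by the port it comes *from*; ICMP names the probed port explicitly
            key = ("udp", dport) if kind == "unreach" else (proto, sport)
            replies.setdefault(key, kind)                     # first answer wins
    verdicts = {}
    for proto, port in sorted(probes):
        r = replies.get((proto, port))
        if proto == "tcp":
            verdicts[(proto, port)] = {"synack": "open", "tcp-other": "open", "rst": "closed"}.get(r, "filtered")
        else:
            verdicts[(proto, port)] = {"udp": "open", "unreach": "closed"}.get(r, "noreply")
    return verdicts


if __name__ == "__main__":
    for (proto, port), verdict in classify(CAPTURE).items():
        print(f"{port}/{proto}: {verdict}")
```

Only `open` and `closed` verdicts correspond to packets the filter ACCEPTed (a RST or an ICMP port unreachable can only come from the firewall's own stack); a `filtered` SYN never got past the filter, and a UDP `noreply` is undecidable from the capture alone. If the capture was taken with `-w`, `tcpdump -n -r file.pcap` produces the same text form.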
Kyle Peterson wrote:

> Sorry about the HTML thing. I'm not used to having to send in plain text.
>
> Here are the steps I performed:
> 1. Rebooted firewall
> 2. shorewall reset
> 3. Started tcpdump to dump to a log file.
> 4. Ran Nessus scan
> 5. Opened log file in ethereal and saved only a portion of the log. The portion I saved shows port 111 TCP as being open. I noticed it had the SYN flag set.
>
> I'm sort of new to this whole firewall thing and I am guessing that it's normal behavior to let SYN packets through.
>
> Please take a look at the attached logfile and let me know if I have things right.

Did you also capture the output of "Shorewall status" as I asked?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Did you also capture the output of "Shorewall status" as I asked?

Sorry -- I found it in my moderator queue -- it required moderation because of its size. I'll not forward it on to the list but here's what I found:

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8254 3770K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   208 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    8  2076 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5222
   34  1920 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
   39  2220 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
   36  2028 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
  115  6860 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   78  4640 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
  827 68956 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0

The above rule is allowing ALL UDP TRAFFIC FROM THE NET TO YOUR FIREWALL. Check your /etc/shorewall/rules file

    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1701
 2464  124K net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
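Tom found the offending rule by reading the chain listing by eye. The same check can be done mechanically, which is worth doing on any firewall whose rules file has grown: parse the `shorewall status` (that is, `iptables -L -v -n`) output for the inbound chain and flag every ACCEPT that is neither restricted to a destination port nor limited to RELATED,ESTABLISHED traffic. The script below is an added example, not code from the thread or from Shorewall; the chain text it contains is a hand-transcribed copy of the net2fw listing Tom quoted, with the same rules and counters, and the column layout is reproduced by hand. In Shorewall's rules file such an all-ports rule typically comes from an entry whose DEST PORT(S) column was left empty or set to `-`, which is what "check your rules file" is pointing at.

```python
import re
import sys

# Constructed transcription of the net2fw chain as `shorewall status` (iptables -L -v -n) prints
# it, with the rules and counters quoted in the thread; the column spacing is reproduced by hand.
NET2FW = """\
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8254 3770K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   208 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    8  2076 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5222
   34  1920 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
   39  2220 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
   36  2028 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
  115  6860 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   78  4640 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
  827 68956 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1701
 2464  124K net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# pkts bytes target prot opt in out source destination [match details]
RULE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_chain(text):
    """Turn `iptables -L <chain> -v -n` output into a list of rule dicts, in chain order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:                       # the "Chain ..." banner and the column header
            continue
        pkts, byts, target, prot, opt, inif, outif, src, dst, match = m.groups()
        rules.append({"pkts": int(pkts), "bytes": byts, "target": target, "prot": prot,
                      "in": inif, "out": outif, "src": src, "dst": dst, "match": match.strip()})
    return rules


def is_port_qualified(match):
    """True if the rule's match text limits it to particular destination ports."""
    return bool(re.search(r"\b(dpt|dpts):", match)) or "multiport" in match


def overbroad_accepts(rules):
    """ACCEPT rules that let the net open new connections without a destination-port limit."""
    hits = []
    for r in rules:
        if r["target"] != "ACCEPT" or "RELATED,ESTABLISHED" in r["match"]:
            continue                # replies to connections the firewall opened are expected
        if r["prot"] in ("tcp", "udp") and not is_port_qualified(r["match"]):
            hits.append(r)          # whole protocol from anywhere: every listening service is reachable
        elif r["prot"] == "all" and not r["match"]:
            hits.append(r)          # every protocol, no match at all
        # esp/ah (IPsec) have no ports; a bare protocol ACCEPT for them is the normal form
    return hits


if __name__ == "__main__":
    # pipe real output in (`iptables -L net2fw -v -n | python3 audit.py`) or run on the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else NET2FW
    for r in overbroad_accepts(parse_chain(text)):
        print(f"over-broad: ACCEPT {r['prot']} {r['src']} -> {r['dst']} "
              f"(match: {r['match'] or 'none'}; {r['pkts']} packets have already hit it)")
```

The counter on the flagged rule is itself evidence: 827 packets had already matched the all-UDP ACCEPT, so everything Nessus sent to 53, 123 and 32772/udp was handed to the firewall's own services, which is why BIND could be fingerprinted over 53/udp while the rules file never mentioned port 53.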