president@computerbasics.net
2002-Oct-01 20:24 UTC
[Shorewall-users] Port enabling & disabling.
My first post, I just signed up.

Slap me up side the head if the information is obvious, but after several hours yesterday checking out online docs, FAQs, and samples, I'm still looking.

I just installed mandrake 9.0 which includes Shorewall FW, I have been running Mandrake 8.x which defaulted to bastille I believe.

I searched the conf files looking for port enabling/blocking files. Last time I configured under 8.x I had 4 files, incoming allow & disallow, and outgoing allow & disallow naming specific ports or ranges of ports. The config files for Shorewall appear understandable and supposedly my setup is closed to everything but HTTP and SSH ports. I found where they are specifically named, either in "policy" or "rules".

I want to run TightVNC from inside to control my FW computer. I added loc to fw access with no success in connecting VNC, I also tried adding ports 5900,5901,5902 to the existing HTTP open ports in the config file. I restarted FW both times and was not successful.

I get security reports automatically emailed to me daily that show a bunch of ports open, yet I don't know what config file to use to shut them down. Are there config files somewhere other than in Shorewall dir that control the ports?

Thanks,
Derek
president@computerbasics.net wrote:
> My first post, I just signed up.
>
> Slap me up side the head if the information is obvious, but after several hours
> yesterday checking out online docs, FAQs, and samples, I'm still looking.
>
> I just installed mandrake 9.0 which includes Shorewall FW, I have been running
> Mandrake 8.x which defaulted to bastille I believe.
>
> I searched the conf files looking for port enabling/blocking files

Start at http://www.shorewall.net/shorewall_quickstart_guide.htm.

> Last time
> I configured under 8.x I had 4 files, incoming allow & disallow, and outgoing
> allow & disallow naming specific ports or ranges of ports. The config files
> for Shorewall appear understandable and supposedly my setup is closed to
> everything but HTTP and SSH ports. I found where they are specifically named,
> either in "policy" or "rules".

I'm afraid I don't know how Mandrake is configuring Shorewall by default so I can't comment. In general:

a) The zones, interfaces and hosts files partition the network into a set of zones.
b) The policy file defines the default policy for connections between zones.
c) The rules file is used to define exceptions to policy.

> Are there config files somewhere other than in Shorewall dir that control the
> ports?

No -- Again, start at the URL above. Shorewall isn't something that you install, click a couple of buttons and forget about.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
president@computerbasics.net wrote:
> My first post, I just signed up.
>
> Slap me up side the head if the information is obvious, but after several hours
> yesterday checking out online docs, FAQs, and samples, I'm still looking.
>

Two minutes on the Mandrake web site shows me that there is a Security interface in the Mandrake Control Center. Have you looked there for a GUI interface to Shorewall? I know Mandrake has such a thing because I reviewed it for them several months ago but I don't know if they included it in 9.0.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
president@computerbasics.net wrote:
> Thanks for your replies.
>
> Yes, there is a GUI interface but it asks a couple questions such as which
> servers will be running and that is it. It gives no specifics. I had selected
> to have everything closed with the exception of http and ssh and I had presumed
> that this would be the case. When it turned out not to be the case I started
> research into port configs. I guess I'll do more research and see if I can
> find some way to control access to each specific port.

/etc/shorewall/rules.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
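The split Tom describes, zones carved out first, the policy file supplying the default verdict per zone pair and the rules file supplying exceptions that are checked ahead of policy, as an added toy evaluator in Python. This is not code from the thread or from Shorewall; the policy and rules tables are constructed in Shorewall's column layout, and the `ACCEPT loc fw tcp 5900:5902` entry is an assumed rules line for the VNC ports Derek mentions.

```python
"""Toy model of Shorewall's policy/rules split (added example, not Shorewall code)."""

# Constructed policy table: SOURCE DEST POLICY [LOG LEVEL]. Defaults per zone pair.
POLICY = """\
# SOURCE  DEST  POLICY  LOG LEVEL
loc       net   ACCEPT
net       all   DROP    info
all       all   REJECT  info
"""

# Constructed rules table: ACTION SOURCE DEST PROTO DEST PORT(S). Exceptions to policy.
# The last line is the assumed entry that opens VNC from the local zone to the firewall.
RULES = """\
# ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT    net     fw    tcp    80
ACCEPT    net     fw    tcp    22
ACCEPT    loc     fw    tcp    5900:5902
"""

def parse(table):
    """Split a whitespace-delimited table into rows, dropping '#' comments and blanks."""
    rows = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def port_matches(spec, port):
    """Match a single port or a low:high range (Shorewall's range syntax); '-' is any."""
    if spec == "-":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def decide(src, dst, proto, port, rules=RULES, policy=POLICY):
    """First matching rule wins; if no rule matches, the first matching policy applies."""
    for action, rsrc, rdst, rproto, rport, *_ in parse(rules):
        if rsrc in (src, "all") and rdst in (dst, "all") \
           and rproto in (proto, "all") and port_matches(rport, port):
            return action
    for psrc, pdst, paction, *_ in parse(policy):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return paction
    return "DROP"  # assumption for the toy; a real policy file ends in a catch-all

if __name__ == "__main__":
    for probe in [("loc", "fw", "tcp", 5901), ("net", "fw", "tcp", 5901)]:
        print(probe, "->", decide(*probe))
```

With the VNC rule absent, the loc-to-fw connection falls through to the `all all REJECT` policy line, which is the behaviour Derek saw; with it present the connection is accepted from loc only, while the same port from net still hits the `net all DROP` default.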