Hi, I'm a home user who doesn't understand the workings of the Shorewall firewall (or the linux OS on which I've just installed it) very well. Having just installed Shorewall 1.4.6c with a default "home user" configuration I gave it a run against the online ShieldsUp scan. Main surprise was that the ICMP echo was enabled. I've since gone into /etc/shorewall/rules and changed (the only entry it contained) from:

    ACCEPT  net  fw  icmp  8

to:

    DROP    net  fw  icmp  8

Any 'ping' attempts are now ignored which apparently is deemed desirable - but is that what I want? Afaik, it *is*, but I'm half expecting that since the default was set to 'ACCEPT', there may well be a good reason for having it configured that way.

'ShieldsUP' seems to consider that all ports should be 'stealth'. Of the first 1056 ports on this box all but 3 of them are 'stealth'. Those 3 are ports 113, 139, and 445 which show up as 'closed' and are thus detectable. Should I be amending my shorewall configuration so that those 3 ports show up as stealth (as suggested by ShieldsUp) or are there good reasons that they should remain closed?

Cheers,
Rob

--
Any emails containing attachments will be deleted from my ISP's mail server before I even get to see them. If you wish to email me an attachment, please provide advance warning so that I can make the necessary arrangements.
On Sat, 2003-09-27 at 01:28, Sisyphus wrote:

> Any 'ping' attempts are now ignored which apparently is deemed desirable
> - but is that what I want? Afaik, it *is*, but I'm half expecting that
> since the default was set to 'ACCEPT', there may well be a good reason
> for having it configured that way.

Yes -- If I don't enable 'ping' by default, I get a dozen posts/week complaining "Ping doesn't work!". With the current default, I get a couple of posts a year asking "Why is ping enabled by default?". For complete information about Ping, at the Shorewall site click "Documentation" in the left pane; there you will find an alphabetic index to the documentation. The entry entitled "'Ping' Management" gives complete information about Shorewall and 'ping' control.

> 'ShieldsUP' seems to consider that all ports should be 'stealth'. Of the
> first 1056 ports on this box all but 3 of them are 'stealth'. Those 3
> are ports 113, 139, and 445 which show up as 'closed' and are thus
> detectable. Should I be amending my shorewall configuration so that
> those 3 ports show up as stealth (as suggested by ShieldsUp) or are
> there good reasons that they should remain closed?

Please see the FAQs under the bold heading "Open Ports".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sat, 2003-09-27 at 01:28, Sisyphus wrote:

> > 'ShieldsUP' seems to consider that all ports should be 'stealth'. Of the
> > first 1056 ports on this box all but 3 of them are 'stealth'. Those 3
> > are ports 113, 139, and 445 which show up as 'closed' and are thus
> > detectable. Should I be amending my shorewall configuration so that
> > those 3 ports show up as stealth (as suggested by ShieldsUp)

You also have to consider just how seriously you want to take the Shields Up site. The guy is basically a Windows guy and his advice is not usually appropriate for a linux firewall, or linux in general.

Even when used as a desktop machine you are likely to have ports for sendmail, ssh, ipp and perhaps a couple of others "open" (as he describes it). He red-flags these and jumps up and down about it.

With a netstat -anp command you can find out as much about your computer as Shields Up will tell you.

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
> On Sat, 2003-09-27 at 01:28, Sisyphus wrote:
>
> > > 'ShieldsUP' seems to consider that all ports should be 'stealth'. Of the
> > > first 1056 ports on this box all but 3 of them are 'stealth'. Those 3
> > > are ports 113, 139, and 445 which show up as 'closed' and are thus
> > > detectable. Should I be amending my shorewall configuration so that
> > > those 3 ports show up as stealth (as suggested by ShieldsUp)
>
> You also have to consider just how seriously you want to take
> the Shields Up site. The guy is basically a Windows guy and his
> advice is not usually appropriate for a linux firewall, or linux
> in general.
>
> Even when used as a desktop machine you are likely to have
> ports for sendmail ssh ipp and perhaps a couple others "open"
> (as he describes it). He red-flags these and jumps up and
> down about it.
>
> With a netstat -anp command you can find out as much about
> your computer as Shields Up will tell you.
>
> --
> John Andersen - NORCOM

<snip>

I think I remember Tom warning about ftp trouble on some ports if you drop them, so some have to be closed as I recall, and I believe they are in the common.def file. I have samba, ssh, apache, poptop and openvpn on this server. The only ports needed from outside will be ssh and webmin.

Here is a cut of netstat. I am not sure how to read this; is there a simple explanation?

Thanks,
Mike

[root@ns2 root]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      516/rpc.statd
tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN      1470/xinetd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1601/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      497/portmap
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1644/perl
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1524/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1456/sshd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      1733/(squid)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1493/sendmail: acce
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1524/httpd
tcp        0      0 127.0.0.1:32781         127.0.0.1:32780         ESTABLISHED 1733/(squid)
tcp        0      0 127.0.0.1:32780         127.0.0.1:32781         ESTABLISHED 1734/(squidGuard)
tcp        0      0 127.0.0.1:32783         127.0.0.1:32782         ESTABLISHED 1733/(squid)
tcp        0      0 127.0.0.1:32782         127.0.0.1:32783         ESTABLISHED 1735/(squidGuard)
tcp        0      0 127.0.0.1:32785         127.0.0.1:32784         ESTABLISHED 1733/(squid)
tcp        0      0 127.0.0.1:32784         127.0.0.1:32785         ESTABLISHED 1736/(squidGuard)
tcp        0      0 127.0.0.1:32787         127.0.0.1:32786         ESTABLISHED 1733/(squid)
tcp        0      0 127.0.0.1:32786         127.0.0.1:32787         ESTABLISHED 1737/(squidGuard)
tcp        0      0 127.0.0.1:32789         127.0.0.1:32788         ESTABLISHED 1733/(squid)
tcp        0      0 127.0.0.1:32788         127.0.0.1:32789         ESTABLISHED 1738/(squidGuard)
tcp        0      0 10.5.198.20:22          10.5.198.21:3953        ESTABLISHED 2277/sshd
tcp        0    144 10.5.198.20:22          10.5.198.21:3952        ESTABLISHED 2238/sshd
tcp        0      0 10.5.198.20:139         10.5.198.21:3699        ESTABLISHED 2141/smbd
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           516/rpc.statd
udp        0      0 0.0.0.0:32769           0.0.0.0:*                           1733/(squid)
udp        0      0 127.0.0.1:32770         0.0.0.0:*                           2141/smbd
udp        0      0 64.42.49.235:137        0.0.0.0:*                           1605/nmbd
udp        0      0 10.5.198.20:137         0.0.0.0:*                           1605/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1605/nmbd
udp        0      0 64.42.49.235:138        0.0.0.0:*                           1605/nmbd
udp        0      0 10.5.198.20:138         0.0.0.0:*                           1605/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1605/nmbd
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           1644/perl
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           1733/(squid)
udp        0      0 64.42.49.235:7777       0.0.0.0:*                           16866/openvpn
udp        0      0 0.0.0.0:111             0.0.0.0:*                           497/portmap
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     2561   1592/xfs            /tmp/.font-unix/fs7100
unix  14     [ ]         DGRAM                    902    476/syslogd         /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     2415   1513/gpm            /dev/gpmctl
unix  2      [ ]         DGRAM                    20688  16866/openvpn
unix  3      [ ]         STREAM     CONNECTED     8035   2277/sshd
unix  3      [ ]         STREAM     CONNECTED     8034   2279/sftp-server
unix  3      [ ]         STREAM     CONNECTED     8033   2277/sshd
unix  3      [ ]         STREAM     CONNECTED     8032   2279/sftp-server
unix  2      [ ]         DGRAM                    3293   1730/squid
unix  2      [ ]         DGRAM                    2675   1644/perl
unix  2      [ ]         DGRAM                    2651   1634/rhnsd
unix  2      [ ]         DGRAM                    2564   1592/xfs
unix  2      [ ]         DGRAM                    2464   1533/crond
unix  2      [ ]         DGRAM                    2405   1503/clientmqueue
unix  2      [ ]         DGRAM                    2387   1493/sendmail: acce
unix  2      [ ]         DGRAM                    2323   1470/xinetd
unix  2      [ ]         DGRAM                    2086   1418/apmd
unix  2      [ ]         DGRAM                    962    516/rpc.statd
unix  2      [ ]         DGRAM                    910    480/klogd
On Sunday 28 September 2003 03:17 pm, Mike Lander wrote:

> tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 516/rpc.statd
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1601/smbd
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 497/portmap
> tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1644/perl
> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1524/httpd
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1456/sshd
> tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 1733/(squid)
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1493/sendmail: acce
> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1524/httpd

This lists the ports that are listening on all interfaces...

32768  rpc.statd
139    smbd
111    portmap
10000  perl
80     httpd
22     sshd
3128   squid
25     sendmail
443    httpd

So from that I can deduce that you have a web server running but I can't connect to you at 64.42.49.235, so I assume your shorewall is blocking it. One has to wonder why run it if you are going to block it.

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Tom Eastep wrote:

> Yes -- If I don't enable 'ping' by default, I get a dozen posts/week
> complaining "Ping doesn't work!". With the current default, I get a
> couple of posts a year asking "Why is ping enabled by default?".

Takes care of that one for another 6 months :-)

> For complete information about Ping, at the Shorewall site click
> "Documentation" in the left pane; there you will find an alphabetic
> index to the documentation. The entry entitled "'Ping' Management" gives
> complete information about Shorewall and 'ping' control.

I had read that - but my ignorance still had me feeling a little uneasy about what I *really* wanted. Thanks for clearing that up.

> Please see the FAQs under the bold heading "Open Ports".

Sorry - missed that one. Thanks Tom.

Thanks also to John for providing some perspective on the ShieldsUp scan.

Cheers,
Rob

--
Any emails containing attachments will be deleted from my ISP's mail server before I even get to see them. If you wish to email me an attachment, please provide advance warning so that I can make the necessary arrangements.
Subject: Re: [Shorewall-users] ShieldsUp scan

> This lists the ports that are listening on all interfaces...
>
> 32768 rpc.statd
> 139 smbd
> 111 portmap
> 10000 perl
> 80 httpd
> 22 sshd
> 3128 squid
> 25 sendmail
> 443 httpd
>
> So from that I can deduce that you have a web server running
> but I can't connect to you at 64.42.49.235, so I assume your
> shorewall is blocking it. One has to wonder why run it if you are going
> to block it.
>
> --
> John Andersen - NORCOM
> http://www.norcomsoftware.com/

Thanks John,

I run apache with squid proxy for a redirect on LANs, to inform whoever is trying to visit an unauthorized website. Squid also logs unauthorized web sites. It has done a great job at cutting down on bandwidth and junk that people visit and download in production networks. The webserver is overkill for this purpose, I agree. I personally use ASP, JavaScript, SQL and IIS for production web servers, just because of VB and ASP experience. I don't use web servers on the LAN for public use.

Mike
On Monday 29 September 2003 01:17, Mike Lander wrote:

> [root@ns2 root]# netstat -anp

[output snipped]

Why all these open ports on all interfaces when it's not needed? Make every daemon that is able to only listen on the interface(s) it needs to, listen on only these. The best system is one you don't need a firewall for because all ports that need to be closed already are and all ports that are open need to stay open for a functioning system.

Alex
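John's reading of Mike's netstat listing and Alex's advice about binding daemons only to the interfaces they need can be checked mechanically. The Python script below is an added example, not part of this thread or of Shorewall; it parses netstat -anp style output (a constructed sample modelled on Mike's listing, with its column layout) and groups listening sockets by whether they are bound to all interfaces, to loopback only, or to one specific address.

```python
from typing import Dict, List

# Constructed sample, modelled on the "netstat -anp" listing posted in this thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:139       0.0.0.0:*         LISTEN      1601/smbd
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN      1493/sendmail: acce
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      1456/sshd
tcp        0      0 10.5.198.20:22    10.5.198.21:3953  ESTABLISHED 2277/sshd
udp        0      0 0.0.0.0:111       0.0.0.0:*                     497/portmap
udp        0      0 64.42.49.235:7777 0.0.0.0:*                     16866/openvpn
udp        0      0 127.0.0.1:32770   0.0.0.0:*                     2141/smbd
"""

def parse_listeners(netstat_text: str) -> List[Dict[str, str]]:
    """One record per listening socket: TCP rows in LISTEN state, plus every UDP row."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue                      # header lines and UNIX-domain rows
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp"):
            if fields[5] != "LISTEN":
                continue                  # ESTABLISHED etc. are not listeners
            program = " ".join(fields[6:]) or "-"
        else:
            program = " ".join(fields[5:]) or "-"   # UDP rows have no State column
        addr, port = local.rsplit(":", 1)
        listeners.append({"proto": proto, "addr": addr, "port": port, "program": program})
    return listeners

def bind_scope(addr: str) -> str:
    """Classify a bind address: every interface, loopback only, or one specific address."""
    if addr in ("0.0.0.0", "::", "*"):
        return "all-interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback-only"
    return "one-address"

def exposure_report(netstat_text: str) -> Dict[str, List[str]]:
    """Group listeners by bind scope; the all-interfaces group is what to shrink first."""
    report: Dict[str, List[str]] = {"all-interfaces": [], "loopback-only": [], "one-address": []}
    for s in parse_listeners(netstat_text):
        report[bind_scope(s["addr"])].append(f'{s["proto"]}/{s["port"]} {s["program"]}')
    return report
```

Feed it the real listing with exposure_report(open("netstat.txt").read()) and compare the all-interfaces group against the services you actually intend to offer outside the box.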
On Sun, 2003-09-28 at 03:54, Alexander Gretencord wrote:

> On Monday 29 September 2003 01:17, Mike Lander wrote:
> > [root@ns2 root]# netstat -anp
> [output snipped]
>
> Why all these open ports on all interfaces when it's not needed? Make every
> daemon that is able to only listen on the interface(s) it needs to, listen on
> only these. The best system is one you don't need a firewall for because all
> ports that need to be closed already are and all ports that are open need to
> stay open for a functioning system.

Which brings us back to my original point -- if there are no services exposed to the internet at all then it makes absolutely no difference if a few ports respond to connection requests with RST since there is nothing on the firewall to exploit.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net