Hi,

I just upgraded from Mandrake 9.1 to 9.2 and discovered that ports 139 and 445 are accepted from the net even though my rules configuration is set up to only accept 80, 443 and 25. I ran the portscan from http://www.securitymetrics.com/portscan.adp, which tells me that the ports are "closed", not "stealth" as they used to be. I do not understand why. Can someone help me with this?

My current Shorewall version is 1.48.

Rules configuration:

ACCEPT net  fw   tcp 80,443,25                                              -
ACCEPT masq fw   tcp 80,443,22,25,109,110,143,137,139,445,8080              -
ACCEPT masq fw   udp 137:139                                                -
ACCEPT masq fw   udp 1024:                                                  137
ACCEPT fw   masq tcp 137,139,445                                            -
ACCEPT fw   masq udp 137:139                                                -
ACCEPT fw   masq udp 1024:                                                  137
ACCEPT masq fw   tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp   -
ACCEPT masq fw   udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp   -
ACCEPT fw   masq tcp 631,515,137,138,139                                    -
ACCEPT fw   masq udp 631,515,137,138,139                                    -

Regards
Mario Juric
On Wed, 31 Dec 2003, Mario Juric wrote:

> Hi,
>
> I just upgraded from Mandrake 9.1 to 9.2 and discovered that ports 139 and
> 445 are accepted from the net even though my rules configuration is setup to
> only accept 80, 443 and 25. I ran the portscan from
> http://www.securitymetrics.com/portscan.adp, which tells me that the ports
> are "closed", not "stealth" as they used to be. I do not understand why. Can
> someone help me with this?

Possibly Mandrake can -- You have upgraded from one version of Mandrake to another and now you are posting on the Shorewall list asking what went wrong. Does that seem right to you? Doesn't to me.

At any rate, you might look at FAQ #4 as I suspect that the answer to your question is there somewhere.

> My current Shorewall version is 1.48.

No it isn't -- there is no such Shorewall version.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi,

Thank you for answering so quickly. The reason why I addressed the Shorewall users list is because the problem is related to this component, and it first seemed natural to me that there might have been some issue with the new version of this component. You are right, there is no version 1.48; the "shorewall version" command tells me that it is version 1.4.8. I apologize for the typing error.

There could of course also be an issue with some other component in the Mandrake upgrade, which is likely as well, just as there could be an issue with the portscan software at www.securitymetrics.com. I tested the latter by trying other portscan services, which came up with the same result.

I have without success searched the Mandrake site and the web for anything describing a similar problem, just to get an indication of where the problem actually is. Finally, I have decided to revert to my backed up 9.1 installation. If anyone runs into similar problems and finds some answers, please send me a notice. Thanks.

Regards
Mario Juric
On Wednesday 31 December 2003 04:20 am, Mario Juric wrote:

> I have without success searched the mandrake site and the web for anything
> describing a similar problem just to get an indication where the problem
> actually is. Finally, I have decided to revert to my backed up 9.1
> installation. If anyone runs into similar problems and finds some answers,
> please send me a notice. Thanks.

Mario, if you would install a fresh version of Shorewall right out of the box it would work exactly as your report (see FAQ #4). The fact that it didn't work that way before the upgrade suggests to me that either:

a) you (or possibly Mandrake) modified the /etc/shorewall/common.def file that you were previously using. When you upgraded, a new common.def file overwrote your old one and the default behavior was restored; or

b) you (or possibly Mandrake) had previously created /etc/shorewall/common and added a set of rules that dropped SMB noise and that file is no longer present after the upgrade; or

c) you were previously running an old enough version of Shorewall that ports 139 and 445 weren't REJECTed (but it would have had to have been *quite* old).

In any event, the port-scan results that you report DO NOT MEAN THAT THERE IS A SECURITY HOLE. It merely means that your firewall is REJECTing connection requests on these ports rather than ignoring them.

Finally, I've had so many people report this "bug" in Shorewall that I've given up; in Shorewall 1.4.9 Shorewall will silently drop all Windows SMB noise rather than reject it so that I don't get more of these "There is a horrible hole in my firewall" reports. So if you upgrade to the 1.4.9 Beta (either 1 or 2), you will eliminate this non-problem once and for all.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
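One way to get back the "stealth" scan result Mario describes on a 1.4.8 install, as an added example that is not from the thread or from Shorewall's own files: two DROP rules for /etc/shorewall/rules that silence SMB/NetBIOS probes from the net zone before the default REJECT answers them. It assumes the zone names from Mario's configuration (net, fw) and the Shorewall 1.4 rules-file column layout.

```text
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)    SOURCE PORT(S)
# Added example, not from the thread. Keep these two lines ABOVE the ACCEPT
# rules: Shorewall matches rules in order, so SMB probes from the Internet
# are dropped here instead of being REJECTed, which is what makes a scanner
# report the ports as "closed" rather than "stealth". The masq (LAN) rules
# for the same ports are left untouched, so local file sharing still works.
DROP      net      fw     tcp     137,139,445     -
DROP      net      fw     udp     137:139,445     -
#
# Mario's existing net rule stays below, unchanged:
ACCEPT    net      fw     tcp     80,443,25       -
```

As Tom notes, upgrading to Shorewall 1.4.9 makes this the default behaviour, so the rules above are only needed on 1.4.8.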