I'm trying to make my shorewall only allow access to http. So I made a default reject policy and rules to allow port 80 and 443 outgoing. Now I know http uses other ports but I have no clue which ports I also need to open. Sorry for my ignorance but please help me, I tried lots and got nowhere.
the_activ@activ.dhs.org wrote ..
> I'm trying to make my shorewall only allow access to http.
> So I made a default reject policy and rules to allow port 80 and 443
> outgoing. Now I know http uses other ports but I have no clue which ports
> I also need to open.
> Sorry for my ignorance but please help me, I tried lots and got nowhere.
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Hello, assuming you are using Apache no other ports are needed. What are the Apache directives Listen and Port set to? Remember the default Shorewall policy is to have all ports closed and then only open those needed. This problem should be straightforward. You really have not stated your problem or what is or is not working for you. Here are my rules for my public nic:

ACCEPT:debug net fw tcp 80 -
ACCEPT:debug fw net tcp 80 -

Rules for port 443 would be similar.

HTH, David.
the_activ@activ.dhs.org wrote:
> I'm trying to make my shorewall only allow access to http.
> So I made a default reject policy and rules to allow port 80 and 443
> outgoing. Now I know http uses other ports but I have no clue which
> ports I also need to open. Sorry for my ignorance but please help me,
> I tried lots and got nowhere.

Yes they can use other ports. As standard though http uses port 80 and https uses port 443. The only need you have to open other ports is if the server you are running or want to connect to is configured to use other ports than these two.

If you use a proxy server (such as squid on port 3128) you will have to open that port though. If you want all traffic to go through the proxy you will have to configure your fw so only that has access to the net and your internal traffic can't access the net directly on ports 80/443.

It is common to use other ports, such as 8080 or 8081, for dev environments and so on. If that is the case you will have to open those ports too. There is no standard here and virtually any port, though you should not use ports up to 1024, can be used for http/https; it's all up to what is configured in the webserver.

To this you also have other applications such as SWAT (samba) and webmin that provide a browser gui. They normally use ports 901/10000. If you have any of them you will need to open up for them too. I use both, but they are only accessible from inside the firewall, not outside.

Hope this helps,
/Thomas
the_activ@activ.dhs.org wrote:
> I'm trying to make my shorewall only allow access to http.
> So I made a default reject policy and rules to allow port 80 and 443
> outgoing. Now I know http uses other ports but I have no clue which ports
> I also need to open.
> Sorry for my ignorance but please help me, I tried lots and got nowhere.

Sounds like you want to only allow http through your firewall, coming from your subnet, rejecting all else. If your policy file looks like this:

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net DROP
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
net all DROP ULOG
all all REJECT ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

and your rules file like this:

ACCEPT loc net tcp 80
ACCEPT loc net tcp 443

should be no problem, since reply packets coming in, at your own request by adding those ACCEPT rules, will be allowed through automatically.

--
Patrick Benson
Stockholm, Sweden
On Sunday 25 January 2004 04:01 am, Patrick Benson wrote:
> and your rules file like this:
>
> ACCEPT loc net tcp 80
> ACCEPT loc net tcp 443
>
> should be no problem, since reply packets coming in, at your own request
> by adding those ACCEPT rules, will be allowed through automatically.

What about DNS?

ACCEPT loc net udp 53
ACCEPT loc net tcp 53

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> What about DNS?
>
> ACCEPT loc net udp 53
> ACCEPT loc net tcp 53

Ummmmmm...................... you're right, forgot! :-)
--
Patrick Benson
Stockholm, Sweden
The problem is I'm not able to access webpages although I have port 80 set to open. So my situation is (simplified):

Policy: All ports ingoing and outgoing are closed.
Rule: allow outgoing port 80 and 443.

Now if I open a browser and go to google (or any other page) I can't access it. I assume this is due to http using ports other than 80 to send data back. I hope I've clarified this a bit.

> Hello, assuming you are using Apache no other ports are needed. What are
> the Apache directives Listen and Port set to? Remember the default
> Shorewall policy is to have all ports closed and then only open those
> needed. This problem should be straightforward. You really have not
> stated your problem or what is or is not working for you. Here are my
> rules for my public nic:
>
> ACCEPT:debug net fw tcp 80 -
> ACCEPT:debug fw net tcp 80 -
>
> Rules for port 443 would be similar.
> HTH, David.
Sounds like your browser cannot do a DNS lookup. Are you allowing DNS requests out?

----- Original Message -----
From: <the_activ@activ.dhs.org>
To: "Mailing List for Experienced Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, January 26, 2004 9:40 PM
Subject: Re: [Shorewall-users] Which ports for http?

The problem is I'm not able to access webpages although I have port 80 set to open. So my situation is (simplified):
Policy: All ports ingoing and outgoing are closed.
Rule: allow outgoing port 80 and 443.

Now if I open a browser and go to google (or any other page) I can't access it. I assume this is due to http using ports other than 80 to send data back. I hope I've clarified this a bit.
On Monday 26 January 2004 11:40 am, the_activ@activ.dhs.org wrote:
> The problem is I'm not able to access webpages although I have port 80 set
> to open.
> So my situation is (simplified)
> Policy: All ports ingoing and outgoing are closed.
> Rule: allow outgoing port 80 and 443.
>
> Now if I open a browser and go to google (or any other page) I can't
> access it. I assume this is due to http using ports other than 80 to send
> data back.

Until you also open DNS (udp and tcp port 53), you are not going to be able to use a web browser. I sent you the appropriate rules in my last post on this subject.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
It was right in front of my nose... you're absolutely right.

> Sounds like your browser cannot do a DNS lookup. Are you allowing DNS
> requests out?
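The rule set this thread converges on, turned into a check: an added example that is neither Shorewall's own code nor from the list. It assumes a simplified five-column rules format (ACTION SOURCE DEST PROTO DEST_PORT) and reports which of tcp 80/443 and udp/tcp 53 are still not accepted from loc to net, which is exactly the gap Tom Eastep pointed out; the rule sets it reads are constructed from the messages above.

```python
# Added example, not Shorewall's own code and not from the list: parse a
# simplified Shorewall rules file and flag this thread's failure mode,
# loc->net allowed on tcp 80/443 but not udp/tcp 53, so names never resolve.

# Constructed: the original poster's rules (web allowed, no DNS).
RULES_NO_DNS = """\
#ACTION SOURCE DEST PROTO DEST_PORT
ACCEPT  loc    net  tcp   80
ACCEPT  loc    net  tcp   443
"""

# Constructed: the same rules with Tom Eastep's DNS rules added.
RULES_WITH_DNS = RULES_NO_DNS + """\
ACCEPT  loc    net  udp   53
ACCEPT  loc    net  tcp   53
"""

WEB_PORTS = {("tcp", "80"), ("tcp", "443")}
DNS_PORTS = {("udp", "53"), ("tcp", "53")}


def parse_rules(text):
    """Return (action, source, dest, proto, port) tuples. Comments and
    blank lines are skipped, 'ACCEPT:debug' is read as ACCEPT, and a
    port list such as '80,443' is expanded to one tuple per port."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5:
            continue  # blank, comment, or a rule with no port column
        action, src, dst, proto, ports = fields[:5]
        for port in ports.split(","):
            rules.append((action.split(":")[0], src, dst, proto.lower(), port))
    return rules


def missing_for_web(text, src="loc", dst="net"):
    """(proto, port) pairs that browsing from src needs but the rules do
    not ACCEPT from src to dst. Empty set: browsing should work. If no
    web port is allowed at all there is nothing to check."""
    allowed = {(p, port) for a, s, d, p, port in parse_rules(text)
               if a == "ACCEPT" and s == src and d == dst}
    if not WEB_PORTS & allowed:
        return set()
    return (WEB_PORTS | DNS_PORTS) - allowed


if __name__ == "__main__":
    print("original rules, still blocked:", sorted(missing_for_web(RULES_NO_DNS)))
    print("with DNS rules, still blocked:", sorted(missing_for_web(RULES_WITH_DNS)))
```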