Guys,

After I got the port forwarding and everything else working as per my previous post, I ran a Shields-Up scan from grc.com on the firewall, i.e. a scan of the external interface. I'm a little surprised at the results.

On the firewall I have postfix running (SMTP, port 26), OpenSSH (ssh, port 22) and port forwarding of port 85 (on the firewall) to an internal host.

The Shields-Up scan shows port 26 as stealthed, port 22 as open and port 85 open as well. Port 113 (ident/auth) was listed as closed.

My questions:

1. Why is the SMTP port stealthed whilst the others are open?
2. What about port 113? Any issues / comments. How do I get rid of it?

regards,
marco.

-------------------------------------------------------------------------
SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
On Tue, Dec 18, 2007 at 01:03:52AM -0800, Linux Advocate wrote:
> After i got the port forwarding and everything else
> working as per my previous post, i ran a shields-up
> scan from grc.com on the firewall, i.e. a scan of the
> external interface.

Warning: this site is a worthless pile of junk, and has probably done more to retard the understanding of network security than anything else on record. Their 'scan' is both inaccurate and unhelpful.

If you want to know how your system behaves, do your own testing from a host on the outside. nmap, nc, and tcpdump are far more informative.
On Tue, 2007-12-18 at 09:48 +0000, Andrew Suffield wrote:
> If you want to know how your system behaves, do your own testing from
> a host on the outside. nmap, nc, and tcpdump are far more informative.

Andrew,

While I am (luckily) no longer in his position, I have been in the past. Many people simply do not have access to another host on the Internet from which they can freely run network scanning and snooping tools like nmap, nc and tcpdump.

b.
Linux Advocate wrote:
> My questions:
>
> 1. Why is the smtp port stealthed whilst other are
> open?

Two obvious questions: Why is postfix listening on port 26 rather than port 25? and, Do you have an ACCEPT or DNAT rule for port 26?

> 2. What about port 113 ? Any issues / comments. How do
> i get rid of it?

RTFF (Read the fine FAQ) -- in this case, it is FAQ 4.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Andrew, thanks for the heads-up. Specifically, what is wrong with that site? In what way is their scan inaccurate? I would like to warn some of my other buddies...

--- Andrew Suffield <asuffield@suffields.me.uk> wrote:
> On Tue, Dec 18, 2007 at 01:03:52AM -0800, Linux Advocate wrote:
> > After i got the port forwarding and everything else
> > working as per my previous post, i ran a shields-up
> > scan from grc.com on the firewall, i.e. a scan of the
> > external interface.
>
> Warning: this site is a worthless pile of junk, and has probably done
> more to retard the understanding of network security than anything
> else on record. Their 'scan' is both inaccurate and unhelpful.
>
> If you want to know how your system behaves, do your own testing from
> a host on the outside. nmap, nc, and tcpdump are far more informative.
Tom,

> > 1. Why is the smtp port stealthed whilst other are
> > open?
>
> Two obvious questions: Why is postfix listening on
> port 26 rather than port 25?

Our ISP has blocked port 25, therefore we are using port 26. I have modified postfix (postfix is just for cron messages only, our office mail server is hosted off-site) and also the SMTP macro to this end.

> Do you have an ACCEPT or DNAT rule for port 26?

In the policy file, I have set FW -> Net as ACCEPT. Since postfix is running on the FW, this should cut it, right?

> > 2. What about port 113? Any issues / comments.
> > How do i get rid of it?
>
> RTFF (Read the fine FAQ) -- in this case, it is FAQ 4.

I have read it before... nothing clicked.... but reading it again.... ==> I get it now! :)

If in the policy file I already have FW -> net, there is no need for me to add something in rules.. therefore should I conclude it's my postfix config which is wrong?

regards,
marco
Linux Advocate wrote:
> Tom,
>
> >>> 1. Why is the smtp port stealthed whilst other are
> >>> open?
> >> Two obvious questions: Why is postfix listening on
> >> port 26 rather than port 25?
>
> our isp has blocked port 25, therefore , we are using
> port 26, i have modified postfix ( postfix just for
> cron messages only , our office mail server is hosted
> off-site ) and also the smtp macro to this end.

Why???????

> >> Do you have an ACCEPT or DNAT rule for port 26?
>
> in the policy file , i have set FW -> Net as accept,
> since postfix is running on the FW , this should cut
> it rite ?

Sure -- but that is outbound. You aren't opening port 26 inbound so your default net->fw (or net->all) DROP policy will stealth the port inbound.

> >>> 2. What about port 113 ? Any issues / comments.
> >>> How do i get rid of it?
> >> RTFF (Read the fine FAQ) -- in this case, it is FAQ 4.
>
> i hv read it before... nothing clicked.... but
> ....reading it again.... ==> i get it now ! :)
>
> If in the policy file , i already have FW -> net ,
> there is no need for me to add something in rules..
> therefore should i conclude , its my postfix config
> which is wrong ?

I don't think there is anything wrong with your configuration.

-Tom
Tom, my replies below...

> >>> 1. Why is the smtp port stealthed whilst other are
> >>> open?
> >> Two obvious questions: Why is postfix listening on
> >> port 26 rather than port 25?
> >
> > our isp has blocked port 25, therefore , we are using
> > port 26, i have modified postfix ( postfix just for
> > cron messages only , our office mail server is hosted
> > off-site ) and also the smtp macro to this end.
>
> Why???????

1. The ISP blocked port 25 nationwide, not just my office.

> >> Do you have an ACCEPT or DNAT rule for port 26?
> >
> > in the policy file , i have set FW -> Net as accept,
> > since postfix is running on the FW , this should cut
> > it rite ?
>
> Sure -- but that is outbound. You aren't opening port 26 inbound so your
> default net->fw (or net->all) DROP policy will stealth the port inbound.

OK, I get this. The port is stealthed because inbound connections are blocked. Good, I understand now.

> > If in the policy file , i already have FW -> net ,
> > there is no need for me to add something in rules..
> > therefore should i conclude , its my postfix config
> > which is wrong ?
>
> I don't think there is anything wrong with your configuration.

OK. If the firewall is OK, then it must be my postfix config. Postfix was working before, i.e. I could get cron messages delivered to my Yahoo account. It stopped working just a few days ago.... I must have done something... helllll ...
On Tue, Dec 18, 2007 at 08:10:47PM -0800, Linux Advocate wrote:
> Andrew, thanx for the headsup. Specifically what is
> wrong with that site? In what way is their scan
> inaccurate? I would like to warn some of my other
> buddies...

Enumerating all of the ways in which it is alarmist marketing noise would take forever, but here's a few examples:

> Solicited TCP Packets: RECEIVED (FAILED) - As detailed in
> the port report below, one or more of your system's ports actively
> responded to our deliberate attempts to establish a connection. It
> is generally possible to increase your system's security by hiding
> it from the probes of potentially hostile hackers.

Sheer nonsense. The system is rejecting those connections, it is not magically somehow "more secure" if it doesn't send a RST packet.

> Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our
> Ping (ICMP Echo) requests, making it visible on the Internet. Most
> personal firewalls can be configured to block, drop, and ignore such
> ping requests in order to better hide systems from hackers. This is
> highly recommended since "Ping" is among the oldest and most common
> methods used to locate systems prior to further exploitation.

There are no recorded instances of people using ping to find systems to exploit. What would be the point? Ping is useful only to people who are trying to diagnose network faults, and disabling it causes nothing but harm to their efforts.

> Secure Shell provides a secure-connection version of the Telnet
> remote console service with additional features. Unfortunately, the
> SSH services and their security add-on packages have a long history
> of many widely exploited buffer overflow vulnerabilities.

A long history of a whole two exploits in the past decade or so.

What you have to realise is that grc.com is trying to sell you stuff (used to be zonealarm, I haven't bothered to check what it is these days). It's all about trying to convince you that a problem exists, so that you'll pay for one of their 'solutions'.

Even if you do manage to 'pass' their tests, that doesn't really mean anything because all they test are the low-valued TCP ports. There's plenty of stuff in common use that doesn't work that way, like bittorrent or DNS. If you want to test your firewall properly, you're going to have to use something else anyway.
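Andrew's advice (test from a host on the outside with nmap, nc and tcpdump) and his point that a RST reply ("closed") is no less secure than silence ("stealth"), turned into a script. This is an added example, not something posted in the thread: the scan functions are what you would run from the outside host, and the small parser maps nmap's greppable output onto the three words the Shields-Up report uses. TARGET, the documentation address 203.0.113.10 and the sample nmap line are all constructed placeholders; nmap -sS needs root.

```shell
#!/bin/sh
# Added example, not from the thread.  Run scan_external on a machine outside
# the firewall; the parser and labels below work offline on a constructed line.

# nmap state -> the word the grc.com report uses for the same observation.
#   open     : SYN/ACK came back; something listens and the firewall let it through
#   closed   : RST came back; the firewall REJECTs, or the host is reachable
#              but nothing listens.  Not less secure than silence, just louder.
#   filtered : no reply at all; the firewall DROPs.  Shields-Up calls this "stealth".
grc_label() {
    case "$1" in
        open)     echo open ;;
        closed)   echo closed ;;
        filtered) echo stealth ;;
        *)        echo unknown ;;
    esac
}

# Parse one "Host:" line of nmap -oG output and print "port state" pairs.
# Each entry after "Ports: " has the shape port/state/proto/owner/service/rpc/version/.
parse_nmap_grepable() {
    printf '%s\n' "$1" | awk '
        {
            sub(/.*Ports: /, "")
            sub(/[ \t]*Ignored State.*/, "")
            n = split($0, entries, /, /)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                print f[1], f[2]
            }
        }'
}

# The probes Andrew is recommending, for exactly the ports under discussion.
scan_external() {
    target="$1"
    # SYN scan, greppable output, no ping sweep (the firewall may drop ICMP).
    nmap -Pn -sS -p 22,26,85,113 -oG - "$target"
    # Does the listener on 26 actually talk SMTP, or is it only "open"?
    printf 'QUIT\r\n' | nc -w 5 "$target" 26
    # In another terminal on the outside host, watch what comes back per port
    # (SYN/ACK, RST, or nothing) while the two commands above run:
    #   tcpdump -ni eth0 "host $target and tcp and (port 22 or port 26 or port 85 or port 113)"
}

# Constructed sample: the result marco reported, written as an nmap -oG line.
SAMPLE_LINE='Host: 203.0.113.10 ()  Ports: 22/open/tcp//ssh///, 26/filtered/tcp/////, 85/open/tcp/////, 113/closed/tcp//auth///'

# Print the sample as a Shields-Up style report ("26 stealth", "113 closed", ...).
report_sample() {
    parse_nmap_grepable "$SAMPLE_LINE" | while read -r port state; do
        printf '%s %s\n' "$port" "$(grc_label "$state")"
    done
}

if [ -n "${TARGET:-}" ]; then
    scan_external "$TARGET"
fi
```

Usage on the outside host: `TARGET=203.0.113.10 sh scan.sh`, then pipe the `Host:` line of the nmap output through `parse_nmap_grepable` and `grc_label` to compare with what the web scanner claimed. The value of doing it yourself is the tcpdump view: you see whether a port is "closed" because the firewall sent a RST (REJECT) or because nothing answered (DROP), which the scanner's labels blur together with "more" or "less" secure.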
Thanks Andrew. I'm learning. I will pass the word around....

--- Andrew Suffield <asuffield@suffields.me.uk> wrote:
> On Tue, Dec 18, 2007 at 08:10:47PM -0800, Linux Advocate wrote:
> > Andrew, thanx for the headsup. Specifically what is
> > wrong with that site? In what way is their scan
> > inaccurate? I would like to warn some of my other
> > buddies...
>
> Enumerating all of the ways in which it is alarmist marketing noise
> would take forever, but here's a few examples:
>
> > Solicited TCP Packets: RECEIVED (FAILED) - As detailed in
> > the port report below, one or more of your system's ports actively
> > responded to our deliberate attempts to establish a connection. It
> > is generally possible to increase your system's security by hiding
> > it from the probes of potentially hostile hackers.
>
> Sheer nonsense. The system is rejecting those connections, it is not
> magically somehow "more secure" if it doesn't send a RST packet.
>
> > Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our
> > Ping (ICMP Echo) requests, making it visible on the Internet. Most
> > personal firewalls can be configured to block, drop, and ignore such
> > ping requests in order to better hide systems from hackers. This is
> > highly recommended since "Ping" is among the oldest and most common
> > methods used to locate systems prior to further exploitation.
>
> There are no recorded instances of people using ping to find systems
> to exploit. What would be the point? Ping is useful only to people who
> are trying to diagnose network faults, and disabling it causes nothing
> but harm to their efforts.
>
> > Secure Shell provides a secure-connection version of the Telnet
> > remote console service with additional features. Unfortunately, the
> > SSH services and their security add-on packages have a long history
> > of many widely exploited buffer overflow vulnerabilities.
>
> A long history of a whole two exploits in the past decade or so.
>
> What you have to realise is that grc.com is trying to sell you stuff
> (used to be zonealarm, I haven't bothered to check what it is these
> days). It's all about trying to convince you that a problem exists, so
> that you'll pay for one of their 'solutions'.
>
> Even if you do manage to 'pass' their tests, that doesn't really mean
> anything because all they test are the low-valued TCP ports. There's
> plenty of stuff in common use that doesn't work that way, like
> bittorrent or DNS. If you want to test your firewall properly, you're
> going to have to use something else anyway.
Linux Advocate wrote:
> Tom , my replies below...
>
> >>>>> 1. Why is the smtp port stealthed whilst other are
> >>>>> open?
> >>>> Two obvious questions: Why is postfix listening on
> >>>> port 26 rather than port 25?
> >>> our isp has blocked port 25, therefore , we are using
> >>> port 26, i have modified postfix ( postfix just for
> >>> cron messages only , our office mail server is hosted
> >>> off-site ) and also the smtp macro to this end.
> >> Why???????
>
> 1. the isp blocked port 25 nationwide , not just my
> office.

Fine -- but what I was asking is why you are modifying the SMTP macro; you don't even need to use it!!! And if you _did_ need to use it, you could do this:

    SMTP/ACCEPT foo bar - 26

which, IMO, is much clearer than invoking a modified SMTP macro that has nothing to do with the normal SMTP port (25).

-Tom
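Tom's two points, that the fw->net ACCEPT policy is outbound only so the net->fw DROP policy is what "stealths" port 26 inbound, and that a port can be passed to the stock SMTP macro instead of editing the macro file, laid out as the policy and rules files they imply. This is an added example, not configuration posted by anyone in the thread: the zone names (net, loc, $FW), the internal address 192.168.1.10 behind the port-85 forward, and the staging directory are assumptions of the script, and the remark about port 113 is my reading of the FAQ Tom points to.

```shell
#!/bin/sh
# Added example, not from the thread.  Writes a Shorewall policy/rules pair
# into a staging directory (assumed default below) so it can be diffed against
# /etc/shorewall before anything is copied into place.
STAGE="${STAGE:-${TMPDIR:-/tmp}/shorewall-staging}"

write_policy() {
    mkdir -p "$STAGE"
    cat > "$STAGE/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
# Outbound from the firewall itself.  This is the policy marco has, and it is
# all that postfix on the box needs to connect *out* to the relay on port 26.
$FW       net    ACCEPT
loc       net    ACCEPT
# Inbound to the firewall.  DROP sends nothing back, so an outside scanner
# reports "stealth".  Shorewall's standard Drop action deliberately REJECTs
# tcp/113 (ident) so hosts doing ident lookups fail fast instead of hanging,
# which is why the scan showed 113 as "closed" rather than "stealthed".
net       $FW    DROP     info
net       all    DROP     info
all       all    REJECT   info
EOF
}

write_rules() {
    mkdir -p "$STAGE"
    cat > "$STAGE/rules" <<'EOF'
#ACTION      SOURCE  DEST             PROTO  DEST PORT(S)
# The two things the scan showed as "open": sshd on the firewall and the
# forward of external tcp/85 to an internal host (192.168.1.10 is assumed).
ACCEPT       net     $FW              tcp    22
DNAT         net     loc:192.168.1.10 tcp    85
# There is no inbound rule for 26, so the DROP policy applies and the port is
# "stealthed".  That is correct for a box that only *sends* cron mail; nothing
# has to be added unless mail must be delivered to it from the Internet.
#
# If inbound 26 were wanted, either line below opens it.  The plain ACCEPT is
# the clearer one; the macro form is Tom's point that the port can be given
# to the stock SMTP macro instead of editing the macro file.
#ACCEPT      net     $FW              tcp    26
#SMTP/ACCEPT net     $FW              -      26
EOF
}

# Count the lines Shorewall will actually compile (non-comment, non-blank),
# so a reader can confirm what was written before running "shorewall check".
count_active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -c .
}

write_policy
write_rules
# On the firewall, after copying the files into /etc/shorewall:
#   shorewall check && shorewall restart
```

The thing to take from the pair is direction: a policy or rule is read as SOURCE zone to DEST zone, so `$FW net ACCEPT` says nothing about connections arriving from net. Whether the inbound policy is DROP or REJECT decides only whether the scanner prints "stealth" or "closed"; neither lets a packet reach postfix.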
Tom,

Thanks for the pointer.

> Fine -- but what I was asking is why you are modifying the SMTP macro;
> you don't even need to use it!!! And if you _did_ need to use it, you
> could do this:
>
>     SMTP/ACCEPT foo bar - 26
>
> which, IMO, is much clearer than invoking a modified SMTP macro that has
> nothing to do with the normal SMTP port (25).
>
> -Tom