Re: [suse-security] Hi @ll -----> I have problems with my firewall
Hi, isn't NFS 111 (portmap) and 2049 (NFS itself)? I think those ports worked for me.
Regards, Stefan

-----Original Message-----
From: Ralf Koch [mailto:info@formel4.de]
Sent: Thursday, 04 October 2001 00:36
To: suse-security@suse.com
Subject: Re: [suse-security] Hi @ll -----> I have problems with my firewall

Hi Rüdiger.
On my server a 2.4 kernel with an iptables firewall is running. I have already set up a few rules, but there are still problems downloading my emails. It takes about 15 seconds to check if there's mail; without the firewall it only takes half a second.
That's the good old port 113 problem. Set up a rule to reject incoming TCP 113 and you are fine with that. (That's kind of a FAQ.)
Another problem is that I can reach neither an internal nor an external PC using ssh.
[...]
### SSH server TCP enable! ###
iptables -A INPUT -p TCP --dport 22 -j ACCEPT
iptables -A OUTPUT -p TCP --sport 22 -j ACCEPT
### SSH server UDP enable! ###
iptables -A INPUT -p UDP --dport 22 -j ACCEPT
iptables -A OUTPUT -p UDP --sport 22 -j ACCEPT
[...]
Ok, your rules allow incoming SSH connections from anywhere to this server. To allow outgoing connections simply enter:
iptables -A OUTPUT -p TCP --dport 22 -j ACCEPT
iptables -A INPUT -p TCP --sport 22 -j ACCEPT
But why do you open port 22 UDP? I don't remember SSH using UDP connections.
When my firewall is up I can't use the nfs drive.
Ummm. Somebody for the NFS ports? I actually don't remember the correct port numbers...
Who can help me solving these problems???
Hmmm. Having a deeper look at your rules, there's a lot of obsolete stuff. Sorry for not helping you with that, but I'm still using ipchains and won't give you wrong answers. Anybody else for cleaning up the iptables configuration?
Cheers, Ralf
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
* Peer Stefan wrote on Thu, Oct 04, 2001 at 08:39 +0200:
isn't nfs 111 (portmap) and 2049 (nfs itself)? i think those ports worked
Isn't it dynamic? Usually that is what the portmapper is for :). Is it possible to use a fixed port for nfs, yp* and co?
oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
rpc is 111. nfs is 2049. rpc services are typically dynamic (although many
are also static). yp/etc use rpc to glue it together. I mean otherwise you'd
be blindly sending off packets to a server hoping an rpc service is
listening on some random port =) You have to leave 111 available typically
so they can figure out what's up.
Kurt
* Kurt Seifried wrote on Thu, Oct 04, 2001 at 03:47 -0600:
rpc is 111. nfs is 2049.
On _your_ Linux host running kfsd this may be true. But I couldn't firewall it, since it may change. IIRC, user-space NFS uses a different port, for instance.
rpc services are typically dynamic (although many are also static).
"Some may be static for some time under certain circumstances."
yp/etc use rpc to glue it together. I mean otherwise you'd be blindly sending off packets to a server hoping an rpc service is listening on some random port =)
That's what the portmapper is for. But first, it's not really secure, and second, a firewall will not query the portmapper to learn what port is allowed (in the case of yp) or prohibited (in the case of, e.g., ypxfr).
You have to leave 111 available typically so they can figure out what's up.
Of course. And to be sure, I have to open all other ports, since RPC may use port 998 or 2048. Opening all ports is not a nice firewall :) [full quote cut]
oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
Hi, On Thursday 04 October 2001 13:08, you wrote:
* Kurt Seifried wrote on Thu, Oct 04, 2001 at 03:47 -0600:
rpc is 111. nfs is 2049.
On _your_ Linux host running kfsd this may be true. But I couldn't firewall it, since it may change. IIRC, user-space NFS uses a different port, for instance.
No. User-space NFS uses 2049. Just make sure it is listed in /etc/services; it will happily use that port.
rpc services are typically dynamic (although many are also static).
[snipped]
Of course. And to be sure, I have to open all other ports, since RPC may use port 998 or 2048. Opening all ports is not a nice firewall :)
Do you mean mountd? Well, rpc.mountd uses random ports _unless_ you put a fixed port in /etc/services. E.g.
mount 755/tcp
mount 755/udp
would mean rpc.mountd will _always_ use this port. Makes firewalling much easier. I'm not sure if you can trick other rpc services in the same way, but I haven't checked them all. I know for sure it's working for mountd.
Regards, Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
* Martin Leweling wrote on Thu, Oct 04, 2001 at 13:28 +0200:
Do you mean mountd? Well, rpc.mountd uses random ports _unless_ you put a fixed port in /etc/services. E.g.
mount 755/tcp
mount 755/udp
would mean rpc.mountd will _always_ use this port. Makes firewalling much easier.
Hey, CooL! That is the trick! I put nfs into services on my home server (it's Saturday :)), and nfs used the port. Well, no YP here; will try it, but it looks optimistic. Thank you, this was one of the most important tips for me!! CooL.
oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
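An added example, not code from anyone in this thread, that pulls together the three fixes discussed: the TCP 113 reject from Ralf's reply, stateful SSH rules in place of the --sport/--dport pairs he was asked about, and the NFS rules with rpc.mountd pinned through /etc/services as Martin describes. The "mount" service name and port 755 follow Martin's mail; the IPT and MOUNTD_PORT variables, the dry-run mode and the mountd_pinned check are assumptions of this example, and the state match assumes a 2.4 kernel with connection tracking loaded (chain policies and other services are left out).

```shell
#!/bin/sh
# Added example (not from the thread). Consolidates: reject ident (TCP 113),
# stateful SSH rules, and NFS with mountd pinned to a fixed port.
# Assumes a 2.4 kernel with the iptables "state" match available.
IPT="${IPT:-iptables}"            # set IPT="echo iptables" for a dry run
MOUNTD_PORT="${MOUNTD_PORT:-755}" # hypothetical pin, as in Martin's mail

fw_rules() {
    # 1. Ident: REJECT with a TCP reset instead of DROP, so the remote mail
    #    server's identd lookup fails at once rather than waiting for a
    #    timeout (the ~15 s delay when fetching mail).
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # 2. SSH: accept NEW connections on port 22 in and out; reply packets
    #    are matched by connection state, so no --sport 22 rule is needed
    #    (a bare --sport match accepts anything sent from source port 22).
    #    No UDP rule: SSH is TCP only.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 3. NFS: portmapper (111), nfsd (2049) and the pinned mountd port, TCP
    #    and UDP. Without the pin, mountd lands on a random RPC port.
    for port in 111 2049 "$MOUNTD_PORT"; do
        $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT
        $IPT -A INPUT -p udp --dport "$port" -j ACCEPT
    done
}

# Return 0 when the services file (default /etc/services) pins the "mount"
# service to MOUNTD_PORT for both tcp and udp.
mountd_pinned() {
    f="${1:-/etc/services}"
    grep -Eq "^mount[[:space:]]+$MOUNTD_PORT/tcp" "$f" &&
    grep -Eq "^mount[[:space:]]+$MOUNTD_PORT/udp" "$f"
}

# Refuse to load the rules if mountd is not pinned: opening 111/2049 alone
# gives a firewall that still breaks mounts.
if [ "${1:-}" = "load" ]; then
    mountd_pinned || { echo "mountd not pinned in /etc/services" >&2; exit 1; }
    fw_rules
fi
```

Run it as `sh fw.sh load` to apply, or with `IPT="echo iptables"` exported to print the rules first.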