I'm posting to the list since I can't seem to get through to your email address. On Tuesday 10 September 2002 21.16, Jacob Fierberg wrote:
I did another nmap on the external ip and I also had the folks at GRC.com run a "ShieldsUP" scan of my firewall and found the following ports open (telnet, finger, pop3 and ident). According to them ftp is closed as well. Any ideas how to lock down the open ports?
grc.com is not reliable. It can show closed ports open and it can show open ports closed. Did the nmap results show the same? Was the nmap run from another machine, or did you run from localhost but you used the ip of the external NIC? Don't do that! Use another machine!

ident is filtered by SuSEfirewall in a special way that makes the port appear, but not used. This is because if it was completely blocked, some services on the net, such as mail, would take an enormous amount of time to run.

The other services you mention are all controlled from inetd. You can check if they are used by grepping in /etc/inetd.conf

  grep telnet /etc/inetd.conf

for instance, on my machine, gives

  # If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN
  # uplink), add "-n". See 'man telnetd' for more details.
  telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
  # Try "telnet localhost systat" and "telnet localhost netstat" to see that

Lines 1, 2 and 4 are obviously comments. The third line is the service line. If it starts with a # it isn't used. As you can see, my telnet is used. Is your telnet line uncommented? If it is, you'll know you can't trust the result of the scan.

If the above doesn't help, use this command

  /sbin/iptables -L

to see if the firewall rules are loaded at all.

Post back to the list with your progress, or if you have more questions

regards
Anders
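The inetd.conf check from the reply above, done more systematically as an added example (this script is not from Anders' post or from SuSE): for each service a scanner reported open it says whether inetd actually has that service enabled, commented out, or not listed at all, and it lists every active service line. The sample inetd.conf it writes is constructed, modelled on the lines quoted in the reply.

```shell
#!/bin/sh
# Cross-check a port scan against /etc/inetd.conf (added example, not from the thread).

# write_sample_conf FILE -> writes a constructed inetd.conf to FILE.
# telnet and pop3 are active; finger is present but commented out; ident is absent.
write_sample_conf() {
    cat > "$1" <<'EOF'
# See "man 8 inetd" for more information.
# If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN
# uplink), add "-n". See 'man telnetd' for more details.
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# Try "telnet localhost systat" and "telnet localhost netstat" to see that
# finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popper -s
EOF
}

# inetd_service_state FILE SERVICE -> prints "enabled", "disabled" or "absent".
# A service line is active only when the service name is the first field and the
# line does not start with '#'; a service that appears only behind '#' is disabled.
inetd_service_state() {
    file=$1; svc=$2
    if awk -v s="$svc" '$1 == s { found = 1 } END { exit !found }' "$file"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$svc[[:space:]]" "$file"; then
        echo disabled
    else
        echo absent
    fi
}

# inetd_enabled_services FILE -> one active service name per line
# (blank lines and comment lines are skipped).
inetd_enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# check_scan FILE SERVICE... -> one "service: state" line per service the scanner
# reported, so a false positive (enabled nowhere) stands out immediately.
check_scan() {
    file=$1; shift
    for svc in "$@"; do
        echo "$svc: $(inetd_service_state "$file" "$svc")"
    done
}

# Demo on the constructed file; on a real host use /etc/inetd.conf instead.
demo=$(mktemp)
write_sample_conf "$demo"
check_scan "$demo" telnet finger pop3 ident
inetd_enabled_services "$demo"
rm -f "$demo"
```

A service reported open by a scanner but shown as "absent" or "disabled" here is either served by something other than inetd (check with netstat or lsof) or a scanner false positive.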