Hallo,

I have problems with my ipchains firewall. When I run a portscan with nmapwin to my linux box from the internet it shows me the following ports as open:

7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
18/tcp open msp
19/tcp open chargen
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
43/tcp open whois
53/tcp open domain
70/tcp open gopher
79/tcp open finger
80/tcp open http
81/tcp open hosts2-ns
88/tcp open kerberos-sec
109/tcp open pop-2
110/tcp open pop-3
113/tcp open auth
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap2
389/tcp open ldap
443/tcp open https
465/tcp open smtps
513/tcp open login
554/tcp open rtsp
563/tcp open snews
569/tcp open ms-rome
636/tcp open ldapssl
749/tcp open kerberos-adm
993/tcp open imaps
995/tcp open pop3s
1002/tcp open unknown
1494/tcp open citrix-ica
1720/tcp open H.323/Q.931
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
5190/tcp open aol
5400/tcp open pcduo-old
6667/tcp open irc
7000/tcp open afs3-fileserver
7070/tcp open realserver
10000/tcp open snet-sensor-mgmt
12000/tcp open cce4x

The only services that are running to the outside:
Sshd Httpd Ftpd

There are other services but not reachable from outside:
Smtp Imap Squid Webmin

The rest is definitely blocked by the firewall rules (only to outside interface). The firewall log shows that the ports are blocked. I see the portscan and I see that, for example, Port 25 is denied.

Weird: On Port 10000 I've webmin running only reachable from the inside. Why does nmap show snet-sensor-mgmt ????

Why does nmapwin (and other port scanners) show that so many ports are in the state OPEN???

By the way, when I start nmap locally on the firewall then it shows the correct ports open:
Sshd Httpd Ftpd Smtp Imap Squid webmin

Best regards
Volker
* Volker Spies wrote on Wed, Nov 27, 2002 at 10:58 +0100:
When I run a portscan with nmapwin to my linux box from the internet it shows me the following ports as open:
[...]
23/tcp open telnet 25/tcp open smtp [...]
The rest is definitely blocked by the firewall rules (only to outside interface). The firewall log shows that the ports are blocked. I see the portscan and I see that, for example, Port 25 is denied.
Maybe the nmap of this host is just broken or such? I use REJECT (also ipchains) as policy, and nmap from outside shows what I expect.
Weird: On Port 10000 I've webmin running only reachable from the inside. Why does nmap show snet-sensor-mgmt ????
What kind of policy do you use for reject/deny and what type of scan? What happens when you i.e. telnet to your box? With REJECT, I get a connection refused immediately.
Why does nmapwin (and other port scanners) show that so many ports are in the state OPEN???
Maybe it's broken...

oki,

Steffen

--
This message was produced by machine; it therefore bears neither signature nor seal.
Hi Volker Spies,
The rest is definitely blocked by the firewall rules (only to outside interface). The firewall log shows that the ports are blocked. I see the portscan and I see that, for example, Port 25 is denied.
to deny port 25 (smtp) is not a good idea. Port 109 (pop2) you can deny. The pop2 protocol is older than pop3. Pop3 is the default for getting mails via dial-up. If you have a mailserver in your DMZ you can disable pop3 to outside. The mail exchange between the mailservers uses smtp (by default).

Some other things I've seen in your portscan log: Why are you using MS Terminal Server in addition to the Citrix ICA client? I have heard that Terminal Server produces much more traffic over the LAN than Citrix. The reason for this is that Terminal Server sends every change of the screen (the new picture completely) to the thin client. Citrix only sends the difference between the screen pictures. So the traffic sent by using Citrix is much more reduced than using Terminal Server.

Regards,
Ruprecht

----------------------------------
Ruprecht Helms
IT-Service und Softwareentwicklung
Tel/Fax.: +49[0]7621 16 99 16
Homepage: http://www.rheyn.de
email: info@rheyn.de
----------------------------------
* Ruprecht Helms wrote on Wed, Nov 27, 2002 at 11:39 +0100:
to deny port 25 (smtp) is not a good idea.
Can you please explain that? I happily block tcp/25 on all servers except mailservers.
dial-up. If you have a mailserver in your DMZ you can disable pop3 to outside.
And if I have a POP3 server in the LAN I cannot block?!

oki,

Steffen

--
This message was produced by machine; it therefore bears neither signature nor seal.
Hi Steffen Dettmer,
Can you please explain that? I happily block tcp/25 on all servers except mailservers.
that is ok. I meant that you have blocked it on the central firewall.
dial-up. If you have a mailserver in your DMZ you can disable pop3 to outside.
And if I have a POP3 server in the LAN I cannot block?!
I don't think so, or we are talking about different things. I wrote to block it to outside and not to your internal LAN. If you have the POP3 server in your DMZ then you enable it for use from inside, but block it to outside. The only reason to open the use of the pop3 server from outside is that your company has employees who deal with customers, make a lot of visits to the customers and need to read the company mails at any time.

Regards,
Ruprecht

----------------------------------
Ruprecht Helms
IT-Service und Softwareentwicklung
Tel/Fax.: +49[0]7621 16 99 16
Homepage: http://www.rheyn.de
email: info@rheyn.de
----------------------------------
* Ruprecht Helms wrote on Wed, Nov 27, 2002 at 13:50 +0100:
Can you please explain that? I happily block tcp/25 on all servers except mailservers.
that is ok.
Thank you.
I meant that you have blocked it on the central firewall.
I think it's my choice where I block unwanted packets. You wrote:
to deny port 25 (smtp) is not a good idea.
I did not understand that this was meant as "You have to block port 25 on the central firewall.", sorry.
dial-up. If you have a mailserver in your DMZ you can disable pop3 to outside.
And if I have a POP3 server in the LAN I cannot block?!
I don't think so, or we are talking about different things. I wrote to block it to outside and not to your internal LAN.
It does not depend on the location of the POP3 server. You can and should block POP3 for anything you don't want; if you have no external clients, you can block it completely, no matter if the server resides in the DMZ or wherever.
If you have the POP3 server in your DMZ then you enable it for use from inside, but block it to outside.
Ohh, I see, you suggest to allow the service for the internal permitted sources. Yes, of course, I thought this is clear.
The only reason to open the use of the pop3 server from outside is that your company has employees who deal with customers, make a lot of visits to the customers and need to read the company mails at any time.
Well, if you have no other chance... I would prefer to set up another POP3 server or use one from some ISP.

oki,

Steffen

--
This message was produced by machine; it therefore bears neither signature nor seal.
Hi Steffen Dettmer,
Can you please explain that? I happily block tcp/25 on all servers except mailservers.
that is ok.
Thank you.
I meant that you have blocked it on the central firewall.
sorry I thought.
I think it's my choice where I block unwanted packets. You wrote:
Of course we all are free in doing.
to deny port 25 (smtp) is not a good idea.
I did not understand that this was meant as "You have to block port 25 on the central firewall.", sorry.
I mean that port must be enabled. That is a double no in the sentence. Look above, you wrote it - so I mean it, but I thought that you had done it by setting a central rule.
[...]
There is a way if you have a pop3 server and want to give it free to inside and to outside. I have forgotten the problem of the unroutable IP addresses in the LAN (the normal way when using a firewall). In this case you can use a pop3 proxy. For example you have an Exchange server (it wants to be PDC or BDC) in your company that is placed in your LAN, so you have to move the mails into the LAN. For security reasons I myself don't like an NT or W2K domain that is routed through a firewall. I prefer to put the above mentioned proxy in the DMZ that forwards mails (smtp server) to the MS Exchange and builds a door to your internal pop3 server (MS Exchange). Such software is Sambar (http://www.sambar.com) - that is a different one from the fileserver Samba. To run Sambar you need Windows.

Regards,
Ruprecht
Maybe you should try to connect to some of these ports with telnet. So you can see if/where something went wrong. E.g.

telnet <IP-of-your-machine> 21

should give something like that among other messages:

220 ProFTPD 1.2.2 Server (powered by SuSE Linux)

where

telnet <IP-of-your-machine> 13

should be rejected:

telnet: connect to address <IP-address>: Connection refused

when you are not running a daytime service... You should especially check the ports you definitely run services on! And maybe you should look at your process status (ps -fax): which services do run on the machine?

--
Eat, sleep and go running,
David Huecking.
Encrypted eMail welcome! GnuPG/PGP-Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216

On Wed, 27 Nov 2002, Volker Spies wrote:
Hallo,
I have problems with my ipchains firewall.
When I run a portscan with nmapwin to my linux box from the internet it shows me the following ports as open:
7/tcp open echo 9/tcp open discard [many lines deleted...]
The only services that are running to the outside:
Sshd Httpd Ftpd
There are other services but not reachable from outside:
Smtp Imap Squid Webmin
The rest is definitely blocked by the firewall rules (only to outside interface). The firewall log shows that the ports are blocked. I see the portscan and I see that, for example, Port 25 is denied.
Weird: On Port 10000 I've webmin running only reachable from the inside. Why does nmap show snet-sensor-mgmt ????

It's only a table (e.g. /etc/services)... and ports >1023 are more or less free to use.
Why does nmapwin (and other port scanners) show that so many ports are in the state OPEN???
By the way, when I start nmap locally on the firewall then it shows the correct ports open:
Sshd Httpd Ftpd Smtp Imap Squid webmin
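The manual telnet checks Steffen and David suggest, as an added Python example that is not part of the thread: re-probe the ports a scan reported open with a plain TCP connect and classify each answer (handshake completed, refused at once, ICMP unreachable, or no answer), which is what separates a real listener from an ipchains REJECT or DENY. The sample scan lines and the loopback listener are constructed for the example; the host and timeout are assumptions.

```python
import re
import socket

# Constructed sample in the shape of the nmap lines quoted in the thread.
SCAN_OUTPUT = """\
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
10000/tcp open snet-sensor-mgmt
"""


def parse_open_ports(text):
    """Return the TCP ports an nmap-style report lists as open."""
    return [int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", text, re.M)]


def probe_tcp(host, port, timeout=2.0):
    """Classify one port the way a telnet check would.
    'open'        handshake completed: a daemon really listens there
    'refused'     RST or ICMP port unreachable came back at once
                  (closed port, or an ipchains REJECT rule)
    'unreachable' ICMP host/net unreachable or other immediate error
    'filtered'    nothing came back before the timeout (DENY/drop)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def verify_scan(host, text, timeout=2.0):
    """Re-check every port the scanner called open. Any verdict other than
    'open' means the scanner's view and the host's reality disagree."""
    return {p: probe_tcp(host, p, timeout) for p in parse_open_ports(text)}


def open_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port to stand in for a
    real daemon (the 'open' case) when trying this out offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    for port, verdict in verify_scan("127.0.0.1", SCAN_OUTPUT, 1.0).items():
        print(f"{port:>5}/tcp  scanner: open  probe: {verdict}")
```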