Re: [suse-security] FW port 113 keeps open
On Fri, 13 September 2002, Peter Wiersig wrote: Beyond the discussion of why I should leave port 113 open my problem is that I am not able to configure the FW to reject connections to this port.
The firewall rules you listed above should close the port on the firewall machine itself.
I would recommend that you leave the port open so that you will not have to endure the hang period.
Now I wonder... do you mean it is mandatory to have identd opened???
Regards,
Pep.
Pep Serrano
Beyond the discussion of why I should leave port 113 open my problem is that I am not able to configure the FW to reject connections to this port.
Maybe you cannot follow the answers. The fact is, your portscan showed port 113 closed. If you read /sbin/SuSEfirewall2 and look for the variable $REJECT, you will see it is changed to DROP. There are different policies. You want to block traffic. If you say REJECT instead of DROP, the connection hangs on that port. The rule you are talking about is, like said before, essentially needed by the SMTP server. If you say REJECT, your mails will take ages until they are sent. The port is definitely closed.

If you want to have most scans banned, you should deactivate ping (and traceroute) in the firewall config. With this, only "nmap -sS -P0 <ip>"-like scans will succeed. Other scans' ICMP packets will get rejected and the scan lasts for ages! :-) If you don't believe it, read about the netfilter techniques. This is a standard rule you will find on every kind of firewall, without ident used.

Maybe you opened identd on localhost and found it open locally. Deactivate it; it is not needed by the SMTP server because of this --reject-with tcp-reset tag!

Philippe
Pep wrote:
Now I wonder... do you mean it is mandatory to have identd opened??
Unless you specifically enable 113, it is not open to outside connections; it is treated differently so that your system works. The difference is whether it DROPs the packets or answers by REJECTing the packet. If it DROPs, there is no answer at all, and any messages to ident will time out, slowing you down. If it answers by REJECTing, the other server gives up INSTEAD of timing out. IIRC, you could change this by editing the firewall script, but I would suggest leaving it closed as per default, which is to REJECT rather than to DROP.

--
Joe & Sesil Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace of God, I am what I am.
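To make the DROP-versus-REJECT difference that Philippe and Joe describe concrete, here is an added example (not from the thread and not SuSEfirewall2 code): an RFC 1413 ident lookup as a mail server issues it, run against constructed loopback stand-ins. A port with no listener answers the SYN with a TCP reset, which is what REJECT --reject-with tcp-reset produces; since a real DROP cannot be reproduced offline, a peer that accepts the query and never answers stands in for the silence the caller has to wait out.

```python
# Ident (RFC 1413) lookup the way an MTA issues it, with its own timeout. Constructed
# example: RST (REJECT --reject-with tcp-reset) fails fast; silence (DROP) is waited out.
import socket
import threading
import time

def ident_lookup(host, port, server_port, client_port, timeout=2.0):
    """Ask host:port who owns client_port of its connection to our server_port.
    Returns (status, detail, seconds): 'userid', 'error', 'refused' or 'timeout'."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{server_port}, {client_port}\r\n".encode())
            data = s.recv(1024).decode(errors="replace").strip()
    except ConnectionRefusedError:  # peer sent RST: the REJECT tcp-reset case
        return "refused", None, time.monotonic() - start
    except socket.timeout:  # nothing came back before our timer ran out: the DROP case
        return "timeout", None, time.monotonic() - start
    # Reply: "<sport>, <cport> : USERID : <os> : <user>"  or  "<sport>, <cport> : ERROR : <code>"
    fields = [f.strip() for f in data.split(":")]
    if len(fields) >= 4 and fields[1] == "USERID":
        return "userid", fields[3], time.monotonic() - start
    return "error", fields[2] if len(fields) >= 3 else data, time.monotonic() - start

def fake_peer(reply=None, hold=5.0):
    """Constructed stand-in for the remote port 113: sends reply, or when reply is
    None accepts the query and stays silent for hold seconds (what DROP feels like)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            if reply is None:
                time.sleep(hold)
            else:
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Loopback port with no listener: the SYN gets an RST, like REJECT --reject-with tcp-reset."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Compare the seconds returned for closed_port() with those for fake_peer(None): the first comes back at once, the second only after the caller's own timeout, which is the mail delay the thread is about.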
participants (3)
- Joe & Sesil Morris (NTM)
- Pep
- Philippe Vogel