Re: Running processes...

2004-07-16 Thread Lowell Gilbert
[EMAIL PROTECTED] (Uwe Klann) writes:

 in the message Running processes from Sat Feb 14 08:26:45 PST 2004
 it is written in the article that an IPFILTER sample rule set is available.
 I am interested to get a copy. Thank you.

You mean like /usr/share/examples/ipfilter/* ?

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Running processes...

2004-07-15 Thread Bill Moran
[EMAIL PROTECTED] (Uwe Klann) wrote:
 Hi JJB,
 in the message Running processes from Sat Feb 14 08:26:45 PST 2004
 it is written in the article that an IPFILTER sample rule set is available.
 I am interested to get a copy. Thank you.

I think you've got the wrong address.  This is the FreeBSD questions mailing
list, and I don't think anyone here understands which message you're
talking about.  If you provide more details, I'm sure someone can help.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Running processes...

2004-02-14 Thread Kirk Strauser
At 2004-02-14T12:42:55Z, Eric F Crist [EMAIL PROTECTED] writes:

 I mainly need to get rid of 783, 587.  What are those anyways?

587 is half of the new Sendmail install - the submission function runs as a
separate process listening on its own !25 port.

 Also, what's the name of that app that basically makes all ports appear
 open and logs connection attempts?

I think you just described IIS and Exchange, except that they don't log so
well...
-- 
Kirk Strauser

94 outdated ports on the box,
 94 outdated ports.
 Portupgrade one, an hour 'til done,
 82 outdated ports on the box.




RE: Running processes...

2004-02-14 Thread JJB
This port map is only showing you what ports are open to accept
start requests from the public internet. Looks like you are using
IPFW with stateless rules, which just provides a very basic level
of security. Use stateful rules with 'out' and 'via' keywords to
separate your firewall into outbound control, where you allow all
these ports listed below out to the public internet. Then for the
inbound side use stateful rules with 'in' and 'via' keywords,
allowing in only the ports that you have servers running on. That
will close all those listed ports to inbound availability. If you
have a LAN behind your gateway and are using ipfw with the divert rule
(a legacy subroutine call to userland natd), then stateful rules do not
work because of a legacy bug in the basic concept design of this
process.  Use IPFILTER; its stateful rules work in a NATed environment
and as such provide a much higher level of security than IPFW can
provide in a NATed environment.  I have an IPFILTER sample rule set if
you are interested.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric F
Crist
Sent: Saturday, February 14, 2004 7:43 AM
To: FreeBSD questions List
Subject: Running processes...

Hello list,

Which of the processes can I safely block from the internet via ipfw?
Here's an nmap output from one of my servers.  I would really like to
tame this down:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-14 06:41 CST
Interesting ports on localhost (127.0.0.1):
(The 1646 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
443/tcp  open  https
587/tcp  open  submission
783/tcp  open  hp-alarm-mgr
3306/tcp open  mysql
6667/tcp open  irc
6668/tcp open  irc
/tcp open  abyss

Nmap run completed -- 1 IP address (1 host up) scanned in 9.730 seconds

Port  is an irc port for server connections, for anyone who's wondering
what that's doing there.  I mainly need to get rid of 783, 587.  What are
those anyways?  Also, what's the name of that app that basically makes all
ports appear open and logs connection attempts?  Thanks.
--
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588



Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 10:26 am, JJB wrote:
 This port map is only showing you what ports are open to accept
 start requests from the public internet. Looks like you are using
 IPFW with stateless rules, which just provides a very basic level
 of security. Use stateful rules with 'out' and 'via' keywords to
 separate your firewall into outbound control, where you allow all
 these ports listed below out to the public internet. Then for the
 inbound side use stateful rules with 'in' and 'via' keywords,
 allowing in only the ports that you have servers running on. That
 will close all those listed ports to inbound availability. If you
 have a LAN behind your gateway and are using ipfw with the divert rule
 (a legacy subroutine call to userland natd), then stateful rules do not
 work because of a legacy bug in the basic concept design of this
 process.  Use IPFILTER; its stateful rules work in a NATed environment
 and as such provide a much higher level of security than IPFW can
 provide in a NATed environment.  I have an IPFILTER sample rule set if
 you are interested.

Thanks for the reply.  This is not a NATed environment.  For the time being, 
I've got DSL with a /29 network.  I'm running DNS, Mail, etc right from my 
own box.  I guess my question was, what are those two services I listed?  
Submission and hp-alarm-mgr?  Are there any ipfw rules that I SHOULD set?  
Here's my current ruleset:

00100 1622 256612 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00600 3931 501305 allow ip from any to any
65535    0      0 deny ip from any to any

This is obviously a very wide-open server right now.  I'm guessing I should 
add some rules like the following?

change 0600 to allow ip from any to any established
add allow ip from any to server ip address port mail
add allow ip from any to server ip address port ftp
add allow ip from any to server ip address port irc1
add allow ip from any to server ip address port irc2
add allow ip from any to server ip address port irc3
add allow ip from any to server ip address port ssh
add allow ip from any to server ip address port dns
add allow ip from any to server ip address port 110
add allow ip from any to server ip address port 443
add deny ip from any to server ip address via dc0 port mysql
add deny ip from any to server ip address

The mysql, I assume, since the only thing accessing it should be my local web 
server, I don't need it to have public (inet) access?

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 10:45 am, Eric F Crist wrote:

Forgot to mention, in regards to my basic network structure: as I've got 5 
usable IP addresses, I've got a Linksys wifi/router that does my basic 
network needs.  i.e. my laptop is connected via wifi and they all share a 
private network (192.168.1.x), so that I'm not using real address space in 
the event of a LAN party, that sort of thing.  There are three other servers 
(two running, third on its way) with public, static IP addresses.  This still 
leaves one free.  The other two boxes are co-los for friends, and they're 
responsible for their own security.  They want to learn FreeBSD on their 
own, so I'm going to let them. ;)  

As such, this is a firewall for my main server only.  

Again, thanks greatly to everyone who spends the time to help people on this 
list!
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: Running processes...

2004-02-14 Thread Kevin D. Kinsey, DaleCo, S.P.
Eric F Crist wrote:

 On Saturday 14 February 2004 10:26 am, JJB wrote:

  This port map is only showing you what ports are open to accept
  start requests from the public internet. Looks like you are using
  IPFW with stateless rules, which just provides a very basic level
  of security. Use stateful rules with 'out' and 'via' keywords to
  separate your firewall into outbound control, where you allow all
  these ports listed below out to the public internet. Then for the
  inbound side use stateful rules with 'in' and 'via' keywords,
  allowing in only the ports that you have servers running on. That
  will close all those listed ports to inbound availability. If you
  have a LAN behind your gateway and are using ipfw with the divert rule
  (a legacy subroutine call to userland natd), then stateful rules do not
  work because of a legacy bug in the basic concept design of this
  process.  Use IPFILTER; its stateful rules work in a NATed environment
  and as such provide a much higher level of security than IPFW can
  provide in a NATed environment.  I have an IPFILTER sample rule set if
  you are interested.

 Thanks for the reply.  This is not a NATed environment.  For the time being,
 I've got DSL with a /29 network.  I'm running DNS, Mail, etc right from my
 own box.  I guess my question was, what are those two services I listed?
 Submission and hp-alarm-mgr?  Are there any ipfw rules that I SHOULD set?
 Here's my current ruleset:

 00100 1622 256612 allow ip from any to any via lo0
 00200    0      0 deny ip from any to 127.0.0.0/8
 00300    0      0 deny ip from 127.0.0.0/8 to any
 00600 3931 501305 allow ip from any to any
 65535    0      0 deny ip from any to any

 This is obviously a very wide-open server right now.  I'm guessing I should
 add some rules like the following?

 change 0600 to allow ip from any to any established
 add allow ip from any to server ip address port mail
 add allow ip from any to server ip address port ftp
 add allow ip from any to server ip address port irc1
 add allow ip from any to server ip address port irc2
 add allow ip from any to server ip address port irc3
 add allow ip from any to server ip address port ssh
 add allow ip from any to server ip address port dns
 add allow ip from any to server ip address port 110
 add allow ip from any to server ip address port 443
 add deny ip from any to server ip address via dc0 port mysql
 add deny ip from any to server ip address

 The mysql, I assume, since the only thing accessing it should be my local web
 server, I don't need it to have public (inet) access?


Sample FTP/SMTP/DNS/HTTP entry (${me} is the host's address, ${oif} its
outside interface):

   add allow tcp from any to ${me} in via ${oif} 22 setup
   add allow tcp from any to ${me} in via ${oif} 25 setup
   add allow tcp from any to ${me} in via ${oif} 53 setup
   add allow tcp from any to ${me} in via ${oif} 80 setup

These must be paired with, later in list:

   add allow tcp from any to ${me} established

HTH,

Kevin Kinsey
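As an added example (my script, not code from Kevin's post or from anyone else in the thread), here is the setup/established pattern above turned into a complete stateless ruleset for the services the scanned host runs. In ipfw, `setup` matches TCP packets with SYN set and ACK clear, i.e. only the first packet of a new connection, and `established` matches packets with ACK or RST set, i.e. everything after it; that is why the two rules are paired, with `established` later in the list. The interface name `dc0`, the address `192.0.2.10` and the dry-run wrapper are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateless ipfw ruleset in the
# setup/established style shown above, for the services the scanned host runs.
# Assumptions (hypothetical): outside interface dc0, host address 192.0.2.10.
# Dry-run by default (rules are printed); APPLY=1 loads them with ipfw(8).

ME=${ME:-192.0.2.10}
OIF=${OIF:-dc0}
SERVICES=${SERVICES:-"21 22 25 53 80 110 443 587 6667 6668"}

rule() {
    if [ "${APPLY:-0}" = 1 ]; then ipfw add "$@"; else echo "add $*"; fi
}

build_stateless_ruleset() {
    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any
    # Everything this host originates may leave.
    rule 400 allow ip from "$ME" to any out xmit "$OIF"
    # Inbound: only the opening SYN ("setup" = SYN set, ACK clear) to a
    # listening service. The port belongs on the destination side; a rule
    # written "from any 22 to me" matches the peer's SOURCE port and would let
    # anyone who binds source port 22 reach every port on the host.
    n=500
    for p in $SERVICES; do
        rule $n allow tcp from any to "$ME" "$p" in via "$OIF" setup
        n=$((n + 100))
    done
    # DNS: queries to our server, and (a stateless compromise) replies to our
    # own lookups; a stateful rule would do this without trusting source port 53.
    rule $n allow udp from any to "$ME" 53 in via "$OIF";       n=$((n + 100))
    rule $n allow udp from any 53 to "$ME" in via "$OIF";       n=$((n + 100))
    # MySQL is for the local web server only; lo0 traffic passed at rule 100.
    # This deny sits BEFORE "established" because that keyword accepts any
    # packet with ACK or RST set, exactly what an nmap ACK scan sends.
    rule $n deny log tcp from any to "$ME" 3306 in via "$OIF";  n=$((n + 100))
    # Later in the list, as the post says: the rest of each accepted connection.
    rule $n allow tcp from any to "$ME" established;            n=$((n + 100))
    rule $n deny log ip from any to any
}

# Does the generated ruleset accept new connections to TCP port $1 from outside?
opens_inbound() {
    build_stateless_ruleset | grep -q "allow tcp from any to $ME $1 in via $OIF setup"
}

build_stateless_ruleset
```

Two checks worth doing before trusting the scan that started this thread: it was run against 127.0.0.1, so it also lists services bound only to loopback; scan the public address from another host to see what the internet sees, and run `sockstat -4l` on the box to learn which process owns each port. nmap's SERVICE column is a lookup in its nmap-services table, not a fingerprint: 783 is listed there as hp-alarm-mgr, but it is also the default port of SpamAssassin's spamd.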


Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 11:51 am, Kevin D. Kinsey, DaleCo, S.P. wrote:
 Sample FTP/SMTP/DNS/HTTP entry:

 add allow tcp from any to ${me} in via ${oif} 22 setup
 add allow tcp from any to ${me} in via ${oif} 25 setup
 add allow tcp from any to ${me} in via ${oif} 53 setup
 add allow tcp from any to ${me} in via ${oif} 80 setup

 These must be paired with, later in list:

 add allow tcp from any to ${me} established

What does the setup do in these statements?

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Eric F Crist
Hello all,

I've got the following ruleset, but I can't ssh into my server anymore.  What 
did I miss?

grog# ipfw show
00100   0 0 allow ip from any to any via lo0
00200   0 0 deny ip from any to 127.0.0.0/8
00300   0 0 deny ip from 127.0.0.0/8 to any
00400   7  1562 allow ip from 1.2.3.4/29 to me
00500   0 0 allow ip from any 22 to me
00600   0 0 allow ip from any 21 to me
00700   0 0 allow ip from any 25 to me
00800   0 0 allow ip from any 80 to me
00900   0 0 allow ip from any 443 to me
01000   0 0 allow ip from any 110 to me
01100   0 0 allow ip from any 53 to me
01200   0 0 allow ip from any 6667 to me
01300   0 0 allow ip from any 6668 to me
01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
65535 101 13960 deny ip from any to any

Thanks.

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Erik Trulsson
On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
 Hello all,
 
 I've got the following ruleset, but I can't ssh into my server anymore.  What 
 did I miss?

You missed allowing IP packets going from your server to the outside.
You only allow packets from the outside to you.

I also think you might have misplaced the port numbers.
As it is you allow connections *from* port 25 (etc.) on the outside to
any port on your machine. I believe you want it the other way around
(i.e. allowing connections *to* port 25 on your machine from anywhere on
the outside.)

 
 grog# ipfw show
 00100   0 0 allow ip from any to any via lo0
 00200   0 0 deny ip from any to 127.0.0.0/8
 00300   0 0 deny ip from 127.0.0.0/8 to any
 00400   7  1562 allow ip from 1.2.3.4/29 to me
 00500   0 0 allow ip from any 22 to me
 00600   0 0 allow ip from any 21 to me
 00700   0 0 allow ip from any 25 to me
 00800   0 0 allow ip from any 80 to me
 00900   0 0 allow ip from any 443 to me
 01000   0 0 allow ip from any 110 to me
 01100   0 0 allow ip from any 53 to me
 01200   0 0 allow ip from any 6667 to me
 01300   0 0 allow ip from any 6668 to me
 01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
 65535 101 13960 deny ip from any to any
 
 Thanks.
 
 -- 
 Eric F Crist
 AdTech Integrated Systems, Inc
 (612) 998-3588



-- 
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]
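As an added example (my script, not from the thread), the following checks an `ipfw show` listing for the two problems Erik names. The second one matters for security as well as for connectivity: in ipfw a port written after the source address is a source-port match, so `allow ip from any 22 to me` never matches a real SSH client (clients use ephemeral source ports) but does admit anyone who binds local port 22 to every port on the host. The input is the listing Eric posted, embedded here so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an `ipfw show` listing for
# (1) ports written on the source side and (2) a missing outbound allow.
# RULESET is the listing posted in the thread, embedded so this runs offline.

RULESET='00100   0 0 allow ip from any to any via lo0
00200   0 0 deny ip from any to 127.0.0.0/8
00300   0 0 deny ip from 127.0.0.0/8 to any
00400   7  1562 allow ip from 1.2.3.4/29 to me
00500   0 0 allow ip from any 22 to me
00600   0 0 allow ip from any 21 to me
00700   0 0 allow ip from any 25 to me
00800   0 0 allow ip from any 80 to me
00900   0 0 allow ip from any 443 to me
01000   0 0 allow ip from any 110 to me
01100   0 0 allow ip from any 53 to me
01200   0 0 allow ip from any 6667 to me
01300   0 0 allow ip from any 6668 to me
01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
65535 101 13960 deny ip from any to any'

# Reads an `ipfw show` listing on stdin and prints one finding per line, or
# "ok". `ipfw show` columns: rule number, packet count, byte count, rule body.
lint_ruleset() {
    awk '
    # A port after the source address is a SOURCE-port match: the peer picks
    # it, so "from any 22 to me" admits anyone using source port 22 to every
    # port on this host, and does nothing for real SSH clients.
    $4 == "allow" && /from any [0-9]+ to me/ {
        match($0, /from any [0-9]+/)
        port = substr($0, RSTART + 9, RLENGTH - 9)
        printf "rule %s: matches source port %s, not a service; write \"from any to me %s\"\n", $1, port, port
        bad++
    }
    # Without an outbound allow, replies and the hosts own connections die at
    # the default deny (rule 65535).
    $4 == "allow" && (/from me to/ || / out /) { outbound++ }
    END {
        if (!outbound) { print "no rule allows packets out of the host"; bad++ }
        if (!bad) print "ok"
    }'
}

echo "$RULESET" | lint_ruleset
```

On a live host: `ipfw show | lint_ruleset`. The script only knows the two mistakes from this thread; it says "ok" for a ruleset that is merely free of them, not for one that is tight.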


Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Eric F Crist
On Saturday 14 February 2004 12:58 pm, Erik Trulsson wrote:
 On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
  Hello all,
 
  I've got the following ruleset, but I can't ssh into my server anymore. 
  What did I miss?

 You missed allowing IP packets going from your server to the outside.
 You only allow packets from the outside to you.

 I also think you might have misplaced the port numbers.
 As it is you allow connections *from* port 25 (etc.) on the outside to
 any port on your machine. I believe you want it the other way around
 (i.e. allowing connections *to* port 25 on your machine from anywhere on
 the outside.)

  grog# ipfw show
  00100   0 0 allow ip from any to any via lo0
  00200   0 0 deny ip from any to 127.0.0.0/8
  00300   0 0 deny ip from 127.0.0.0/8 to any
  00400   7  1562 allow ip from 1.2.3.4/29 to me
  00500   0 0 allow ip from any 22 to me
  00600   0 0 allow ip from any 21 to me
  00700   0 0 allow ip from any 25 to me
  00800   0 0 allow ip from any 80 to me
  00900   0 0 allow ip from any 443 to me
  01000   0 0 allow ip from any 110 to me
  01100   0 0 allow ip from any 53 to me
  01200   0 0 allow ip from any 6667 to me
  01300   0 0 allow ip from any 6668 to me
  01400   0 0 deny ip from not 1.2.3.4/29 8080 to me
  65535 101 13960 deny ip from any to any
 
  Thanks.
 
  --
  Eric F Crist
  AdTech Integrated Systems, Inc
  (612) 998-3588

Hey, thanks!  I changed all the rules so they read:

allow ip from any to me port

and added the rule:

allow ip from me to any at rule 50

All seems to work now!  Does anyone have any suggestions on how to make this 
system even tighter?  Thanks.
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: IPFW ruleset not working... advice? WAS Re: Running processes...

2004-02-14 Thread Matthew Seaman
On Sat, Feb 14, 2004 at 01:15:07PM -0600, Eric F Crist wrote:

 Hey, thanks!  I changed all the rules so they read:
 
 allow ip from any to me port
 
 and added the rule:
 
 allow ip from me to any at rule 50
 
 All seems to work now!  Does anyone have any suggestions on how to make this 
 system even tighter?  Thanks.

Yes.  Use the stateful rules feature.  Instead of opening up outgoing
packets to everywhere, the keep-state rules dynamically open up a
point to point connection that remains open while traffic is flowing
between the two systems, and times out after traffic stops or the
connection is closed.

A very minimal partial ruleset to allow incoming SSH, HTTP, HTTPS,
SMTP and outgoing DNS lookups would look like:

00100 check-state
00200 deny log tcp from any to any established
00300 allow tcp from any to me 22,25,80,443 keep-state in recv fxp0
00400 allow udp from me to any 53 out xmit fxp0
00500 deny log ip from any to any

[The 'in recv fxp0' and 'out xmit fxp0' stuff is optional: all it does
is filter packets according to what interface they are traversing and
in what direction.  Remember to substitute the correct device name for
your network interface.]

Although at first sight, this would appear to block all tcp traffic
except for the first 'SYN' packet, and not permit any incoming UDP
traffic at all, the 'keep-state' flag in rules 00300 and 00400
generates dynamic rules that permit packets to flow in response to the
packet that triggered them.  Those rules are effectively inserted into
the ruleset at the 'check-state' line (or at the first occurring
'limit' or 'keep-state' line).  Use 'ipfw -d list' to show all active
dynamic rules.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK


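As an added example (my script, not Matthew's code), here is his five-rule skeleton extended to every service the scanned host runs, in the same check-state/keep-state style. The interface `fxp0`, the address `192.0.2.10`, the dry-run wrapper and the `limit src-addr 10` on SSH (a cap on concurrent sessions per source address, my addition) are assumptions for the example. Rule 500 is the trick from the post: with state tracking in place, any ACK/RST packet that matched no dynamic rule cannot belong to an accepted connection, so it can be dropped and logged instead of reaching the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful ipfw ruleset in the
# check-state / keep-state style described above, for the services the scanned
# host runs. Assumptions (hypothetical): outside interface fxp0, host address
# 192.0.2.10. Dry-run by default (rules are printed); APPLY=1 loads them.

ME=${ME:-192.0.2.10}
OIF=${OIF:-fxp0}
PUBLIC_TCP=${PUBLIC_TCP:-"21 25 53 80 110 443 587 6667 6668"}

rule() {
    if [ "${APPLY:-0}" = 1 ]; then ipfw add "$@"; else echo "add $*"; fi
}

build_stateful_ruleset() {
    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any
    # Dynamic rules created by keep-state/limit are matched here.
    rule 400 check-state
    # A packet with ACK or RST set that matched no dynamic rule is not part of a
    # connection we accepted (e.g. an nmap ACK scan): drop and log it.
    rule 500 deny log tcp from any to any established
    # Traffic this host originates: one dynamic rule per flow; replies come back
    # through check-state, so no blanket "allow ... established" is needed.
    rule 600 allow tcp from "$ME" to any out xmit "$OIF" setup keep-state
    rule 700 allow udp from "$ME" to any out xmit "$OIF" keep-state
    rule 800 allow icmp from "$ME" to any out xmit "$OIF" keep-state
    # Public services: only the opening SYN is matched; the state entry does
    # the rest. SSH uses "limit" so one source can hold at most 10 sessions.
    rule 900 allow tcp from any to "$ME" 22 in recv "$OIF" setup limit src-addr 10
    rule 1000 allow tcp from any to "$ME" "$(echo $PUBLIC_TCP | tr ' ' ',')" in recv "$OIF" setup keep-state
    rule 1100 allow udp from any to "$ME" 53 in recv "$OIF" keep-state
    # MySQL is for the local web server only (lo0 passed at rule 100).
    rule 1200 deny log tcp from any to "$ME" 3306 in recv "$OIF"
    # Only the ICMP we need: unreachable (PMTU discovery), echo, time exceeded.
    rule 1300 allow icmp from any to "$ME" in recv "$OIF" icmptypes 3,8,11
    rule 1400 deny log ip from any to any
}

# Does the generated ruleset accept new connections to TCP port $1 from outside?
publicly_open() {
    build_stateful_ruleset | grep "allow tcp from any to $ME " | grep -q "[ ,]$1[ ,]"
}

build_stateful_ruleset
```

After loading, `ipfw -d list` shows the dynamic entries as they come and go; their lifetimes and the table size are the `net.inet.ip.fw.dyn_ack_lifetime`, `net.inet.ip.fw.dyn_udp_lifetime` and `net.inet.ip.fw.dyn_max` sysctls, which is what bounds the state a flood of SYNs can make the firewall hold.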


Re: Running processes as non-root...

2003-11-26 Thread Jean-Baptiste Quenot
* Xpression:

 Hi list, I've recently installed some services (WWW, Proxy, FTP) on a
 FreeBSD-4.8 server.  I read all the documentation about running processes
 as non-root, and I agree with it, but every process is still running with
 some user and group, and each one has one process running as root.  Is
 this ok, or did I miss something?  Thanks...

Usually there is one process owned by root that is used for critical
operations, but the others are forked from it and have their owner
switched, to user 'www' in the case of Apache.  To be able to write the
log files, to switch user, and for a few more operations, this is indeed
done as root.  All child processes are typically non-root.

Cheers,
-- 
Jean-Baptiste Quenot
http://caraldi.com/jbq/


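As an added example (my script, not from the thread), the layout described above can be checked from a process listing: for each daemon started by init, report who owns the master and who owns its children, and flag a daemon whose children never dropped root. The listing below is constructed sample data, not taken from a real host; on a live FreeBSD box the same function reads `ps -axo user,pid,ppid,command`.

```shell
#!/bin/sh
# Added example, not code from the thread: check which daemons follow the
# root-master / unprivileged-worker layout, from `ps -axo user,pid,ppid,command`
# output. SAMPLE is constructed sample data, not taken from a real host.

SAMPLE='USER   PID PPID COMMAND
root     1    0 /sbin/init
root   312    1 /usr/local/sbin/httpd
www    315  312 /usr/local/sbin/httpd
www    316  312 /usr/local/sbin/httpd
root   402    1 /usr/sbin/sshd
root   520    1 /usr/local/sbin/squid
root   521  520 /usr/local/sbin/squid'

# Reads the ps listing on stdin. For every process whose parent is init
# (PID 1), prints its owner, the owners of its children, and a verdict.
# A heuristic: a master with no children is just waiting for connections.
privsep_report() {
    awk '
    NR == 1 { next }                         # column header
    { user[$2] = $1; parent[$2] = $3; cmd[$2] = $4 }
    END {
        for (p in user) {
            if (parent[p] != 1 || p == 1) continue
            split("", seen); workers = ""
            for (c in user) {
                if (parent[c] != p || (user[c] in seen)) continue
                seen[user[c]] = 1
                workers = workers (workers == "" ? "" : ",") user[c]
            }
            name = cmd[p]; sub(/.*\//, "", name)
            if (workers == "") {
                verdict = "no workers (single process as " user[p] ")"
            } else if (workers == user[p]) {
                verdict = "workers run as " user[p] ", no privilege drop"
            } else {
                verdict = "ok"
            }
            printf "%s: master=%s workers=%s %s\n", name, user[p],
                   (workers == "" ? "-" : workers), verdict
        }
    }'
}

echo "$SAMPLE" | privsep_report
```

Pair the report with `sockstat -4l` to see which of these processes actually hold listening sockets: the root master is expected to own the privileged port, and the workers are the processes that should be handling client data.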