Re: [SLUG] Question about firewalls and ports.

From: Ian C. Blenke (icblenke@nks.net)
Date: Mon Apr 22 2002 - 10:34:07 EDT


On Mon, 2002-04-22 at 12:00, William R Coulter wrote:
> I am kinda young in the LINUX world and I have lots of questions to ask.
> So, I thought this was the best place to ask them.
>
> I know that Red Hat comes with a firewall. When you activate it how do you
> know the firewall is blocking all of the ports. For example, if you want to
> block people from ftping to or from your site you tell the firewall to block
> ports 22 and 23 (something like that).

FTP uses TCP port 21 for the command channel, and port 20 for the data
channel.

SSH uses TCP port 22, and Telnet uses TCP port 23.

For a pretty comprehensive list of UDP/TCP ports, check out
/etc/services, or browse through iana.org for a full list of protocols
and ports (RFC1700 is a pretty good list, but it's old. per RFC3232, the
full list of ports is "in a database" on the iana.org website).

        http://www.iana.org

> I understand that but what I don't
> understand is that there are more ports that are being used by the system
> and the system is waiting for a call by the programs using the ports.

Programs "listen" on ports. The easiest way to see what ports your
machine is listening on is to run netstat or lsof:

        $ netstat -an | grep LISTEN | less
or
        $ lsof -i -n | grep LISTEN | less

Netstat runs on just about anything with an IP stack (including
Windows!). You may need to install lsof on your Linux distribution - it's
usually an optional package.
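As an added example (not part of Ian's reply), here is a small Python parser for the `netstat -an` output he refers to. It picks out the sockets a machine is waiting on, and then reports those bound to every interface that are not on an allowlist you supply; the sample output and the allowlist are constructed for illustration. Note that `grep LISTEN` alone misses UDP sockets, since netstat prints no state for them, so the parser counts every bound UDP socket as a listener.

```python
from dataclasses import dataclass

# Constructed sample of `netstat -an` output on Linux (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"
    addr: str   # local address the socket is bound to
    port: int


def parse_listeners(netstat_output):
    """Return the set of sockets waiting for connections or datagrams."""
    listeners = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, column header, or unix-domain socket line
        proto = fields[0][:3]          # "tcp6" -> "tcp"
        local = fields[3]
        state = fields[5] if len(fields) > 5 else ""
        # A TCP socket is a listener only in state LISTEN; netstat prints no
        # state for UDP, so every bound UDP socket counts as one.
        if proto == "tcp" and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")  # handles "0.0.0.0:22" and ":::80"
        listeners.add(Listener(proto, addr, int(port)))
    return listeners


# Addresses meaning "bound on all interfaces", i.e. reachable from outside.
WILDCARDS = {"0.0.0.0", "::"}


def exposed_listeners(listeners, allowed):
    """Listeners on all interfaces whose (proto, port) is not in the allowlist."""
    return {l for l in listeners
            if l.addr in WILDCARDS and (l.proto, l.port) not in allowed}


if __name__ == "__main__":
    for l in sorted(exposed_listeners(parse_listeners(SAMPLE_NETSTAT), {("tcp", 22)}),
                    key=lambda l: (l.proto, l.port)):
        print(f"unexpected listener: {l.proto}/{l.port} on {l.addr}")
```

Anything this prints is a service that is reachable unless your packet filter blocks it, which is the question the rest of the reply addresses.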

> So,
> how do you know that ALL the ports are being blocked so that ONLY valid
> usage is being used and no hackers in your system?

Well, it depends on your kernel and which IP filtering toolset you are
using.

Linux 2.0 kernels use "ipfwadm"
Linux 2.2 kernels use "ipchains"
Linux 2.4 kernels use "iptables" (aka NetFilter)

Each method of IP filtering requires a different command line syntax:

        $ ipfwadm -I -l
        $ ipfwadm -O -l
        $ ipfwadm -F -l
        $ ipfwadm -M -l
or
        $ ipchains -L -n
or
        $ iptables -L -n

These commands will list your current IP filtering rules.

Testing whether a port is blocked or not depends on the IP filtering
method as well:

To test whether inbound FTP is blocked, you might use:

        $ ipfwadm -c -I -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 21 -y

        $ ipchains -C -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP 21 -y

AFAIK, iptables doesn't implement a check option yet.

The *best* way to test your firewall, however, is to run nmap or another
port scanner from the outside. It also helps to try some esoteric
firewalking tools and other intensive traffic spoofers to see if your
rulesets hold up.

Don't get me wrong, true Firewalling can be a real chore - and it's not
something simple that everyone can understand without a great deal of
effort. Even so-called Firewall experts can really muck up a firewall
accidentally without realizing it.

- Ian C. Blenke <icblenke@nks.net> <ian@blenke.com>
http://ian.blenke.com



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:25:03 EDT