RE: [SLUG] Question about firewalls and ports.

From: William Reed Coulter (wreedc@mindspring.com)
Date: Tue Apr 23 2002 - 19:49:26 EDT


That is great, but how do I block them from being used? I know that the
firewall can be set up to block stuff, but do I have to specify all the ports
or just the ones that I want to go in and out?

William

-----Original Message-----
From: slug@lists.nks.net [mailto:slug@lists.nks.net] On Behalf Of Ian C. Blenke
Sent: Monday, April 22, 2002 7:34 AM
To: slug@nks.net
Subject: Re: [SLUG] Question about firewalls and ports.

On Mon, 2002-04-22 at 12:00, William R Coulter wrote:
> I am kinda young in the LINUX world and I have lots of questions to ask.
> So, I thought this was the best place to ask them.
>
> I know that Red Hat comes with a firewall. When you activate it, how do you
> know the firewall is blocking all of the ports? For example, if you want to
> block people from ftping to or from your site, you tell the firewall to block
> ports 22 and 23 (something like that).

FTP uses TCP port 21 for the command channel, and port 20 for the data
channel.

SSH uses TCP port 22, and Telnet uses TCP port 23.

For a pretty comprehensive list of UDP/TCP ports, check out
/etc/services, or browse through iana.org for a full list of protocols
and ports (RFC1700 is a pretty good list, but it's old. Per RFC3232, the
full list of ports is "in a database" on the iana.org website).

        http://www.iana.org

> I understand that but what I don't
> understand is that there are more ports that are being used by the system
> and the system is waiting for a call by the programs using the ports.

Programs "listen" on ports. The easiest way to see what ports your
machine is listening on is to run netstat or lsof:

        $ netstat -an | grep LISTEN | less
or
        $ lsof -i -n | grep LISTEN | less

Netstat runs on just about anything with an IP stack (including
Windows!). You may need to install lsof on your Linux distribution - it's
usually an optional package.

> So,
> how do you know that ALL the ports are being blocked so that ONLY valid
> usage is being used and no hackers in your system?

Well, it depends on your kernel and which IP filtering toolset you are
using.

Linux 2.0 kernels use "ipfwadm"
Linux 2.2 kernels use "ipchains"
Linux 2.4 kernels use "iptables" (aka NetFilter)

Each method of IP filtering requires a different command line syntax:

        $ ipfwadm -I -l
        $ ipfwadm -O -l
        $ ipfwadm -F -l
        $ ipfwadm -M -l
or
        $ ipchains -L -n
or
        $ iptables -L -n

These commands will list your current IP filtering rules.

Testing whether a port is blocked or not depends on the IP filtering
method as well:

To test whether inbound FTP is blocked, you might use:

        $ ipfwadm -c -I -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 21 -y

        $ ipchains -C -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP 21 -y

AFAIK, iptables doesn't implement a check option yet.

The *best* way to test your firewall, however, is to run nmap or another
port scanner from the outside. It also helps to try some esoteric
firewalking tools and other intensive traffic spoofers to see if your
rulesets hold up.

Don't get me wrong, true firewalling can be a real chore - and it's not
something simple that everyone can understand without a great deal of
effort. Even so-called firewall experts can really muck up a firewall
accidentally without realizing it.

- Ian C. Blenke <icblenke@nks.net> <ian@blenke.com>
http://ian.blenke.com
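The mechanics behind William's follow-up question ("do I have to specify all the ports?"), as an added example that is not part of the original thread and is neither Ian's nor William's code. It parses `netstat -an` output (a constructed sample is embedded in place of a real run), reports listeners that are not on your allow list, and then builds an iptables ruleset whose INPUT policy is DROP, so only the ports you name are opened and everything else is blocked implicitly. It assumes a 2.4-era or later kernel with iptables and the `state` match; the function names and the `IPT` variable are mine. Rules are echoed rather than applied unless you run it as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example (not from the original thread): audit what is listening,
# then build a default-deny iptables ruleset that opens only named ports.
IPT="${IPT:-echo iptables}"      # dry-run by default; IPT=iptables (as root) applies for real

# Constructed sample of `netstat -an` output, standing in for a real run.
# Note the unix socket line: a bare `grep LISTEN` matches "LISTENING" too.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              10.0.0.5:40112          ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     4521   /dev/log
EOF
}

# listening_ports: read netstat -an output on stdin, print one "proto/port"
# per TCP listener. UDP has no LISTEN state, so a UDP socket with a wildcard
# foreign address (":*") is treated as a listener instead.
listening_ports() {
    awk '
        $1 ~ /^(tcp|tcp6)$/ && $6 == "LISTEN" { n = split($4, a, ":"); print "tcp/" a[n] }
        $1 ~ /^(udp|udp6)$/ && $5 ~ /:\*$/   { n = split($4, a, ":"); print "udp/" a[n] }
    ' | LC_ALL=C sort -u
}

# unexpected_listeners: read "proto/port" lines on stdin and print the ones
# not in the allow list given as arguments. Anything printed is a service
# you did not mean to expose (or at least did not know about).
unexpected_listeners() {
    allow=" $* "
    while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;          # expected service
            *) echo "$svc" ;;
        esac
    done
}

# build_ruleset: default-deny inbound. Only the proto/port pairs given as
# arguments are opened; everything else is dropped by the chain policy, so
# you never have to enumerate the ports you want closed.
build_ruleset() {
    $IPT -F INPUT                       # start from an empty INPUT chain
    $IPT -P INPUT DROP                  # the policy is what blocks "all the other ports"
    $IPT -P FORWARD DROP                # this host is not a router
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT       # local processes may talk to each other
    # replies to connections this host opened, plus helper-tracked related flows
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for svc in "$@"; do
        proto=${svc%/*}
        port=${svc#*/}
        $IPT -A INPUT -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    # log a rate-limited sample of what the policy drops, so probes show in syslog
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Usage: audit first, then generate (or apply) the ruleset.
sample_netstat | listening_ports | unexpected_listeners tcp/21 tcp/22
build_ruleset tcp/22 tcp/21
```

Two caveats when you take this to a real box. Opening port 21 is not enough for FTP: the data channel is a separate connection, so you also need the FTP connection-tracking helper (ip_conntrack_ftp on 2.4) loaded so the ESTABLISHED,RELATED rule accepts it. And the audit above shows what the host thinks it exposes; confirm it from the outside with a full-range scan such as `nmap -sS -p- <host>`, since a listener bound only to 127.0.0.1 (like the port 25 line in the sample) is unreachable from the network anyway.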



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:28:09 EDT