Re: [SLUG] Question about firewalls and ports.

From: Russell Hires (rhires@earthlink.net)
Date: Tue Apr 23 2002 - 20:52:01 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, for certain ports you turn things off. Such as telnet. (Port 23) No
service, no getting through. Doesn't matter what your firewall rules are.

Did you look at the link I sent in my previous email? Did that make sense?
The information below is useful to know, since you're responsible for your
security policy, and like some other things, the more you know, the better it
is.

Have you checked the Firewall Howto at the Linux Documentation Project?

Russell

On Tuesday 23 April 2002 19:49 pm, you wrote:
> That is great but how do I block them from being used? I know that the
> firewall can be setup to block stuff but do I have so specify all the ports
> or just the ones that I want to go in and out?
>
> William
>
> -----Original Message-----
> From: slug@lists.nks.net [mailto:slug@lists.nks.net]On Behalf Of Ian C.
> Blenke
> Sent: Monday, April 22, 2002 7:34 AM
> To: slug@nks.net
> Subject: Re: [SLUG] Question about firewalls and ports.
>
> On Mon, 2002-04-22 at 12:00, William R Coulter wrote:
> > I am kinda young in the LINUX world and I have lots of questions to ask.
> > So, I thought this was the best place to ask them.
> >
> > I know that Red Hat comes with a firewall. When you activate it how do
>
> you
>
> > know the firewall is blocking all of the ports. For example, if you want
>
> to
>
> > block people from ftping to or from your site you tell the firewall to
>
> block
>
> > ports 22 and 23 (something like that).
>
> FTP uses TCP port 21 for the command channel, and port 20 for the data
> channel
>
> SSH uses TCP port 22, and Telnet uses TCP port 23.
>
> For a pretty comprehensive list of UDP/TCP ports, check out
> /etc/services, or browse through iana.org for a full list of protocols
> and ports (RFC1700 is a pretty good list, but it's old. per RFC3232, the
> full list of ports is "in a database" on the iana.org website).
>
> http://www.iana.org
>
> > I understand that but what I don't
> > understand is that there are more ports that are being used by the system
> > and the system is waiting for a call by the programs using the ports.
>
> Programs "listen" on ports. The easiest way to see what ports your
> machine is listening on is to run netstat or lsof:
>
> $ netstat -an | grep LISTEN | less
> or
> $ lsof -i -n | grep LISTEN | less
>
> Netstat runs on just about anything with an IP stack (including
> Windows!) You may need to install lsof on your Linux distribution - it's
> usually an optional package.
>
> > So,
> > how do you know that ALL the ports are being blocked so that ONLY valid
> > usage is being used and no hackers in your system?
>
> Well, it depends on your kernel and which IP filtering toolset you are
> using.
>
> Linux 2.0 kernels use "ipfwadm"
> Linux 2.2 kernels use "ipchains"
> Linux 2.4 kernels use "iptables" (aka NetFilter)
>
> Each method of IP filtering requires a different command line syntax:
>
> $ ipfwadm -I -l
> $ ipfwadm -O -l
> $ ipfwadm -F -l
> $ ipfwadm -M -l
> or
> $ ipchains -L -n
> or
> $ ipfilter -L -n
>
> These commands will list your current IP filtering rules.
>
> Testing wether a port is blocked or not depends on the IP filtering
> method as well:
>
> To test wether inbound FTP is blocked, you might use:
>
> $ ipfwadm -c -I -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 21 -y
>
> $ ipchains -C -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP 21 -y
>
> AFAIK, iptables doesn't implement a check option yet.
>
> The *best* way to test your firewall, however, is to run nmap or another
> port scanner from the outside. It also helps to try some esoteric
> firewalking tools and other intensive traffic spoofers to see if your
> rulesets hold up.
>
> Don't get me wrong, true Firewalling can be a real chore - and it's not
> something simple that everyone can understand without a great deal of
> effort. Even so called Firewall eperts can really muck up a firewall
> accidentally without realizing it.
>
> - Ian C. Blenke <icblenke@nks.net> <ian@blenke.com>
> http://ian.blenke.com

- --
Linux -- the OS for the Renaissance Man
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8xgGxAqKGrvVshJQRAsSRAJ9JyqsGq4rhVQrcLkYUfgql17s6IgCfdRhk
nbXmjnftXVUzTGIhSrByTww=
=Avac
-----END PGP SIGNATURE-----

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:29:02 EDT