  #1 Member (Join Date Aug 2003, Posts 19)

    IPFW firewall rules for Cpanel on FreeBSD server

    Hi all,

    I have an Opteron FreeBSD server with Cpanel and I'm securing my server using the IPFW firewall.
    I wrote a working draft with some rules you can use to secure your FreeBSD server using IPFW.

    It's only a working draft of rules. Comments and suggestions are REALLY appreciated.

    #!/bin/sh

    # IPFW - Firewall rules for CPANEL servers on FreeBSD
    # (working draft)

    # variables
    ME="your_server_ip_here"
    SSH_PORT="22"
    CMD="ipfw add"

    # flush rules
    ipfw -f flush


    # blocking some attacks

    # RFC 1918 and others illegal subnet
    $CMD deny ip from 0.0.0.0/8 to any
    $CMD deny ip from 10.0.0.0/8 to any
    $CMD deny ip from 169.254.0.0/16 to any # MS dhcp default address
    $CMD deny ip from 172.16.0.0/12 to any
    $CMD deny ip from 192.0.2.0/24 to any # reserved for docs
    $CMD deny ip from 192.168.0.0/16 to any
    $CMD deny ip from 204.152.64.0/23 to any # SUN cluster interconnect
    $CMD deny ip from 240.0.0.0/4 to any

    # blocking illegal routing
    $CMD deny ip from any to any ipoptions rr
    $CMD deny ip from any to any ipoptions ts
    $CMD deny ip from any to any ipoptions lsrr
    $CMD deny ip from any to any ipoptions ssrr

    # blocking operating system type sniffing by Nmap
    $CMD deny tcp from any to any tcpflags syn,fin
    $CMD deny tcp from any to any tcpflags syn,rst

    # blocking others miscellaneous attack
    $CMD deny tcp from any 0 to any
    $CMD deny tcp from any to any 0
    $CMD deny udp from any 0 to any
    $CMD deny udp from any to any 0



    # egress filtering

    # no comment
    $CMD allow ip from $ME to any keep-state

    # no comment
    $CMD deny ip from $ME to any



    # ingress filtering

    # SSH access granted
    $CMD allow tcp from any to $ME $SSH_PORT   # variable name matches the definition above

    # TCP ports for CPANEL
    $CMD allow tcp from any to $ME 20
    $CMD allow tcp from any to $ME 21
    $CMD allow tcp from any to $ME 25
    $CMD allow tcp from any to $ME 53
    $CMD allow tcp from any to $ME 80
    $CMD allow tcp from any to $ME 110
    $CMD allow tcp from any to $ME 143
    $CMD allow tcp from any to $ME 443
    $CMD allow tcp from any to $ME 465
    $CMD allow tcp from any to $ME 993
    $CMD allow tcp from any to $ME 995
    $CMD allow tcp from any to $ME 2082
    $CMD allow tcp from any to $ME 2083
    $CMD allow tcp from any to $ME 2086
    $CMD allow tcp from any to $ME 2087
    $CMD allow tcp from any to $ME 2095
    $CMD allow tcp from any to $ME 2096
    $CMD allow tcp from any to $ME 3306
    $CMD allow tcp from any to $ME 6666

    # UDP ports for CPANEL
    $CMD allow udp from any to $ME 21
    $CMD allow udp from any to $ME 53
    $CMD allow udp from any to $ME 465
    $CMD allow udp from any to $ME 873

    # ICMP types 3,5,8,11,0,30 allowed
    $CMD allow icmp from any to $ME icmptypes 3,5,8,11,0,30

    # deny all others
    $CMD deny log ip from any to $ME

  #2 cPanel Staff (Join Date Mar 2004, Posts 704)

    Very nice

    1) Your second to last command is missing a $ (just FYI)

    2) If you:
    # ipfw enable firewall
    and then run that script, I get a ton of:
    ipfw: getsockopt(IP_FW_ADD): Protocol not available

    You need to compile IPF into your kernel (see FreeBSD and Google for the options you need to use)

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFILTER
    options IPFILTER_LOG
    options TCPDEBUG
    options TCP_DROP_SYNFIN
    #options ICMP_BANDLIM
    options DUMMYNET
    options IPSTEALTH

    http://www.freebsd.org/doc/en_US.ISO...-building.html
    Last edited by cpdan; 02-22-2005 at 05:16 PM.

  #3 cPanel Staff (Join Date Mar 2004, Posts 704)

    Also, I find that adding
    ipfw enable firewall
    before ipfw -f flush for good measure is a good idea, and I like to comment out ports 2082 and 2086 if I want to ensure the login info is all done via SSH.

  #4 cPanel Staff (Join Date Mar 2004, Posts 704)

    If I use the above with port 2086 commented out, I can still connect to http://whatever:2086

    Make sure
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    is not in your kernel, or is commented out.
    Last edited by cpdan; 02-22-2005 at 09:06 PM.

  #5 cPanel Staff (Join Date Mar 2004, Posts 704)

    There are also a few ports missing, just FYI. Have a look at faq.cpanel.net for details.

    Besides that, do those commands work for you? They freeze me out when I try them. The only way to get access back is to go in via the direct console instead of SSH and reboot so that those rules are not applied.

    What kernel options do you have that allow those to work?

  #6 cPanel Staff (Join Date Mar 2004, Posts 704)

    Those rules don't work, do not use them.
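The lock-out described in the two posts above (a deny-by-default ruleset applied over SSH, recoverable only from the console) is the usual failure mode when loading IPFW rules remotely. The following is an added example, not code from this thread or from cPanel: a small POSIX sh loader that refuses a rules file still carrying placeholder values or shell-style $VARIABLES (ipfw reads a rules file literally; in the thread's scripts it is sh, not ipfw, that expands $ME and $CMD), loads it, and arms a watchdog that reopens the firewall after GRACE seconds unless you confirm from a fresh session. The rules-file path, the pid-file path and the IPFW command are assumptions and can be overridden through the environment.

```sh
#!/bin/sh
# Added example (not from the thread or from cPanel): load an ipfw(8) rules
# file over SSH without locking yourself out. The watchdog restores an open
# firewall after $GRACE seconds unless "confirm" is run from a new session.
# Assumptions: the rules file holds one rule per line in the form ipfw(8)
# reads with "ipfw <pathname>" (e.g. "add 100 allow ip from any to any via lo0"),
# and every path/command below may be overridden from the environment.

IPFW="${IPFW:-ipfw}"                                  # command used to talk to the firewall
RULES_FILE="${RULES_FILE:-/etc/ipfw.rules}"           # hypothetical rules file path
GRACE="${GRACE:-120}"                                 # seconds before automatic rollback
WATCHDOG_PID_FILE="${WATCHDOG_PID_FILE:-/var/run/ipfw-watchdog.pid}"

# Refuse a rules file that still carries the thread's placeholder values or a
# shell-style $VARIABLE: ipfw reads the file literally, only sh expands those.
check_rules_file() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    if grep -Eiq 'your_[a-z0-9_]*_here' "$file"; then
        echo "placeholder values left in $file" >&2
        return 1
    fi
    if grep -Eq '\$[A-Za-z_{]' "$file"; then
        echo "unexpanded \$VARIABLE in $file" >&2
        return 1
    fi
    return 0
}

# Wide-open firewall: what the watchdog falls back to, and what you would
# type at the console to recover by hand.
open_firewall() {
    "$IPFW" -q -f flush
    "$IPFW" -q add 65000 allow ip from any to any
}

# Flush the current set and load the file in one go.
load_rules() {
    check_rules_file "$RULES_FILE" || return 1
    "$IPFW" -q -f flush
    "$IPFW" -q "$RULES_FILE"
}

# Background timer: if nobody confirms in time, reopen the firewall.
# Its descriptors are detached so it does not hold a remote session's pipes.
arm_watchdog() {
    ( sleep "$GRACE" && open_firewall ) </dev/null >/dev/null 2>&1 &
    echo $! > "$WATCHDOG_PID_FILE"
}

# Run from the new SSH session once it is known to work: stop the timer.
confirm() {
    [ -r "$WATCHDOG_PID_FILE" ] || { echo "no watchdog armed" >&2; return 1; }
    kill "$(cat "$WATCHDOG_PID_FILE")" 2>/dev/null || echo "watchdog already fired" >&2
    rm -f "$WATCHDOG_PID_FILE"
}

case "${1:-}" in
    load)    load_rules && arm_watchdog &&
             echo "rules loaded; run '$0 confirm' from a new session within ${GRACE}s" ;;
    confirm) confirm ;;
    open)    open_firewall ;;
esac
```

Run it as `sh ipfw-load.sh load`, open a second SSH session, and run `sh ipfw-load.sh confirm` there; if the second session cannot connect, the watchdog flushes the rules and adds a pass-all after the grace period. Killing the watchdog subshell is enough because its `open_firewall` step only runs after `sleep` returns inside that subshell.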

  #7 Member (Join Date Aug 2003, Posts 19)

    New ruleset

    Yes, I will post the new ruleset.
    Try it, if you want.

  #8 Member (Join Date Aug 2003, Posts 19)

    New rules (in Italian, sorry)

    I wrote a new ruleset for IPFW on a Cpanel server. This is only a draft, but it is working for me.
    Comments are in Italian; I apologize for my English.

    #!/bin/sh

    # Firewall rules IPFW

    # Definitions
    ME="_your_server_ip_here_"
    ADMIN="_your_static_ip_here_"
    PORTA_SSH="_your_custom_ssh_port_here_"   # defined but not referenced below: $ADMIN is allowed on every port
    DNS1="_your_dns_ip_here_"
    DNS2="_your_dns_ip_here_"
    NS2="_your_secondary_ns_ip_here_"
    CMD="ipfw add"

    # flush all rules
    ipfw -f flush



    # ADMINISTRATIVE PERMS

    # the server accepts traffic coming from my IP
    $CMD allow ip from $ADMIN to $ME

    # the server may send traffic to my IP
    $CMD allow ip from $ME to $ADMIN


    # PERMISSIONS TOWARDS ITSELF

    # the server can always connect to itself
    $CMD allow ip from 127.0.0.1 to 127.0.0.1


    # INTERNAL SERVICES
    # (list to be completed and verified)

    # standard service ports
    # (no explicit check-state rule: ipfw consults its dynamic table at the first keep-state rule it reaches)
    $CMD allow tcp from any to $ME 80 keep-state
    $CMD allow ip from any to $ME 25 keep-state
    $CMD allow tcp from any to $ME 110 keep-state
    $CMD allow udp from any to $ME 53 keep-state
    $CMD allow tcp from any to $ME 3306 keep-state

    # cPanel service ports
    $CMD allow ip from any to $ME 2095 keep-state
    $CMD allow ip from any to $ME 2082 keep-state
    $CMD allow ip from any to $ME 2083 keep-state
    $CMD allow ip from any to $ME 2086 keep-state
    $CMD allow ip from any to $ME 2087 keep-state

    # ftp service (control ports and the passive data range)
    $CMD allow tcp from any to $ME 20,21 keep-state
    $CMD allow tcp from any to $ME 49152-65535 keep-state


    # EXTERNAL SERVICES
    # (list to be completed and verified)

    # the server may connect to port 25
    $CMD allow ip from $ME to any 25 keep-state

    # the server may open ftp connections
    $CMD allow ip from $ME to any 21 keep-state

    # the server may open http connections
    $CMD allow ip from $ME to any 80 keep-state

    # the server may make DNS queries
    $CMD allow udp from $ME to $DNS1 53 keep-state
    $CMD allow udp from $ME to $DNS2 53 keep-state

    # the server may update the remote NS2
    $CMD allow ip from $ME to $NS2 2087 keep-state

    # the server may synchronise the Cpanel licence
    $CMD allow ip from any to $ME 2089 keep-state
    $CMD allow ip from any to $ME 873 keep-state
    $CMD allow ip from $ME to any 2089 keep-state
    $CMD allow ip from $ME to rdate.cpanel.net keep-state

    # the server may connect to the Cpanel update services
    $CMD allow ip from any to layer2.cpanel.net keep-state
    $CMD allow ip from any to rsync.cpanel.net keep-state
    $CMD allow ip from any to httpupdate.cpanel.net keep-state
    $CMD allow ip from any to cpanel.net keep-state
    $CMD allow ip from any to layer1.cpanel.net keep-state


    # FINAL CLOSE

    # the server blocks anything else, inbound and outbound
    $CMD deny log ip from any to any
    Last edited by daniele81; 02-24-2005 at 04:12 AM.

  #9 Member (Join Date Sep 2003, Posts 104)

    Does this work?

    Hi, is anyone using this, and does it work?

  #10 Member (Join Date Aug 2003, Posts 19)

    It is working for me...

    This is working for me. You can do better, but it is a starting point.

    #!/bin/sh

    # Firewall Ruleset
    # Philosophy: "First close, then open"

    # Variables
    ME="YOUR_SERVER_IP_HERE"
    ADMIN="YOUR_WORKSTATION_IP_HERE"
    ADMIN2="YOUR_WORKSTATION2_IP_HERE"
    PORTA_SSH="YOUR_CUSTOM_SSH_PORT_HERE"   # defined but not referenced below: the admin IPs are allowed on every port
    DNS1="PRIMARY_DNS"
    DNS2="SECONDARY_DNS"
    NS2="SECONDARY_DNS_IN_A_CLUSTER_(IF ANY)"
    CMD="ipfw add"

    # flush all previous rules
    ipfw -f flush



    # ADMINISTRATIVE ACCESS

    # the server allows incoming data from my IP
    $CMD allow ip from $ADMIN to $ME

    # the server allows outbound data to my IP
    $CMD allow ip from $ME to $ADMIN

    # ADMINISTRATIVE ACCESS 2

    # the server allows incoming data from my second IP
    $CMD allow ip from $ADMIN2 to $ME

    # the server allows outbound data to my second IP
    $CMD allow ip from $ME to $ADMIN2

    # AUTOACCESS PERMITTED

    # the server can send/receive data to/from itself
    $CMD allow ip from 127.0.0.1 to 127.0.0.1


    # INTERNAL SERVICES
    # (this list must be checked and completed)

    # standard services ports
    # (no explicit check-state rule: ipfw consults its dynamic table at the first keep-state rule it reaches)
    $CMD allow tcp from any to $ME 80 keep-state
    $CMD allow ip from any to $ME 25 keep-state
    $CMD allow tcp from any to $ME 110 keep-state
    $CMD allow udp from any to $ME 53 keep-state
    $CMD allow tcp from any to $ME 3306 keep-state

    # cpanel services ports
    $CMD allow ip from any to $ME 2095 keep-state
    $CMD allow ip from any to $ME 2082 keep-state
    $CMD allow ip from any to $ME 2083 keep-state
    $CMD allow ip from any to $ME 2086 keep-state
    $CMD allow ip from any to $ME 2087 keep-state

    # ftp service (control ports and the passive data range)
    $CMD allow tcp from any to $ME 20,21 keep-state
    $CMD allow tcp from any to $ME 49152-65535 keep-state


    # EXTERNAL SERVICES
    # (this list must be checked and completed)

    # the server can reach port 25 anywhere
    $CMD allow ip from $ME to any 25 keep-state

    # the server can access other FTP servers
    $CMD allow ip from $ME to any 21 keep-state

    # the server can access other HTTP servers
    #$CMD allow ip from $ME to any 80 keep-state

    # the server can send DNS queries
    $CMD allow udp from $ME to $DNS1 53 keep-state
    $CMD allow udp from $ME to $DNS2 53 keep-state

    # the server can synchronize the remote DNS in a cluster (IF ANY)
    $CMD allow ip from $ME to $NS2 2087 keep-state

    # rules for the Cpanel license
    $CMD allow ip from any to $ME 2089 keep-state
    $CMD allow ip from any to $ME 873 keep-state
    $CMD allow ip from $ME to any 2089 keep-state
    $CMD allow ip from $ME to rdate.cpanel.net keep-state

    # rules for Cpanel updates
    $CMD allow ip from any to layer2.cpanel.net keep-state
    $CMD allow ip from any to rsync.cpanel.net keep-state
    $CMD allow ip from any to httpupdate.cpanel.net keep-state
    $CMD allow ip from any to cpanel.net keep-state
    $CMD allow ip from any to layer1.cpanel.net keep-state


    # FINAL CLOSE

    # the server will reject any other data
    $CMD deny log ip from any to any
    Last edited by daniele81; 05-08-2005 at 04:02 PM.
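The rulesets in #8 and #10 depend on keep-state, and ipfw only consults its dynamic-rule table at a check-state rule, or, if there is none, at the first keep-state rule it reaches; they also grant the admin workstation "allow ip" on every port. As an added example, not code from daniele81 or from cPanel, here is a sh function that emits an ipfw rules file in the same "first close, then open" spirit with an explicit check-state ahead of the static allows, admin access narrowed to the SSH and MySQL ports, the public ports the thread lists (web, mail, cPanel/WHM, DNS, FTP with its passive range), and a logged final deny. The variable names ME, ADMIN, SSH_PORT, DNS1 and DNS2 follow the thread; FTP_PASV and the rule numbers are my own assumptions, and the anti-spoofing rules assume the server has no RFC 1918 interface of its own.

```sh
#!/bin/sh
# Added example (not code from the thread or from cPanel): print an ipfw(8)
# rules file in the "first close, then open" spirit of the posted scripts.
# Assumed inputs, taken from the environment (hypothetical names, the same
# ones the thread's scripts use): ME, ADMIN, SSH_PORT, DNS1, DNS2.
# Optional: FTP_PASV (passive FTP range; must match the FTP daemon's config).
# Usage: emit_ruleset > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules

# Refuse to emit rules while any input is empty or still a placeholder.
require_vars() {
    for v in ME ADMIN SSH_PORT DNS1 DNS2; do
        eval "val=\${$v:-}"
        case "$val" in
            ''|*YOUR_*|*_here_*|*PRIMARY_DNS*|*SECONDARY_DNS*)
                echo "set $v to a real value (got '$val')" >&2
                return 1 ;;
        esac
    done
    return 0
}

emit_ruleset() {
    require_vars || return 1
    ftp_pasv="${FTP_PASV:-49152-65535}"

    # loopback first, then drop anything claiming a loopback or private source
    # (assumes the public interface is the only one; no RFC 1918 leg)
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 deny ip from 10.0.0.0/8 to any in
add 201 deny ip from 172.16.0.0/12 to any in
add 202 deny ip from 192.168.0.0/16 to any in
add 203 deny ip from 169.254.0.0/16 to any in
add 204 deny ip from 240.0.0.0/4 to any in
EOF

    # consult the dynamic table before any static allow, so every keep-state
    # rule below matches its return traffic regardless of position; the admin
    # workstation gets SSH and MySQL only, not "allow ip" on every port
    cat <<EOF
add 300 check-state
add 400 allow tcp from $ADMIN to $ME $SSH_PORT setup keep-state
add 401 allow tcp from $ADMIN to $ME 3306 setup keep-state
EOF

    # public services: web, mail, cPanel/WHM/webmail, DNS, FTP (control + passive range)
    cat <<EOF
add 500 allow tcp from any to $ME 80,443 setup keep-state
add 501 allow tcp from any to $ME 25,110,143,465,993,995 setup keep-state
add 502 allow tcp from any to $ME 2082,2083,2086,2087,2095,2096 setup keep-state
add 503 allow udp from any to $ME 53 keep-state
add 504 allow tcp from any to $ME 53 setup keep-state
add 505 allow tcp from any to $ME 21 setup keep-state
add 506 allow tcp from any to $ME $ftp_pasv setup keep-state
add 510 allow icmp from any to $ME icmptypes 0,3,8,11
EOF

    # outbound: the server may open TCP sessions (mail, updates, licence checks)
    # but UDP only to its own resolvers; everything else is dropped and logged
    cat <<EOF
add 600 allow tcp from $ME to any setup keep-state out
add 601 allow udp from $ME to $DNS1 53 keep-state out
add 602 allow udp from $ME to $DNS2 53 keep-state out
add 65000 deny log ip from any to any
EOF
}
```

Because the output is a plain rules file rather than a script of `ipfw add` commands, it can be reviewed with `diff` against the previous version before loading, and loaded with a single `ipfw -q /etc/ipfw.rules` (or through a watchdog loader) instead of one getsockopt call per rule.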

  #11 Member (Join Date Sep 2003, Posts 658)

    Quote Originally Posted by cpdan:
    "Those rules don't work, do not use them."

    Dan... did you try the new ruleset? Also, does anyone have it in English?

  #12 Member (Join Date Aug 2003, Posts 19)

    Rules in English: I try to translate

    Hi Easy,

    yes, the new ruleset has been active on my server since February with no big trouble. I think this is not a very good ruleset, but it is something that works. I hope someone can suggest how we can do better (my English is very ridiculous, sorry).

    Now, I try to translate the ruleset...

  #13 Member (Join Date Aug 2003, Posts 19)

    Ruleset in English

    I hope the "English" translation is a little better. My English is very poor, sorry.

  #14 Member (Join Date Mar 2006, Posts 31)

    Are these rules any good? Can I use them on my FreeBSD 6.0 with cPanel 11? Thank you, guys.

  #15 Member nyjimbo (Join Date Jan 2003, Location New York, Posts 1,105)

    Quote Originally Posted by capoti:
    "Are these rules any good? Can I use them on my FreeBSD 6.0 with cPanel 11? Thank you, guys."

    These rules are about 3 years old; most of them look OK, but I am sure there are new ports and other things to consider. I wouldn't put them into place until you check them out line by line.
    We use IPFW on all our FreeBSD boxes but make up the rules as we go along.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf
