Page 1 of 3 123 LastLast
Results 1 to 15 of 40

Thread: Re: Port #'s for Firewall

  1. #1
    Networkologist
    Member
    Join Date
    Feb 2003
    Posts
    209

    Question Re: Port #'s for Firewall

    I just tried configuring a new firewall that was mentioned here:

    APF Firewall

    I was able to access WHM, cpanel, name based sites, but not IP based sites.

    There was a response to my config problems that "Per the iptables man page, you can fit 15 ports into the multiport option; that APF use"

    Before I revert back to trying KISS, does this apply to all firewalls? 'Cause from threads on this forum my config looks like this:

    # Common TCP Ports
    TCP_CPORTS="20,21,22,25,53,80,110,143,443,465"
    TCP_CPORTS2="993,995,2080,2081,2082,2083,2084,2085,2086,2087"
    TCP_CPORTS3="2088,2089,2090,2091,2092,2093,2094,2095,2096,2097"
    TCP_CPORTS4="2098,2099,3306"

  2. #2
    Networkologist
    Member
    Join Date
    Feb 2003
    Posts
    209

    Default So the answer is...

    30 ports can be added in their default config file and the rest thru a separate tcp.rules file.

  3. #3
    Member
    Join Date
    Apr 2003
    Posts
    27

    Default

    This applies to an older version of APF. The current release (http://www.r-fx.net/apf.php) supports a single TCP/UDP_CPORTS line with unlimited value.

    So you should no longer break it up into multiple lines.
    e.g:
    TCP_CPORTS="21,22,25,53,80,110,143,443,465,993,995,2080,2081,2082,2083,2084,2085,2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,2098,2099,3306"
    UDP_CPORTS="53"

    Ensure the large TCP_CPORTS= line is all on one line and no line breaks present.
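    The first post mentions the 15-port limit of the iptables multiport match, and the post above says a single long CPORTS line is now fine; the script below (an added example, not APF's own code, which this thread does not show) reconciles the two by splitting a conf.apf-style TCP_CPORTS value into groups that fit 15 multiport slots, validating each entry, and printing the ACCEPT rules. The TCP_CPORTS value is the one from the post above; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not APF's own code: split an APF-style TCP_CPORTS list into
# iptables multiport groups of at most 15 slots (the multiport limit; a range
# lo:hi uses two slots), validating each entry, and print the resulting rules.
# Value taken from the conf.apf example in this thread
TCP_CPORTS="21,22,25,53,80,110,143,443,465,993,995,2080,2081,2082,2083,2084,2085,2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,2098,2099,3306"

# check_port TOKEN -> 0 if TOKEN is a port 1-65535 or a range lo:hi, else 1
check_port() {
  case "$1" in
    ""|:*|*:|*:*:*|*[!0-9:]*) return 1 ;;
  esac
  lo=${1%%:*}; hi=${1##*:}
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# port_cost TOKEN -> multiport slots used: 1 for a port, 2 for a range
port_cost() {
  case "$1" in
    *:*) echo 2 ;;
    *)   echo 1 ;;
  esac
}

# multiport_groups LIST -> one comma-separated group per line, each using at
# most 15 slots; returns 1 as soon as an invalid entry is found
multiport_groups() {
  group=""; used=0
  IFS=','
  for p in $1; do
    check_port "$p" || { unset IFS; return 1; }
    c=$(port_cost "$p")
    if [ $((used + c)) -gt 15 ]; then
      echo "$group"; group=""; used=0
    fi
    group="${group:+$group,}$p"
    used=$((used + c))
  done
  unset IFS
  if [ -n "$group" ]; then echo "$group"; fi
}

# emit_rules PROTO LIST -> the iptables rules for LIST (printed, not executed)
emit_rules() {
  multiport_groups "$2" | while read -r g; do
    echo "iptables -A INPUT -p $1 -m multiport --dports $g -j ACCEPT"
  done
}

emit_rules tcp "$TCP_CPORTS"
```

    A pasted CPORTS line that was wrapped by an editor shows up here as an invalid entry rather than as a silently shortened port list.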

  4. #4
    FWC
    Member
    Join Date
    May 2002
    Location
    Ontario, Canada
    Posts
    354

    Default

    Originally posted by rfxn
    This applies to an older version of APF. The current release (http://www.r-fx.net/apf.php) supports a single TCP/UDP_CPORTS line with unlimited value.

    So you should no longer break it up into multiple lines.
    e.g:
    TCP_CPORTS="21,22,25,53,80,110,143,443,465,993,995,2080,2081,2082,2083,2084,2085,2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,2098,2099,3306"
    UDP_CPORTS="53"

    Ensure the large TCP_CPORTS= line is all on one line and no line breaks present.
    The latest APF is great. I've installed it on all of my servers with no problem at all. I did add ports 37 and 873 to both TCP and UDP to make sure rdate and rsync work, since Cpanel uses them. And in case anybody is wondering, bandmin is compatible.

  5. #5
    Member
    Join Date
    Apr 2003
    Posts
    27

    Default

    I released 0.8.4 tonight, but if it's working for you I don't see a need to upgrade whatever version you've got.

    "Don't fix what is not broken."

    Thanks for the notes on rsync/rdate and bandmin compliance.

    APF 0.8.4 available at:
    http://www.r-fx.net/downloads/apf-current.tar.gz
    http://www.r-fx.net/downloads/apf-current.rpm

    APF Home page: http://www.r-fx.net/apf.php

    - 0.8.4:
    [Change] moved default policy for udp to bottom of main firewall script
    [Change] removed header comments from vnetgen.def
    [New] added ipt_string.o verification check before loading iptsnort rules
    [Fix] fixed iptsnort and looping issues; causing init start to never complete
    [Change] revised whole iptsnort system; now logs chains before drop
    [Fix] added ipt_limit.o verification for ftp port; otherwise default no ipt_limit
    [Fix] corrected typo in DEVM cronjob
    [Fix] revised DEVM feature to write directly to crontab; cron.d proved unreliable
    [Change] revised install.sh

    Last edited by rfxn; 04-27-2003 at 03:26 AM.

  6. #6
    Member
    Join Date
    Feb 2003
    Posts
    61

    Default

    Before I consider installing this firewall, I have checked my RPMs and I see that the following are installed:

    ipchains
    iproute
    iptables


    Would it be advisable to de-install these first so as not to cause a conflict, and if so, what is the best way to de-install them?

    Regards,

    Brian

  7. #7
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    Originally posted by ServerIntelligence
    Before I consider installing this firewall, I have checked my RPMs and I see that the following are installed:

    ipchains
    iproute
    iptables


    Would it be advisable to de-install these first so as not to cause a conflict, and if so, what is the best way to de-install them?

    Regards,

    Brian
    I don't think there is a need to remove iproute, but it is not recommended to have iptables and ipchains running together.

    To disable ipchains:

    1. chkconfig --level 0123456 ipchains off

    2. /etc/rc.d/init.d/ipchains stop

    3. rmmod ipchains

  8. #8
    Member
    Join Date
    Feb 2003
    Posts
    61

    Default

    Thanks M8,
    I also have bastille-firewall and psad installed; what is the best method of de-installing these as well?

    I only want one firewall installed.

    Regards,

    Brian



    Originally posted by jamesbond
    I don't think there is a need to remove iproute, but it is not recommended to have iptables and ipchains running together.

    To disable ipchains:

    1. chkconfig --level 0123456 ipchains off

    2. /etc/rc.d/init.d/ipchains stop

    3. rmmod ipchains

  9. #9
    Member
    Join Date
    Feb 2003
    Posts
    61

    Default

    I ran the above and received the following errors:

    root@server7 [~]# /etc/rc.d/init.d/ipchains stop
    Flushing all chains: ipchains: Incompatible with this kernel
    [FAILED]
    Removing user defined chains: ipchains: Incompatible with this kernel
    [FAILED]
    Resetting built-in chains to the default ACCEPT policy:ipchains: Protocol not available
    [FAILED]
    root@server7 [~]# rmmod ipchains
    rmmod: module ipchains is not loaded
    root@server7 [~]

    So does this tell me I am not running, or have not installed, ipchains?

    Regards

  10. #10
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    Originally posted by ServerIntelligence
    I ran the above and received the following errors:

    root@server7 [~]# /etc/rc.d/init.d/ipchains stop
    Flushing all chains: ipchains: Incompatible with this kernel
    [FAILED]
    Removing user defined chains: ipchains: Incompatible with this kernel
    [FAILED]
    Resetting built-in chains to the default ACCEPT policy:ipchains: Protocol not available
    [FAILED]
    root@server7 [~]# rmmod ipchains
    rmmod: module ipchains is not loaded
    root@server7 [~]

    So does this tell me I am not running, or have not installed, ipchains?

    Regards
    That's correct.

    As for removing bastille, I can't help you with that since I've never used bastille myself.
    I did hear that uninstalling bastille can be a pain sometimes.
    Last edited by jamesbond; 04-27-2003 at 08:37 AM.

  11. #11
    Member
    Join Date
    Feb 2003
    Posts
    61

    Default

    Found out how to de-install Bastille, here below is what I did:

    /etc/rc.d/init.d/bastille-firewall stop
    cd /etc/rc.d/init.d
    rm -f bastille-firewall
    rm -f psad
    cd /etc/Bastille/
    rm -f *.*
    cd firewall.d/
    cd pre-audit.d/
    rm -f pre-audit.sh
    cd ..
    rmdir pre-audit.d/
    cd ..
    rmdir firewall.d/
    rm -f config
    cd ..
    rmdir Bastille
    /sbin/reboot


    Works 100%

    Regards and now installing APF Firewall

    Thanks,

    Brian



    Originally posted by jamesbond
    That's correct.

    As for removing bastille, I can't help you with that since I've never used bastille myself.
    I did hear that uninstalling bastille can be a pain sometimes.

  12. #12
    Member
    Join Date
    Feb 2003
    Posts
    61

    Default

    Installed APF and now can't get anything at all, no sites, no access to WHM or via SSH.

    What now?

    HELP!

    Brian

  13. #13
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    Originally posted by ServerIntelligence
    Installed APF and now can't get anything at all, no sites, no access to WHM or via SSH.

    What now?

    HELP!

    Brian
    You locked yourself out. There is nothing you can do remotely.
    I guess you should contact your NOC and explain that you locked yourself out, they can disable the firewall for you.

  14. #14
    Member
    Join Date
    Feb 2003
    Posts
    61

    Default

    Ok,
    I'm back in now after a reboot. Can someone say what ports to have open and what to edit and turn on in the config file, please?

    I'm now too afraid to restart the firewall just in case it locks me out again.

    Regards.

  15. #15
    FWC
    Member
    Join Date
    May 2002
    Location
    Ontario, Canada
    Posts
    354

    Default

    Originally posted by ServerIntelligence
    Ok,
    I'm back in now after a reboot. Can someone say what ports to have open and what to edit and turn on in the config file, please?

    I'm now too afraid to restart the firewall just in case it locks me out again.

    Regards.
    Make sure you have DEV mode set to 1 in conf.apf:

    DEVM="1"

    You can't lock yourself out for more than 5 minutes that way. Set it to 0 and restart APF once you know everything is working.

    If you want to allow pinging, uncomment the line near the bottom of icmp.rules.

    I don't have the AntiDOS, IPT Snort or Dshield functions turned on yet. I have read where some people got locked out by Dshield being on, but others say they have had no trouble. I also deleted /etc/cron.hourly/fw since I'm not using Dshield and I'll just restart APF if I bind any new IP's.

    For ports I have the following. They seem to work:

    TCP_CPORTS="21,22,25,26,37,53,80,110,143,443,465,783,873,993,995,2082,2083,2086,2087,2095,2096,3306,6666,7786"

    UDP_CPORTS="37,53,873"

    Add IP's you want to ban to drop_hosts.rules.

    Run /etc/rc.d/init.d/bandmin start after loading APF if you don't want to wait for the cron job to pick it up.

