The Community Forums


IPFW firewall rules for Cpanel on FreeBSD server

Discussion in 'General Discussion' started by daniele81, Dec 5, 2004.

  1. daniele81 (Member)

    Hi all,

    I have an Opteron FreeBSD server with cPanel and I'm securing my server using the IPFW firewall.
    I wrote a working draft with some rules you can use to secure your FreeBSD server using IPFW.

    It's only a working draft of rules. Comments and suggestions are REALLY appreciated.

  2. cPDan (cPanel Staff)

    Very nice :)

    1) Your second-to-last command is missing a $ (just FYI ;))

    2) If you run:
    # ipfw enable firewall
    and then run that script, you get a ton of:
    ipfw: getsockopt(IP_FW_ADD): Protocol not available

    You need to compile IPF into your kernel (see FreeBSD and Google for the options you need to use):

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFILTER
    options IPFILTER_LOG
    options TCPDEBUG
    options TCP_DROP_SYNFIN
    #options ICMP_BANDLIM
    options DUMMYNET
    options IPSTEALTH

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html
     
    #2 cPDan, Feb 22, 2005
    Last edited: Feb 22, 2005
  3. cPDan (cPanel Staff)

    Also, I find that adding
    ipfw enable firewall
    before ipfw -f flush for good measure is a good idea, and I like to comment out ports 2082 and 2086 if I want to ensure the login info is all done via SSH.

  4. cPDan (cPanel Staff)

    If I use the above with port 2086 commented out, I can still connect to http://whatever:2086

    Make sure
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    is not in, or is commented out of, your kernel config :)

    #4 cPDan, Feb 22, 2005
    Last edited: Feb 22, 2005
  5. cPDan (cPanel Staff)

    There are also a few ports missing, just FYI. Have a look at faq.cpanel.net for details.

    Besides that, do those commands work for you? They freeze me out when I try them. The only way to get access is to go in via the direct console instead of SSH and reboot so that those rules are not applied.

    What kernel options do you have that allow those to work?
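An added example (not a script from this thread, and not cPanel's own code) that turns cPDan's points from posts 3 to 5 into a reviewable ruleset: enable before flush, an admin SSH rule first so one bad rule cannot freeze you out of the box, 2082/2086 closed unless explicitly opened, and an explicit final deny so the kernel's IPFIREWALL_DEFAULT_TO_ACCEPT setting cannot quietly let 2086 through. The admin address 192.0.2.10, the interface em0 and the rule numbers are assumed placeholders; the script only prints the ipfw commands so they can be checked line by line before being piped to sh.

```shell
#!/bin/sh
# Added example, not a script from this thread or from cPanel: prints an IPFW
# ruleset for a cPanel/WHM box so it can be reviewed before it is applied
# (for instance  sh gen-ipfw.sh no | sh  once you are happy with it).
# Assumed placeholders: admin address 192.0.2.10, external interface em0.
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # constructed example address, change it
OIF="${OIF:-em0}"                    # assumed external interface name

# gen_rules yes|no  -- "yes" opens 2082/2086 to the world, "no" keeps them
# closed so cPanel/WHM logins only happen over an SSH tunnel.
gen_rules() {
    open_cpanel="$1"
    cat <<EOF
ipfw enable firewall
ipfw -f flush
# loopback, and drop anything pretending to be loopback elsewhere
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
# anti-lockout: admin SSH is allowed before any rule that could block it
ipfw add 400 allow tcp from $ADMIN_IP to me 22 in via $OIF setup keep-state
# replies to connections this host opened (DNS, updates, mail delivery)
ipfw add 500 check-state
ipfw add 600 allow tcp from me to any out via $OIF setup keep-state
ipfw add 700 allow udp from me to any 53 out via $OIF keep-state
# public services: web and mail
ipfw add 800 allow tcp from any to me 80,443 in via $OIF setup keep-state
ipfw add 900 allow tcp from any to me 25,110,143 in via $OIF setup keep-state
EOF
    if [ "$open_cpanel" = "yes" ]; then
        echo "ipfw add 1000 allow tcp from any to me 2082,2086 in via $OIF setup keep-state"
    else
        echo "# 2082/2086 deliberately closed: reach cPanel/WHM through an SSH tunnel"
    fi
    # explicit final deny, so the result does not depend on whether the kernel
    # was built with IPFIREWALL_DEFAULT_TO_ACCEPT
    echo "ipfw add 65000 deny log ip from any to any"
}

gen_rules "${1:-no}"
```

Add any further cPanel service ports the FAQ lists for your version as extra allow rules above the final deny; the ordering (enable, flush, admin SSH, everything else, deny) is the part worth keeping.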
     
  6. cPDan (cPanel Staff)

    Those rules don't work, do not use them :)

  7. daniele81 (Member)

    New ruleset

    Yes, I will post the new ruleset.
    Try it, if you want.

  8. daniele81 (Member)

    New rules (in Italian, sorry)

    I wrote a new ruleset for IPFW on a cPanel server. This is only a draft, but it is working for me.
    Comments are in Italian; I apologize for my English.

    #8 daniele81, Feb 23, 2005
    Last edited: Feb 24, 2005
  9. aboyz (Well-Known Member)

    Does this work?

    Hi, is anyone using this, and does this work?

  10. daniele81 (Member)

    It is working for me...

    This is working for me. You can do better, but it is a starting point.

    #10 daniele81, May 8, 2005
    Last edited: May 8, 2005
  11. easyhoster1 (Well-Known Member)

    Dan... did you try the new ruleset? Also, does anyone have it in English?

  12. daniele81 (Member)

    Rules in English: I'll try to translate

    Hi Easy,

    yes, the new ruleset has been active on my server since February with no big trouble. I think this is not a very good ruleset, but it is something that works. I hope someone can suggest how we can do better (my English is very ridiculous, sorry).

    Now, I'll try to translate the ruleset...

  13. daniele81 (Member)

    Ruleset in English

    I hope the "English" translation is a little better. My English is very poor, sorry.

  14. capoti (Active Member)

    Are these rules any good? Can I use them on my FreeBSD 6.0 with cPanel 11? Thank you guys :)

  15. nyjimbo (Well-Known Member)

    These rules are about 3 years old; most of them look OK, but I am sure there are new ports and other things to consider. I wouldn't put them into place until you check them out line by line.
    We use IPFW on all our FreeBSD boxes but make up the rules as we go along.

  16. capoti (Active Member)

    I am afraid I am not good with FreeBSD rules, and that's why I am asking if these rules are any good :eek:
    Can you share the basic rules you have for a cPanel FreeBSD box? Thank you very much

  17. capoti (Active Member)

    Anybody? :)
