
Re: Port #'s for Firewall

Discussion in 'General Discussion' started by Networkologist, Apr 3, 2003.

  1. Networkologist

    I just tried configuring a new firewall that was mentioned here:

    APF Firewall

    I was able to access WHM, cpanel, name based sites, but not IP based sites.

    There was a response to my config problems that "Per the iptables man page, you can fit 15 ports into the multiport option; that APF use"

    Before I revert back to trying KISS, does this apply to all firewalls?
    'Cause from threads on this forum my config looks like this:

    # Common TCP Ports
    TCP_CPORTS="20,21,22,25,53,80,110,143,443,465"
    TCP_CPORTS2="993,995,2080,2081,2082,2083,2084,2085,2086,2087"
    TCP_CPORTS3="2088,2089,2090,2091,2092,2093,2094,2095,2096,2097"
    TCP_CPORTS4="2098,2099,3306"
     
  2. Networkologist

    So the answer is...

    30 ports can be added in their default config file and the rest through a separate tcp.rules file.
     
  3. rfxn

    This applies to an older version of APF. The current release (http://www.r-fx.net/apf.php) supports a single TCP/UDP_CPORTS line with unlimited value.

    So you should no longer break it up into multiple lines.
    e.g:
    TCP_CPORTS="21,22,25,53,80,110,143,443,465,993,995,2080,2081,2082,2083,2084,2085,2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,2098,2099,3306"
    UDP_CPORTS="53"

    Ensure the large TCP_CPORTS= line is all on one line and no line breaks present.
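    How a long CPORTS line like the one above is mapped onto iptables' limit of 15 ports per multiport match (the limit quoted at the top of the thread), as an added illustration in POSIX sh. This is not APF's own code; it validates the list, prints the rules it would generate instead of applying them, and uses the port list from this post as sample input.

```sh
#!/bin/sh
# Added example (not APF's code): map a conf.apf-style port list onto
# iptables' multiport match, which accepts at most 15 ports per rule.
# APF does this chunking internally; here the generated rules are printed,
# not executed, so the script is safe to run anywhere.

# validate_ports "21,22,..." -> 0 if every entry is a number in 1-65535
validate_ports() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case $p in
            ''|*[!0-9]*) echo "invalid port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    return 0
}

# gen_rules tcp "21,22,..." -> one ACCEPT rule per group of <= 15 ports
gen_rules() {
    proto=$1; ports=$2
    validate_ports "$ports" || return 1
    group=''; n=0
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        group="${group}${group:+,}$p"
        n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            echo "iptables -A INPUT -p $proto -m multiport --dports $group -j ACCEPT"
            group=''; n=0
        fi
    done
    [ -n "$group" ] && echo "iptables -A INPUT -p $proto -m multiport --dports $group -j ACCEPT"
    return 0
}

# rule_count tcp "..." -> how many rules the list expands to
rule_count() {
    gen_rules "$1" "$2" | wc -l | tr -d ' '
}

# rfxn's 32-port TCP_CPORTS line from this post expands to three rules.
gen_rules tcp "21,22,25,53,80,110,143,443,465,993,995,2080,2081,2082,2083,2084,2085,2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,2098,2099,3306"
gen_rules udp "53"
```

    A stray line break inside the quoted value shows up here as a truncated list, which is the same failure rfxn warns about above.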
     
  4. FWC

    The latest APF is great. I've installed it on all of my servers with no problem at all. I did add ports 37 and 873 to both TCP and UDP to make sure rdate and rsync work, since Cpanel uses them. And in case anybody is wondering, bandmin is compatible.
     
  5. rfxn

    I released 0.8.4 tonight, but if it's working for you I don't see a need to upgrade whatever version you've got :)

    "dont fix what is not broken"

    Thanks for the notes on rsync/rdate and bandmin compliance.

    APF 0.8.4 Available at:
    http://www.r-fx.net/downloads/apf-current.tar.gz
    http://www.r-fx.net/downloads/apf-current.rpm

    APF Home page: http://www.r-fx.net/apf.php

    - 0.8.4:
    [Change] moved default policy for udp to bottom of main firewall script
    [Change] removed header comments from vnetgen.def
    [New] added ipt_string.o verification check before loading iptsnort rules
    [Fix] fixed iptsnort and looping issues; causing init start to never complete
    [Change] revised whole iptsnort system; now logs chains before drop
    [Fix] added ipt_limit.o verification for ftp port; otherwise default no ipt_limit
    [Fix] corrected typo in DEVM cronjob
    [Fix] revised DEVM feature to write directly to crontab; cron.d proved unreliable
    [Change] revised install.sh
     
    #5 rfxn, Apr 27, 2003
    Last edited: Apr 27, 2003
  6. ServerIntelligence

    Before I consider installing this firewall, I have checked my RPMs and I see that the following are installed:

    ipchains
    iproute
    iptables


    Would it be advisable to de-install these first so as not to cause a conflict, and if so, what is the best way to de-install them?

    Regards,

    Brian
     
  7. jamesbond

    I don't think there is a need to remove iproute, but it is not recommended to have iptables and ipchains running together.

    To disable ipchains:

    1. chkconfig --level 0123456 ipchains off

    2. /etc/rc.d/init.d/ipchains stop

    3. rmmod ipchains
     
  8. ServerIntelligence

    Thanks M8,
    I also have bastille-firewall and psad installed; what is the best method for de-installing these as well?

    I only want one firewall installed.

    Regards,

    Brian



     
  9. ServerIntelligence

    I ran the above and received the following errors:

    root@server7 [~]# /etc/rc.d/init.d/ipchains stop
    Flushing all chains: ipchains: Incompatible with this kernel
    [FAILED]
    Removing user defined chains: ipchains: Incompatible with this kernel
    [FAILED]
    Resetting built-in chains to the default ACCEPT policy:ipchains: Protocol not available
    [FAILED]
    root@server7 [~]# rmmod ipchains
    rmmod: module ipchains is not loaded
    root@server7 [~]

    So does this tell me I am not running ipchains, or do not have it installed?

    Regards
     
  10. jamesbond

    That's correct.

    As for removing bastille, I can't help you with that since I've never used bastille myself.
    I did hear that uninstalling bastille can be a pain sometimes.
     
    #10 jamesbond, Apr 27, 2003
    Last edited: Apr 27, 2003
  11. ServerIntelligence

    Found out how to de-install Bastille; here below is what I did:

    /etc/rc.d/init.d/bastille-firewall stop
    cd /etc/rc.d/init.d
    rm -f bastille-firewall
    rm -f psad
    cd /etc/Bastille/
    rm -f *.*
    cd firewall.d/
    cd pre-audit.d/
    rm -f pre-audit.sh
    cd ..
    rmdir pre-audit.d/
    cd ..
    rmdir firewall.d/
    rm -f config
    cd ..
    rmdir Bastille
    /sbin/reboot


    Works 100%

    Regards and now installing APF Firewall

    Thanks,

    Brian



     
  12. ServerIntelligence

    Installed APF and now can't get anything at all: no sites, no access to WHM or via SSH.

    What now?

    HELP!

    Brian
     
  13. jamesbond

    You locked yourself out. There is nothing you can do remotely.
    I guess you should contact your NOC and explain that you locked yourself out, they can disable the firewall for you.
     
  14. ServerIntelligence

    Ok,
    I'm back in now after a reboot. Can someone say what ports to have open and what to edit and turn on in the config file, please.

    I'm now too afraid to restart the firewall just in case it locks me out again.

    Regards.
     
  15. FWC

    Make sure you have DEV mode set to 1 in conf.apf:

    DEVM="1"

    You can't lock yourself out for more than 5 minutes that way. Set it to 0 and restart APF once you know everything is working.

    If you want to allow pinging, uncomment the line near the bottom of icmp.rules.

    I don't have the AntiDOS, IPT Snort or Dshield functions turned on yet. I have read where some people got locked out by Dshield being on, but others say they have had no trouble. I also deleted /etc/cron.hourly/fw since I'm not using Dshield and I'll just restart APF if I bind any new IP's.

    For ports I have the following. They seem to work:

    TCP_CPORTS="21,22,25,26,37,53,80,110,143,443,465,783,873,993,995,2082,2083,2086,2087,2095,2096,3306,6666,7786"

    UDP_CPORTS="37,53,873"

    Add IP's you want to ban to drop_hosts.rules.

    Run /etc/rc.d/init.d/bandmin start after loading APF if you don't want to wait for the cron job to pick it up.
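    The fail-safe that DEVM="1" gives you, as an added example that is not APF's own code: a background watchdog undoes a rule change after a timeout unless an admin who can still log in cancels it. The init.d stop/start commands in the comments are assumed from the start command used elsewhere in this thread; the runnable part uses a marker file instead of a firewall flush.

```sh
#!/bin/sh
# Added example (not APF's code): the fail-safe behind DEVM="1".
# A rule change is applied, and a background watchdog undoes it after a
# timeout unless an admin who can still log in cancels it. APF does this
# with a cron job and a 5 minute window; here the window and the rollback
# command are parameters, so the pattern can be exercised without iptables.

# arm_watchdog SECONDS 'rollback command' -> prints the watchdog PID
arm_watchdog() {
    secs=$1; rollback=$2
    # stdout/stderr are redirected so a $(...) caller returns immediately
    ( sleep "$secs" && eval "$rollback" ) >/dev/null 2>&1 &
    echo $!
}

# cancel_watchdog PID -> call once you have confirmed you are not locked out
cancel_watchdog() {
    kill "$1" 2>/dev/null
}

# Real use (shown as comments, not run; init.d paths assumed):
#   pid=$(arm_watchdog 300 '/etc/init.d/apf stop')  # unload if nobody cancels
#   /etc/init.d/apf start                            # load the new ruleset
#   ... open a fresh SSH session, test WHM, cPanel and your sites ...
#   cancel_watchdog "$pid"                           # all good, keep the rules

# Self-contained check using a marker file in place of a firewall flush.
demo() {
    marker=$(mktemp); rm -f "$marker"
    # Case 1: admin confirms in time, so the rollback must never fire.
    pid=$(arm_watchdog 1 "touch '$marker'")
    cancel_watchdog "$pid" || { echo "cancel failed"; return 1; }
    sleep 2
    [ -e "$marker" ] && { echo "unexpected rollback"; return 1; }
    # Case 2: admin is locked out and never cancels, so the rollback fires.
    arm_watchdog 1 "touch '$marker'" >/dev/null
    sleep 2
    [ -e "$marker" ] || { echo "rollback did not fire"; return 1; }
    rm -f "$marker"
    echo "watchdog behaves as expected"
    return 0
}

demo
```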
     
  16. ServerIntelligence

    Ok,
    I did what you said, used the same ports, restarted the firewall and ran bandmin.

    How can I test to see if all is working before I change DEVM to 1?

    Regards,

    Brian
     
  17. FWC

    Well, you obviously didn't get locked out. So changing out of DEV mode is probably safe. You can run:

    iptables -L -n | more

    to see all the rules loaded. Make sure you see all your IPs loaded and look for the bandmin rules at the end of the list. If your sites work, try WHM, Cpanel, etc. Everything should work fine and you are probably OK to change out of DEV mode. Start APF first before you check everything. In DEV mode it shuts itself off in 5 minutes. You can't make sure things are working if it's off.
     
  18. ServerIntelligence

    When I run iptables -L -n | more
    I see this:

    root@server7 [~]# iptables -L -n | more
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    root@server7 [~]#

    Is this right? And where do I check to see if all my IPs are OK?

    Regards.
     
  19. rfxn

    /etc/init.d/apf start
    then run
    iptables -L
    see if there are any rules listed (there should be)
    also you can do
    ls /etc/apf/vnet/*.rules
    there should be a rules file for every ip on your system.
     
  20. ServerIntelligence

    Again I followed your instructions, and yes, I did see all the tables scrolling up the screen with all my IPs as well.

    Does this now mean all is well and I can in fact change DEVM to 1?

    Thanks for all your help M8.

    Regards,

    Brian
     