Koozali.org: home of the SME Server

ports open after installing fetchmail, How to close?

Lum-chan
« on: January 02, 2005, 01:36:28 PM »
After a fresh install of SME Server 6.0.1-10 as a Private Gateway/Server, I checked my ports with ShieldsUp at http://www.grc.com/
All ports were stealth.

After installing smeserver-fetchmail-1.3.4-02.noarch.rpm I tested again and now 25, 80, 113 and 443 are open.

After searching from the console I found this piece of code in /etc/rc.d/init.d/masq:


    adjust_tcp_in 113 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 21 denylog $NEW_InboundTCP
    adjust_tcp_in 80 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 443 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 143 denylog $NEW_InboundTCP
    adjust_tcp_in 389 denylog $NEW_InboundTCP
    adjust_tcp_in 110 denylog $NEW_InboundTCP
    adjust_tcp_in 1723 denylog $NEW_InboundTCP
    adjust_tcp_in 25 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 22 denylog $NEW_InboundTCP
    adjust_tcp_in 23 denylog $NEW_InboundTCP


I changed it to read as below:


    adjust_tcp_in 113 denylog $NEW_InboundTCP
    adjust_tcp_in 21 denylog $NEW_InboundTCP
    adjust_tcp_in 80 denylog $NEW_InboundTCP
    adjust_tcp_in 443 denylog $NEW_InboundTCP
    adjust_tcp_in 143 denylog $NEW_InboundTCP
    adjust_tcp_in 389 denylog $NEW_InboundTCP
    adjust_tcp_in 110 denylog $NEW_InboundTCP
    adjust_tcp_in 1723 denylog $NEW_InboundTCP
    adjust_tcp_in 25 denylog $NEW_InboundTCP
    adjust_tcp_in 22 denylog $NEW_InboundTCP
    adjust_tcp_in 23 denylog $NEW_InboundTCP


After saving this with pico I issued this command:

service masq restart

I checked the status of my ports at http://www.grc.com/ and they all show as stealth again (25, 80, 113, 443).

But as soon as I add a new port forwarding rule (p2p for example) from the server-manager, the settings are back to the defaults again...

I've searched for this on the forum but all I can find is something about templates-custom.
As I'm a complete newbie with templates-custom I don't know how to get this fixed.
The custom-templates thing is quite difficult to follow.
I guess editing/saving/restarting this won't survive a reboot.

Am I looking on the right direction or am I on the wrong path?

Any helpful info on how to fix this would be great.

BTW, I have these rpm packages installed:

e-smith-dhcpmanager-1.5-1.noarch.rpm
e-smith-userpanel-1.6.0-3.noarch.rpm
perl-CGI-FormMagick-0.89-08.noarch.rpm
perl-Unicode-IMAPUtf7-1.02-1.i386.rpm
perl-Unicode-String-2.06-1.i386.rpm
sme-6.0-masq-manager-0.1-2.noarch.rpm
smeserver-fetchmail-1.3.4-02.noarch.rpm
smeserver-lprng-monitor-0.0.6-1.noarch.rpm
smeserver-qmHandle-1.0.2-9.noarch.rpm
smeserver-rkhunter-1.1.8-1.noarch.rpm
sme-dhcp-dns-0.9-rc1.noarch.rpm
sme-server-update-system-1.0-1.noarch.rpm
e-smith-ftp-manager-0.4-3.noarch.rpm

[edit] OK, it survived a reboot. [/edit]
Lum-chan

Lum-chan
« Reply #1 on: January 03, 2005, 08:53:03 PM »
I tried this in a script called rc.outside:

#!/bin/sh
#blocking port 25
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 25 -j DROP
#blocking port 80
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
#blocking port 113
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 113 -j DROP
#blocking port 443
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 443 -j DROP


However, this doesn't seem to work. Typing each rule by hand from the console doesn't work either.

Am I doing something wrong?

After running these commands, I check the status of those ports at http://www.grc.com with ShieldsUp.

Anyone?
Lum-chan

gregswallow
« Reply #2 on: January 04, 2005, 03:53:46 AM »
Sure you didn't just enable access to IMAP/SMTP from 'anywhere' rather than just the local network?  Check the email section of the server-manager.  If it says local only, maybe change it, and change it back.

Lum-chan
« Reply #3 on: January 05, 2005, 01:38:08 PM »
@gregswallow:
Hmmm, I thought it was worth a try. I tried this, made them public and then local again.
I'm afraid it didn't work. The 4 ports are still open according to grc.com.

As I have to edit /etc/rc.d/init.d/masq and restart the masq service every time I change a forwarding rule, I was wondering where these settings come from. Are they to be found in some kind of database or config file which I can adjust?

The firewall rules I created don't seem to work either. Are they overruled by some config setting (which I can't find yet)?

Do you (or anyone else) have a clue on how to fix this?
Otherwise I'll be forced to re-edit /etc/rc.d/init.d/masq every time I change something regarding services and such... Not that bad, but a bit user-unfriendly IMHO.

Thanks in advance

[edit] It may look like a bug and might be reported to the creator of the fetchmail rpm. If we can't fix it, maybe I should contact him regarding this issue? It would be nice if he had some kind of solution on how to fix this. I checked his site just a few hours ago but couldn't find anything useful... sniff sniff [/edit]
Lum-chan
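The first post and Reply #3 both run into the same problem: the hand-edited /etc/rc.d/init.d/masq is regenerated whenever a rule is changed in the server-manager, so the four ports silently reopen. Until the template question is settled, a cheap safeguard is to audit the generated script after every server-manager change (or from cron) and shout when a port is ACCEPTed that you did not intend. The script below is an added example, not code from the thread or from the SME Server project; the masq path and the `adjust_tcp_in <port> <ACCEPT|denylog> $NEW_InboundTCP` line format are taken from the first post, while the function names and the allowlist format are this example's own convention, and the sample input is the default block quoted in the first post so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from SME Server): audit the generated
# /etc/rc.d/init.d/masq and flag every TCP port it ACCEPTs that is not on an
# allowlist. Only lines shaped like the ones quoted in the thread are parsed:
#     adjust_tcp_in <port> <ACCEPT|denylog> $NEW_InboundTCP
# Function names and the space-separated allowlist are this example's own
# convention (assumptions), not an SME Server interface.

# Read a masq script on stdin; print the ACCEPTed TCP ports, one per line,
# sorted numerically.
masq_open_ports() {
    awk '$1 == "adjust_tcp_in" && $3 == "ACCEPT" { print $2 }' | sort -n
}

# Read a masq script on stdin; $1 is a space-separated allowlist of ports.
# Prints every ACCEPTed port that is not allowed and returns 1 if there was one.
masq_audit() {
    allow=" $1 "
    rc=0
    for p in $(masq_open_ports); do
        case "$allow" in
            *" $p "*) ;;
            *) echo "unexpected open port: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the default block quoted in the first post, embedded
# here so the example runs without touching the real script.
sample_masq() {
    cat <<'EOF'
    adjust_tcp_in 113 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 21 denylog $NEW_InboundTCP
    adjust_tcp_in 80 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 443 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 143 denylog $NEW_InboundTCP
    adjust_tcp_in 389 denylog $NEW_InboundTCP
    adjust_tcp_in 110 denylog $NEW_InboundTCP
    adjust_tcp_in 1723 denylog $NEW_InboundTCP
    adjust_tcp_in 25 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 22 denylog $NEW_InboundTCP
    adjust_tcp_in 23 denylog $NEW_InboundTCP
EOF
}

# Stand-alone run against the sample with an empty allowlist (the poster wants
# nothing reachable from the outside): reports 25, 80, 113 and 443.
# On a real box the same check reads the live script instead:
#     masq_audit "" < /etc/rc.d/init.d/masq
sample_masq | masq_audit "" || echo "audit: unexpected ports found"
```

Run the audit right after each server-manager change and after `service masq restart`; a non-zero exit is the signal that the defaults have come back. Note the last field of each parsed line: `$NEW_InboundTCP` is the chain the rule is placed in, not INPUT itself. If, as that argument suggests, the accept decision for these ports is taken inside a separate chain that INPUT jumps to, then rules appended to INPUT with `-A` (as in Reply #1's rc.outside) sit behind that jump and are never reached for those ports, which would explain why they had no visible effect; that reading is an inference from the quoted snippet, not something the thread confirms.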