Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Lum-chan on January 02, 2005, 01:36:28 PM
-
After a fresh install of SME Server 6.0.1-10 as a Private Gateway/Server, I checked my ports with ShieldsUp @ http://www.grc.com/
All ports were stealth.
After installing smeserver-fetchmail-1.3.4-02.noarch.rpm I tested again and now 25,80,113 and 443 are opened.
After searching at the console I found this piece of code in /etc/rc.d/init.d/masq:
adjust_tcp_in 113 ACCEPT $NEW_InboundTCP
adjust_tcp_in 21 denylog $NEW_InboundTCP
adjust_tcp_in 80 ACCEPT $NEW_InboundTCP
adjust_tcp_in 443 ACCEPT $NEW_InboundTCP
adjust_tcp_in 143 denylog $NEW_InboundTCP
adjust_tcp_in 389 denylog $NEW_InboundTCP
adjust_tcp_in 110 denylog $NEW_InboundTCP
adjust_tcp_in 1723 denylog $NEW_InboundTCP
adjust_tcp_in 25 ACCEPT $NEW_InboundTCP
adjust_tcp_in 22 denylog $NEW_InboundTCP
adjust_tcp_in 23 denylog $NEW_InboundTCP
I changed it to read as below:
adjust_tcp_in 113 denylog $NEW_InboundTCP
adjust_tcp_in 21 denylog $NEW_InboundTCP
adjust_tcp_in 80 denylog $NEW_InboundTCP
adjust_tcp_in 443 denylog $NEW_InboundTCP
adjust_tcp_in 143 denylog $NEW_InboundTCP
adjust_tcp_in 389 denylog $NEW_InboundTCP
adjust_tcp_in 110 denylog $NEW_InboundTCP
adjust_tcp_in 1723 denylog $NEW_InboundTCP
adjust_tcp_in 25 denylog $NEW_InboundTCP
adjust_tcp_in 22 denylog $NEW_InboundTCP
adjust_tcp_in 23 denylog $NEW_InboundTCP
After saving this with pico I issued this command:
service masq restart
I checked the status of my ports at http://www.grc.com/ and they all show as stealth again (25, 80, 113, 443).
But as soon as I add a new port forwarding rule (p2p for example) from the server-manager, the settings are default again...
I've searched for this on the forum but all I can find is something with templates-custom.
As I'm a complete newbie on this templates-custom I don't know how to get this fixed.
The custom-templates thing is quite difficult to follow.
I guess editing/saving/restarting this won't survive a reboot.
Am I looking in the right direction or am I on the wrong path?
Any helpful info on how to fix this would be great.
BTW, I have these RPM packages installed:
e-smith-dhcpmanager-1.5-1.noarch.rpm
e-smith-userpanel-1.6.0-3.noarch.rpm
perl-CGI-FormMagick-0.89-08.noarch.rpm
perl-Unicode-IMAPUtf7-1.02-1.i386.rpm
perl-Unicode-String-2.06-1.i386.rpm
sme-6.0-masq-manager-0.1-2.noarch.rpm
smeserver-fetchmail-1.3.4-02.noarch.rpm
smeserver-lprng-monitor-0.0.6-1.noarch.rpm
smeserver-qmHandle-1.0.2-9.noarch.rpm
smeserver-rkhunter-1.1.8-1.noarch.rpm
sme-dhcp-dns-0.9-rc1.noarch.rpm
sme-server-update-system-1.0-1.noarch.rpm
e-smith-ftp-manager-0.4-3.noarch.rpm
[edit] OK, it survived a reboot. [/edit]
-
I tried this in a script called rc.outside:
#!/bin/sh
#blocking port 25
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 25 -j DROP
#blocking port 80
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
#blocking port 113
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 113 -j DROP
#blocking port 443
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 443 -j DROP
However, this doesn't seem to work. Typing each rule by hand from the console doesn't work either.
Am I doing something wrong?
After running these commands, I check the status of those ports at http://www.grc.com (ShieldsUp).
Anyone?
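A way to see why an appended DROP rule like the ones in rc.outside can have no visible effect, as an added example that is not part of this thread or of SME Server: iptables walks a chain top-down and the first matching rule decides, so a "-A INPUT ... -j DROP" appended after an ACCEPT for the same port is never reached. The script below reads rules in the syntax printed by iptables-save / iptables -S (the "-P" policy lines are the iptables -S form; that format, and the sample rules themselves, are assumptions constructed for the example) and reports, for a given port, which rule wins first, plus every DROP that is shadowed by an earlier ACCEPT on the same chain.

```shell
#!/bin/sh
# Added example: detect DROP rules shadowed by an earlier ACCEPT.
# Feed it real rules with:  iptables -S INPUT | first_match INPUT 25
# The sample below is CONSTRUCTED for illustration, not taken from any system.

SAMPLE_RULES='-P INPUT DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j denylog
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j DROP'

# first_match CHAIN PORT: reads rules on stdin and prints the target of the
# first rule in CHAIN whose --dport equals PORT, or the chain policy when no
# rule matches. This is the verdict the kernel actually applies.
first_match() {
    awk -v chain="$1" -v want="$2" '
    $1 == "-P" && $2 == chain { policy = $3 }
    $1 == "-A" && $2 == chain && !done {
        port = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (port == want) { print target; done = 1 }
    }
    END { if (!done) print (policy == "" ? "no-policy" : policy) }'
}

# shadowed_drops: reads rules on stdin and prints "CHAIN PORT" for every DROP
# whose port was already ACCEPTed earlier in the same chain (dead rules).
shadowed_drops() {
    awk '
    $1 == "-A" {
        chain = $2; port = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (port == "") next
        key = chain ":" port
        if (target == "ACCEPT") accepted[key] = 1
        else if (target == "DROP" && (key in accepted)) print chain, port
    }'
}

# Demonstration on the constructed sample.
for p in 25 80 443 8080; do
    printf 'port %s -> %s\n' "$p" "$(printf '%s\n' "$SAMPLE_RULES" | first_match INPUT "$p")"
done
printf 'shadowed DROP rules:\n'
printf '%s\n' "$SAMPLE_RULES" | shadowed_drops
```

In the sample, ports 25 and 80 still resolve to ACCEPT even though a DROP for each was appended, which is exactly the symptom of appending rules behind a service-managed ACCEPT; port 443 resolves to DROP because nothing accepted it earlier, and an unlisted port falls through to the chain policy. The durable fix is to change the rule that the masq service generates (so the ACCEPT never exists) rather than to append a DROP after it.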
-
Sure you didn't just enable access to IMAP/SMTP from 'anywhere' rather than just the local network? Check the email section of the server-manager. If it says local only, maybe change it, and change it back.
-
@gregswallow:
Hmmm, I thought it was worth a try. I tried this and made them public and then local again.
I'm afraid it didn't work. The 4 ports are still open according to grc.com.
As I have to edit /etc/rc.d/init.d/masq and restart the masq service every time I have to change a forwarding rule, I was wondering where these settings come from. Are they to be found in some kind of database or config file which I can adjust?
The firewall rules I created don't seem to work either. Are they overruled by some config setting (which I can't find yet)?
Do you (or anyone else) have a clue on how to fix this?
Otherwise I'll be forced to re-edit /etc/rc.d/init.d/masq every time I change something regarding services and such... Not that bad, but a bit user-unfriendly IMHO.
Thanks in advance
[edit] It may look like a bug and might be reported to the creator of the fetchmail rpm. If we can't fix it, maybe I should contact him regarding this issue? It would be nice if he had some kind of a solution on how to fix this. I checked his site just a few hours ago but couldn't find anything useful... sniff sniff [/edit]