From: Michael Herron (mherron@latte.harvard.edu)
Date: Thu Aug 24 2000 - 09:44:13 PDT
OK, I did this in rules.config:
## block off several ports that were found open after
## installation of firewall
##
$IPCHAINS -A input -p tcp -s 0/0 -d $OUTERNET 6667 -j DENY -l
$IPCHAINS -A input -p tcp -s 0/0 -d $OUTERNET 2000 -j DENY -l
$IPCHAINS -A input -p tcp -s 0/0 -d $OUTERNET 2201 -j DENY -l
$IPCHAINS -A input -p tcp -s 0/0 -d $OUTERNET 32771:32774 -j DENY -l
This is produced by ipchains -L:
DENY tcp ----l- anywhere [MY IP ADDRESS]/24 any -> ircd
DENY tcp ----l- anywhere [MY IP ADDRESS]/24 any -> 2000
DENY tcp ----l- anywhere [MY IP ADDRESS]/24 any -> 2201
DENY tcp ----l- anywhere [MY IP ADDRESS]/24 any -> 32771:32774
I think this is working (6667/tcp is ircd according to /etc/services).
My only (famous last words...) question is the /24 thing after my IP
address. What does this mean, and is this a problem?
thanks,
michael
tim k writes:
> Well, personally, if I would want to block a port on my firewall I would do a
>
> ipchains -A input -p tcp -s 0/0 -d 24.3.195.1 80 -j REJECT
>
> where the source is anywhere coming in and the -d ip is the ip of your
> firewall's internet interface and 80 is the port you want to block...
>
> $REMOTENET for both -s and -d is contradictory I think. Anyway, do an ipchains -L
> -v and see if the chain rule you made is receiving any packets. That's the best
> way to tell if it works.
>
> Let me know if it works, hell, I'll scan ya if you want me to :)
>
> zero
>
>
>
> >===== Original Message From "Michael Herron" <mherron@latte.harvard.edu> =====
> >Hello.
> >
> >(Thanks to whoever answered my email on configuring the firewall to
> >allow mail in...)
> >
> >After I set up pmfirewall, a friend ran a port scan on my machine. It
> >found
> >
> > >
> > > Starting nmap V. 2.30BETA17 by fyodor@insecure.org ( www.insecure.org/nmap/ )
> > > Initiating TCP connect() scan against [SITE DELETED]
> > > Adding TCP port 6667 (state Open).
> > > Adding TCP port 22 (state Open).
> > > Adding TCP port 2000 (state Open).
> > > Adding TCP port 32772 (state Open).
> > > Adding TCP port 32774 (state Open).
> > > Adding TCP port 32771 (state Open).
> > > Adding TCP port 2201 (state Open).
> > > Adding TCP port 32773 (state Open).
> > > The TCP connect scan took 5 seconds to scan 1054 ports.
> >
> >[snip]
> >
> >Port 22/tcp is ssh and I run this. The others, I presume, should be
> >closed off. According to /etc/services, 6667/tcp is some irc thing
> >that I must be running (not sure how, but this is another story). The
> >other ports I cannot identify. Nonetheless, I have added the
> >following lines to rules.local:
> >
> >$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 6667 -i DENY
> >$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 2000 -i DENY
> >$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 2201 -i DENY
> >$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 32771:32774 -i DENY
> >
> >Is this the correct thing to do to shut off a port?
> >
> >thanks,
> >
> >michael
> >****************************************************************************
> >* To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
> >* in the message body to majordomo@pointman.org. Please direct other
> >* questions, comments, or problems to pmfirewall-owner@pointman.org.
> >*
> >* Need answers fast? Check the list archive located at:
> >* http://www.pointman.org/PMFirewall/list-archive/
> >*
>
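On the /24 question in the thread: the /24 in the ipchains -L listing is a 24-bit netmask, so the destination column matches the whole 256-address network containing the firewall's address, not only that one host. The following is an added example, not code from the thread or from pmfirewall: a small Python matcher for the listing rows above, with the documentation range 192.0.2.0/24 standing in for the redacted address, that shows which packets the four DENY rules catch (first matching rule wins, as in ipchains) and that a neighbouring address in the same /24 is matched too.

```python
import ipaddress
import re

# Constructed stand-in for the redacted "[MY IP ADDRESS]/24" rows in the thread;
# 192.0.2.0/24 is a documentation range, not a real network.
LISTING = """\
DENY tcp ----l- anywhere 192.0.2.0/24 any -> ircd
DENY tcp ----l- anywhere 192.0.2.0/24 any -> 2000
DENY tcp ----l- anywhere 192.0.2.0/24 any -> 2201
DENY tcp ----l- anywhere 192.0.2.0/24 any -> 32771:32774
"""

# ipchains -L (without -n) prints service names from /etc/services.
SERVICES = {"ircd": 6667, "ssh": 22}

# Columns: target proto flags source destination sports -> dports
ROW = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")

def parse_net(text):
    # "anywhere" is how ipchains prints 0/0; "a.b.c.d/24" is the whole 256-address block.
    return ipaddress.ip_network("0.0.0.0/0" if text == "anywhere" else text, strict=False)

def parse_ports(text):
    # "any", a single port or service name, or an inclusive "low:high" range.
    if text == "any":
        return (0, 65535)
    low, _, high = text.partition(":")
    low = SERVICES.get(low, low)
    high = SERVICES.get(high, high) if high else low
    return (int(low), int(high))

def parse_listing(listing):
    # Each rule becomes (target, proto, src_net, dst_net, (low, high)).
    rules = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            target, proto, src, dst, _sports, dports = m.groups()
            rules.append((target, proto, parse_net(src), parse_net(dst), parse_ports(dports)))
    return rules

def verdict(rules, proto, src, dst, dport):
    # ipchains takes the first matching rule; no match falls through to the chain policy.
    for target, rproto, snet, dnet, (lo, hi) in rules:
        if rproto == proto and ipaddress.ip_address(src) in snet \
                and ipaddress.ip_address(dst) in dnet and lo <= dport <= hi:
            return target
    return "POLICY"
```

Port 22/tcp is not covered by any of the four rows, so it falls through to the input chain's policy, which is why ssh stays reachable while 6667, 2000, 2201 and 32771-32774 are denied.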
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:36:11 PDT