DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 8th February 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Thanked 0 Times in 0 Posts
Default test port connection

Hello, i need to allow access to remote server on port 5224, i am running PF firewall and have added this port to tcp_pass = entry.

Is there a way (tool) to test if this connection is working?

plus is it possible to only allow this port for this one remote server?

cheers
Reply With Quote
  #2   (View Single Post)  
Old 8th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,674
Thanked 214 Times in 189 Posts
Default

Quote:
Originally Posted by carpman View Post
... tcp_pass = entry....
This without context is meangless to PF users. If you want people to examine your PF configuration, post it.
Quote:
Is there a way (tool) to test if this connection is working?
If you, yourself, do not have a remote system with a shell account to test from, you can use remote scanners such as "ShieldsUP!" which is operated by Gibson Research (grc.com). This will tell you if the TCP or UDP port you are interested reflects what Gibson Research defines as "open" "closed" or "stealth", depending on positive, negative, or no response from your server.
Quote:
plus is it possible to only allow this port for this one remote server?
Yes, see the syntax of the rdr PF rule. e.g.:
Code:
rdr log on $external_nic proto  tcp from $my_friends to any port 5524 -> $internal_server 5524
Reply With Quote
  #3   (View Single Post)  
Old 8th February 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

Another +1 for the grc.com test, that can help you confirm your rules are setup properly.. as can a friend with some free time.

As jggimi said, please post your pf configuration file in the future.
Reply With Quote
  #4   (View Single Post)  
Old 8th February 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Thanked 0 Times in 0 Posts
Default

Hello and the and thanks for reply,, been a long week and just realised i could use nmap from my workstation to test port, which i did and it shows it as closed:

Quote:
Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-08 20:19 GMT
Interesting ports on 85-234-15*-**.static.poundhost.com (85.234.15*.**):
PORT STATE SERVICE
5224/tcp closed unknown
I have also included my pf.conf

Quote:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if = "fxp0"

logopt = "log"
#-----------------------------------------------------------------------
# Tables
#-----------------------------------------------------------------------
#our ips
table <local> { 202.83.54.128, 69.59.173.180, 59.93.35.19/24 }

#block spammers listed in this file
table <spammers> persist file "/etc/spammers"

# publically accesible services (transport layer neutral)
tcp_pass = "{ 20,21,22,25,26,37,53,80,110,143,144,443,465,587,87 3,993,995,1922,3306,5001,5224,8009,8080,8443,10125 ,10000 }"
udp_pass = "{ 37,53,110,123,873,10000 }"
# externally permitted inbound icmp types
icmp_types = "echoreq"
# internal network
# block these networks
table <private> { 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255 }
# Anti brute force
table <brute> persist
pass out
pass in keep state (max-src-conn 50, max-src-conn-rate 50/5, overload <brute> flush global)
#-----------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy return
set loginterface $ext_if
set skip on lo0
# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
#scrub out all random-id
scrub in all
#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
block all
# restrictive default rules
block in quick on $ext_if from <private> to any
block out quick on $ext_if from any to <private>
pass in quick from <local> to any keep state
block in on fxp0 from <spammers> to any
block return-rst in $logopt on $ext_if proto tcp all
block return-icmp in $logopt on $ext_if proto udp all
block in $logopt on $ext_if proto icmp all
block out $logopt on $ext_if all
# trust localhost
pass in quick on lo0 all
pass out quick on lo0 all
# anti spoofing
#block drop in $logopt quick on $ext_if from to any
#block drop out $logopt quick on $ext_if from any to
antispoof for { $ext_if }
# anti fake return-scans
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all
# toy with script kiddies scanning us
block in $logopt quick proto tcp flags FUP/WEUAPRSF
block in $logopt quick proto tcp flags WEUAPRSF/WEUAPRSF
block in $logopt quick proto tcp flags SRAFU/WEUAPRSF
block in $logopt quick proto tcp flags /WEUAPRSF
block in $logopt quick proto tcp flags SR/SR
block in $logopt quick proto tcp flags SF/SF
# allow permitted icmp
pass in inet proto icmp all icmp-type $icmp_types keep state
# allow permitted services
pass in on $ext_if inet proto tcp from any to any port $tcp_pass flags S/SA keep state
pass in on $ext_if inet proto udp from any to any port $udp_pass keep state
pass out on $ext_if inet proto tcp from any to any port $tcp_pass flags S/SA keep state
pass out on $ext_if inet proto udp from any to any port $udp_pass keep state
pass out on $ext_if inet proto tcp from any to port 21 keep state
pass out on $ext_if inet proto tcp from any to port > 1023 keep state
# permit full outbound access
# warning: potentially insecure. you may wish to lock down outbound access.
cheers
Reply With Quote
  #5   (View Single Post)  
Old 8th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,674
Thanked 214 Times in 189 Posts
Default

  1. These two rules are in the wrong place, they appear before your Options section. If they were supposed to apply, they are negated by your very first rule in your filtering section, which is "block all":
    Code:
    pass out
    pass in keep state (max-src-conn 50, max-src-conn-rate 50/5, overload <brute> flush global)
    Remember how filter rules function: Without "quick", the last matching rule wins. And,avoid using "quick", if you can, as any time a quick rule matches, no futher packet matching is done.
  2. This appears to be an end-system firewall as only an external NIC is mentioned in your rules.
  3. If no previous "quick" rule has inadvertently matched, then this is the last rule that will match an inbound TCP session for a local daemon listening on your single NIC to TCP port 5524:
    Code:
    pass in on $ext_if inet proto tcp  from any  to any port $tcp_pass flags S/SA keep state
    The subsequent pass out rules will not apply, as PF will use the existing state table for the entire time the TCP session remains established.
  4. The most effective way to analyze your rule set is to watch it perform, using pflogd(8) and the pflog(4) facility with a network monitoring tool such as tcpdump(1). You'll need to add the log option to the rules you want to track, of course. This particular rule does not have the $logopt macro in it.
Reply With Quote
  #6   (View Single Post)  
Old 9th February 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Thanked 0 Times in 0 Posts
Default

Thanks for reply, i did not set up PF though did add the brute force without really reading up on PF.

I have removed that for now and just wish to make sure i have port 5224 open as is need for hosting CP licence.

I have reloaded PF and nmap now shows

Code:
Interesting ports on 85-234-15*-**.static.poundhost.com (85.234.15*.**):
PORT     STATE    SERVICE
5224/tcp filtered unknown
Which i am assuming means it is now open?

I know i am going to have read up on PF but need to get the CP updated first.

Many thanks

Last edited by carpman; 9th February 2009 at 11:20 AM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Script to test whether an IP address has been listed in a DNSBL J65nko Guides 9 12th March 2013 04:40 PM
Connection refused by tcp_wrappers sniper007 FreeBSD General 1 30th August 2009 02:31 PM
how extract specific test from Postfix logs with PHP or Perl marco64 Programming 3 21st June 2008 12:46 PM
dual ISP connection problems tpprodigy OpenBSD General 1 25th May 2008 11:34 PM
KDE app for easy Wireless connection coppermine FreeBSD Ports and Packages 4 17th May 2008 07:33 PM


All times are GMT. The time now is 07:11 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick