[cobalt-users] RE: NTP Servers Again
- Subject: [cobalt-users] RE: NTP Servers Again
- From: chae <chae@xxxxxxxxxxxx>
- Date: Sat Jul 6 18:21:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hi Yah,
Sorry the post's a bit long, but as requested by Eddy, here's my Portsentry and
IPChains ruleset:
Portsentry:
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
IPChains:
# IPchains Firewalling Script File
# Generated by IPchains Firewalling Webmin Module
# Start clean: flush all rules, delete user chains, then deny by default
# (input/forward DENY silently, output REJECT with an ICMP error)
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -P output REJECT
# Loopback is trusted
/sbin/ipchains -A input -i lo -j ACCEPT
# Anti-spoofing: drop packets whose source is private, broadcast, multicast,
# reserved, 0/8, loopback, link-local or 192.0.2/24, or whose destination is 0.0.0.0
/sbin/ipchains -A input -s 10.0.0.0/255.0.0.0 -j DENY
/sbin/ipchains -A input -s 172.16.0.0/255.240.0.0 -j DENY
/sbin/ipchains -A input -s 192.168.0.0/255.255.0.0 -j DENY
/sbin/ipchains -A input -s 255.255.255.255/255.255.255.255 -j DENY
/sbin/ipchains -A input -d 0.0.0.0/255.255.255.255 -j DENY
/sbin/ipchains -A input -s 224.0.0.0/240.0.0.0 -j DENY
/sbin/ipchains -A input -s 240.0.0.0/248.0.0.0 -j DENY
/sbin/ipchains -A input -s 0.0.0.0/255.0.0.0 -j DENY
/sbin/ipchains -A input -s 127.0.0.0/255.0.0.0 -j DENY
/sbin/ipchains -A input -s 169.254.0.0/255.255.0.0 -j DENY
/sbin/ipchains -A input -s 192.0.2.0/255.255.255.0 -j DENY
# mask 224.0.0.0 covers 224.0.0.0-255.255.255.255, i.e. both the class D and class E rules above again
/sbin/ipchains -A input -s 224.0.0.0/224.0.0.0 -j DENY
# Log (-l) and drop new connections (-y = SYN only) to NFS, port 2000, X11 and SOCKS, plus NFS over UDP
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 2049 -i eth0 -y -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 2000 -i eth0 -y -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 6000:6063 -i eth0 -y -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 1080 -i eth0 -y -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 2049 -i eth0 -l -p udp -j DENY
# Log and drop UDP traceroute probes
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 32769:65535 -d 0.0.0.0/0.0.0.0 33434:33523 -i eth0 -l -p udp -j DENY
# DNS: queries to our port 53, server-to-server traffic, and replies to our resolver
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 53 -i eth0 -p udp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 53 -i eth0 -p udp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -p udp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
# Services we offer (inbound to the port) and replies to our own clients ("! -y" = no new connections):
# HTTP, the port-81 admin server, HTTPS, POP3, SMTP, SSH, port 26, ident, FTP
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 80 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 80 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 81 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 443 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 443 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 110 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 25 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 25 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 513:65535 -d 0.0.0.0/0.0.0.0 22 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 22 -d 0.0.0.0/0.0.0.0 1022:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 513:65535 -d 0.0.0.0/0.0.0.0 26 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 26 -d 0.0.0.0/0.0.0.0 1022:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 113 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 113 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 21 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 20 -i eth0 ! -y -p tcp -j ACCEPT
# FTP passive data: this rule has no "! -y", so it also accepts NEW connections to any port above 1023
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 21 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 20 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
# ICMP we need to hear: replies to our pings, unreachables (incl. PMTU), TTL expiry
/sbin/ipchains -A input -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/ipchains -A input -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/ipchains -A input -i eth0 -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A input -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/ipchains -A input -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
# Log and drop the remaining privileged ports; port 37 (TIME) and NetBIOS 135-139 are dropped
# without logging. Ports these ranges skip (e.g. 111, 161:162) fall through to the rules
# appended at the end of this file, and then to the input policy DENY.
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 0:19 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 24 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 37 -i eth0 -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 37 -i eth0 -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 26:78 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 81:109 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 112 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 114:136 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 135:139 -i eth0 -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 135:139 -i eth0 -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 137:138 -i eth0 -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 137:138 -i eth0 -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 140:142 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 144:442 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 444:1023 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 0:110 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 112:160 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 163:634 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 636:1023 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -l -p udp -j DENY
# ICMP redirects, and ICMP types 13-255 (for -p icmp the "source port" is the ICMP type)
/sbin/ipchains -A input -i eth0 -l -p icmp --icmp-type redirect -j DENY
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 13:255 -i eth0 -l -p icmp -j DENY
# Output chain: mirror image of the input rules; anything not listed is REJECTed by the last rule
/sbin/ipchains -A output -i lo -j ACCEPT
/sbin/ipchains -A output -d 0.0.0.0/0.0.0.0 2049 -i eth0 -y -p tcp -j REJECT
/sbin/ipchains -A output -d 0.0.0.0/0.0.0.0 2000 -i eth0 -y -p tcp -j REJECT
/sbin/ipchains -A output -d 0.0.0.0/0.0.0.0 6000:6063 -i eth0 -y -p tcp -j REJECT
/sbin/ipchains -A output -d 0.0.0.0/0.0.0.0 1080 -i eth0 -y -p tcp -j REJECT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -p udp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 53 -i eth0 -p udp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 53 -i eth0 -p udp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 53 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 80 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 80 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 81 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 443 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 443 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 110 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 25 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 25 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 22 -d 0.0.0.0/0.0.0.0 513:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1022:65535 -d 0.0.0.0/0.0.0.0 22 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 26 -d 0.0.0.0/0.0.0.0 513:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1022:65535 -d 0.0.0.0/0.0.0.0 26 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 113 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 113 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 21 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 20 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 21 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 20 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth0 -p icmp --icmp-type fragmentation-needed -j ACCEPT
/sbin/ipchains -A output -i eth0 -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A output -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
/sbin/ipchains -A output -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
/sbin/ipchains -A output -i eth0 -j REJECT
# Explicit service blocks. These are appended AFTER everything above, so they are reached only by
# packets the earlier rules have not already decided (111/tcp, 111/udp and 161:162/udp); 69, 119,
# 179, 445, 515, 2049 and 4045 are already caught by the range denies above.
# rule to block incoming and outgoing Win2000 NetBios connections
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 445 -j DENY
/sbin/ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 445 -j DENY
# rule to block incoming and outgoing connections for Portmap/rpcbind
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 111 -l -j DENY
/sbin/ipchains -A input -i eth0 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 111 -l -j DENY
# rule to block incoming and outgoing connections for NFS (default port)
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049 -l -j DENY
/sbin/ipchains -A input -i eth0 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049 -l -j DENY
# rule to block incoming and outgoing lockd requests
/sbin/ipchains -A input -i eth0 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 4045 -l -j DENY
# rule to block incoming and outgoing TFTP server requests
/sbin/ipchains -A input -i eth0 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 69 -l -j DENY
# rule to block incoming and outgoing NNTP server requests
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 119 -l -j DENY
# rule to block incoming and outgoing LPD printer jobs
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 515 -l -j DENY
# rules to block incoming and outgoing SNMP polling requests
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 161:162 -l -j DENY
/sbin/ipchains -A input -i eth0 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 161:162 -l -j DENY
# rule to block incoming and outgoing BGP route messages
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 179 -l -j DENY
# rule to block incoming and outgoing SOCKS server connections
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1080 -l -j DENY
# Enable TCP SYN Cookie Protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Blocking individual IP's from all protocols and ports (-I puts the rule at the head of the chain)
/sbin/ipchains -I input -s xxx.xxx.xxx.xxx -j DENY
Now I notice that port 37 is being denied but 123 isn't being denied. There
is also a rule for NNTP servers above; are these the same as NTP servers? If
so, then it's blocking port 119 and not 123. Or, if port 37 is being blocked,
will this stop the Cobalt NTPDate from working, or in that case rdate?
Regards
Chae
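An added example, not part of Chae's post: a small Python evaluator that replays ipchains' first-match semantics over a constructed subset of the input-chain rules above, so the question the post raises (which rule does a given packet hit, and is it logged?) can be answered offline without a kernel that still runs ipchains. The rule text is copied from the post and re-joined; the choice of subset, the probe packets, the TEST-NET addresses and the names Rule, Packet, parse_ruleset, matches, verdict and check_probes are assumptions made here.

```python
import ipaddress
import shlex
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not the poster's code. RULES is a constructed subset of the posted input-chain
# rules, re-joined, in original order; assumption: the rules left out do not match the probes below.
RULES = """
/sbin/ipchains -P input DENY
/sbin/ipchains -A input -s 10.0.0.0/255.0.0.0 -j DENY
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 80 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -p tcp -j ACCEPT
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 37 -i eth0 -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 114:136 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 112:160 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 119 -l -j DENY
"""


@dataclass
class Rule:
    text: str
    target: str = ""
    proto: Optional[str] = None
    iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    sport: Optional[Tuple[int, int]] = None
    dport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None  # True for -y, False for "! -y", None when absent
    log: bool = False           # -l

# One packet as the chain sees it; sport/dport stay 0 for protocols without ports.
Packet = namedtuple("Packet", "chain proto src dst sport dport syn iface", defaults=(0, 0, False, "eth0"))


def parse_ruleset(script: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    policies, chains = {}, {}
    for line in (raw.strip() for raw in script.splitlines()):
        if "ipchains" not in line.split(" ", 1)[0]:      # comments, echo lines, blanks
            continue
        argv = shlex.split(line)[1:]
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]
        if argv[0] not in ("-A", "-I"):                  # -P handled; -F/-X record nothing
            continue
        rule, i = Rule(text=line), 2
        while i < len(argv):
            tok = argv[i]
            if tok in ("-s", "-d"):  # network (dotted mask accepted), then optional port or lo:hi
                net, ports, i = ipaddress.ip_network(argv[i + 1], strict=False), None, i + 2
                if i < len(argv) and argv[i][0] not in "-!":
                    lo, _, hi = argv[i].partition(":")
                    ports, i = (int(lo), int(hi or lo)), i + 1
                setattr(rule, "src" if tok == "-s" else "dst", net)
                setattr(rule, "sport" if tok == "-s" else "dport", ports)
            elif tok in ("-p", "-i", "-j"):
                setattr(rule, {"-p": "proto", "-i": "iface", "-j": "target"}[tok], argv[i + 1])
                i += 2
            elif tok in ("-y", "!"):  # "-y": SYN only (new connections); "! -y": everything but SYN
                rule.syn, i = (tok == "-y"), i + (1 if tok == "-y" else 2)
            elif tok == "-l":
                rule.log, i = True, i + 1
            else:
                raise ValueError(f"unsupported option {tok!r} in: {line}")
        bucket = chains.setdefault(argv[1], [])
        bucket.insert(0 if argv[0] == "-I" else len(bucket), rule)  # -I heads the chain, -A appends
    return policies, chains


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.sport is None or rule.sport[0] <= pkt.sport <= rule.sport[1])
            and (rule.dport is None or rule.dport[0] <= pkt.dport <= rule.dport[1])
            and (rule.syn is None or rule.syn == pkt.syn))


def verdict(pkt: Packet, policies: Dict[str, str], chains: Dict[str, List[Rule]]) -> Tuple[str, str, bool]:
    """ipchains semantics: the first matching rule wins; otherwise the chain policy applies."""
    for rule in chains.get(pkt.chain, []):
        if matches(rule, pkt):
            return rule.target, rule.text, rule.log
    return policies.get(pkt.chain, "ACCEPT"), "<policy>", False


def check_probes(script: str = RULES) -> Dict[str, Tuple[str, str, bool]]:
    policies, chains = parse_ruleset(script)
    server, me = "198.51.100.10", "203.0.113.5"  # constructed TEST-NET addresses
    probes = {
        # ntpdate binds local UDP 123 unless run with -u, so the server's reply is 123 -> 123
        "ntp reply 123->123": Packet("input", "udp", server, me, 123, 123),
        "ntp reply 123->40000": Packet("input", "udp", server, me, 123, 40000),
        # rdate uses the TIME protocol on TCP 37; the server's reply segment carries no SYN
        "rdate reply 37->40000": Packet("input", "tcp", server, me, 37, 40000),
        "nntp SYN to 119": Packet("input", "tcp", server, me, 40000, 119, syn=True),
        # the 1024:65535 -> 1024:65535 ACCEPT has no -y, so it admits brand-new connections too
        "SYN to 8080": Packet("input", "tcp", server, me, 40000, 8080, syn=True),
    }
    return {name: verdict(p, policies, chains) for name, p in probes.items()}
```

Call check_probes() and print the dict. Against the posted rules it shows: the reply to ntpdate (UDP 123 to 123) hits the 112:160 UDP deny and is logged; a reply to a client on an unprivileged port hits the 1024:65535 UDP deny; an rdate reply (TCP from port 37) matches no rule and falls through to the input policy DENY, so the port-37 rule is not what stops rdate, the missing accept is. NNTP is news on TCP 119, a different service from NTP, and a SYN to 119 is already caught by the 114:136 range before the dedicated rule is reached. The port-8080 probe is the caveat: the 1024:65535 to 1024:65535 TCP ACCEPT carries no -y, so it admits new connections to any unprivileged port, not just passive-FTP data. The parser covers only the options this script uses (it raises on --icmp-type), and the output chain deserves the same check, since its only UDP accepts are for port 53.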