Hi,

I'd like to prevent users from using POP3/IMAP other than via SSL. To do that I am attempting to use the firewall to close non-SSL POP3/IMAP ports. I am having trouble getting the firewall function to work properly.

System: ISPConfig 2.2.40 running on Ubuntu 10.04.4 LTS configured as described in the Perfect Server Manual.

I activated all services under Management > Server > Services, including Firewall which was initially OFF. On the Firewall tab I set the following configuration:

Code:
Name        Port   Type  Active
FTP         21     tcp   no
SSH         22     tcp   yes
SMTP        25     tcp   yes
DNS         53     tcp   no
DNS         53     udp   no
WWW         80     tcp   yes
ISPConfig   81     tcp   yes
POP3        110    tcp   no
IMAP2       143    tcp   no
SSL (www)   443    tcp   yes
Webmin      10000  tcp   no
IMAPS       993    tcp   no

However, when performing a port scan I am seeing 53, 110, 143 open. I have not seen any error messages.

I am avoiding configuring a firewall separately because I do not want to interfere with ISPConfig.

Does anyone have any hints? Is there another way to ensure that users can only use SSL to connect to email services?

Thanks!

Hi Falko,

# iptables -L

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Furthermore, this seems not right:

# /etc/init.d/bastille-firewall restart

Code:
/sbin/bastille-ipchains: line 232: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 234: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 236: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 238: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 240: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 242: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 251: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 252: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 258: /sbin/ipchains: No such file or directory
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces.../sbin/bastille-ipchains: line 283: /sbin/ipchains: No such file or directory
done.
/sbin/bastille-ipchains: line 297: /sbin/ipchains: No such file or directory
Setting up chains for public/internal interface traffic.../sbin/bastille-ipchains: line 340: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 342: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 345: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 347: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 351: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 353: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 356: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 358: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 380: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 381: /sbin/ipchains: No such file or directory
done.
Setting up general rules.../sbin/bastille-ipchains: line 437: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 437: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 445: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 446: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 463: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 468: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 473: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 491: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 504: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 491: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 504: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 508: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 537: /sbin/ipchains: No such file or directory
done.
Setting up outbound rules.../sbin/bastille-ipchains: line 570: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 570: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 584: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 590: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 591: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 596: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 596: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 600: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
/sbin/bastille-ipchains: line 604: /sbin/ipchains: No such file or directory
done.

I am not sure what a correct setup needs to look like, but here are a few queries that I expect you would want to run:

# find / | grep ipchains

Code:
/usr/share/Bastille/bastille-ipchains
/sbin/bastille-ipchains

Looking at the /sbin/bastille-ipchains file, it seems the errors are caused by an incorrect definition of the symbol '${IPCHAINS}'. The error lines seem to be using that symbol. E.g., line 232:

Code:
${IPCHAINS} -P forward DENY

It appears to be defined in line 42:

Code:
IPCHAINS=/sbin/ipchains

Any clues?

Thanks.

This worked, thank you very much. A post scan now shows only the expected open ports.

However, I see this error message when doing "# /etc/init.d/bastille-firewall restart". Is this a reason for concern?

Code:
FATAL: Module ip_tables not found.
FATAL: Module ip_conntrack not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ipt_LOG not found.
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.

Now that I resolved this security concern, would you please have any pointers about the chroot setup question or should I better post that question on a different forum?

Thanks heaps!

# iptables -L

Code:
Chain INPUT (policy DROP)
target     prot opt source                    destination
DROP       tcp  --  anywhere                  127.0.0.0/8
ACCEPT     all  --  anywhere                  anywhere      state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere                  anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere                  anywhere
PUB_IN     all  --  anywhere                  anywhere
PUB_IN     all  --  anywhere                  anywhere
PUB_IN     all  --  anywhere                  anywhere
DROP       all  --  anywhere                  anywhere

Chain FORWARD (policy DROP)
target     prot opt source                    destination
ACCEPT     all  --  anywhere                  anywhere      state RELATED,ESTABLISHED
DROP       all  --  anywhere                  anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source                    destination
PUB_OUT    all  --  anywhere                  anywhere
PUB_OUT    all  --  anywhere                  anywhere
PUB_OUT    all  --  anywhere                  anywhere
PUB_OUT    all  --  anywhere                  anywhere

Chain INT_IN (0 references)
target     prot opt source                    destination
ACCEPT     icmp --  anywhere                  anywhere
DROP       all  --  anywhere                  anywhere

Chain INT_OUT (0 references)
target     prot opt source                    destination
ACCEPT     icmp --  anywhere                  anywhere
ACCEPT     all  --  anywhere                  anywhere

Chain PAROLE (5 references)
target     prot opt source                    destination
ACCEPT     all  --  anywhere                  anywhere

Chain PUB_IN (4 references)
target     prot opt source                    destination
ACCEPT     icmp --  anywhere                  anywhere      icmp destination-unreachable
ACCEPT     icmp --  anywhere                  anywhere      icmp echo-reply
ACCEPT     icmp --  anywhere                  anywhere      icmp time-exceeded
ACCEPT     icmp --  anywhere                  anywhere      icmp echo-request
PAROLE     tcp  --  anywhere                  anywhere      tcp dpt:ssh
PAROLE     tcp  --  anywhere                  anywhere      tcp dpt:smtp
PAROLE     tcp  --  anywhere                  anywhere      tcp dpt:www
PAROLE     tcp  --  anywhere                  anywhere      tcp dpt:81
PAROLE     tcp  --  anywhere                  anywhere      tcp dpt:https
DROP       icmp --  anywhere                  anywhere
DROP       all  --  anywhere                  anywhere

Chain PUB_OUT (4 references)
target     prot opt source                    destination
ACCEPT     all  --  anywhere                  anywhere

Thanks!

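Added example, not part of the original posts or of ISPConfig/Bastille: a shell check that reads `iptables -L` text like the listing above and reports whether the plaintext mail ports (110, 143) and the SSL mail ports (993, 995) are admitted by the PUB_IN chain. The function names, the inline service-name map, the abridged sample and the choice to treat a PAROLE target as an accept are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample: PUB_IN chain from the `iptables -L` listing above (abridged).
sample_pub_in() {
cat <<'EOF'
Chain PUB_IN (4 references)
target     prot opt source      destination
ACCEPT     icmp --  anywhere    anywhere     icmp echo-request
PAROLE     tcp  --  anywhere    anywhere     tcp dpt:ssh
PAROLE     tcp  --  anywhere    anywhere     tcp dpt:smtp
PAROLE     tcp  --  anywhere    anywhere     tcp dpt:www
PAROLE     tcp  --  anywhere    anywhere     tcp dpt:81
PAROLE     tcp  --  anywhere    anywhere     tcp dpt:https
DROP       icmp --  anywhere    anywhere
DROP       all  --  anywhere    anywhere
Chain PUB_OUT (4 references)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere
EOF
}

# Print the TCP destination ports a chain admits, as sorted numbers on one line.
# stdin: `iptables -L` text; $1: chain name. PAROLE counts as accept because
# the listing shows that chain accepting everything (assumption from the post).
allowed_tcp_ports() {
  awk -v chain="$1" '
    BEGIN { # service names as iptables prints them without -n (small inline map)
      n["ssh"]=22; n["smtp"]=25; n["www"]=80; n["http"]=80; n["pop3"]=110
      n["imap2"]=143; n["https"]=443; n["imaps"]=993; n["pop3s"]=995 }
    $1 == "Chain" { in_chain = ($2 == chain); next }
    in_chain && $2 == "tcp" && ($1 == "ACCEPT" || $1 == "PAROLE") {
      for (i = 3; i <= NF; i++)
        if ($i ~ /^dpt:/) { p = substr($i, 5); print ((p in n) ? n[p] : p) }
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# $1: port, $2: space-separated allowed list -> "open" or "filtered"
port_state() {
  case " $2 " in *" $1 "*) echo open ;; *) echo filtered ;; esac
}

# stdin: `iptables -L` text. Reports plaintext (110, 143) and SSL (993, 995) mail ports.
audit_mail_ports() {
  allowed=$(allowed_tcp_ports PUB_IN)
  for p in 110 143 993 995; do echo "$p $(port_state "$p" "$allowed")"; done
}

sample_pub_in | audit_mail_ports
```

On a live host, pipe `iptables -L -n` into `audit_mail_ports`; with `-n` the ports print numerically and the name map is not consulted.
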
Ok. Great! I'll take a look at those messages at my own pace then.

Thanks very much again for your help and for running the project!

P.S. If you ever have time to provide a pointer on my chroot'ing question that has not been answered, it will be greatly appreciated!