Hi, I have ISPConfig 2.2.21 installed and most things run just fine. When I activated the firewall, a strange thing happened. Although I have the ports 1812 and 1813, 4960, and 5553 allowed in the firewall configuration, they get blocked. For a list of configured ports see http://login03.chillifire.net/ispconfig-ports.jpg and for a list of actually open ports as detected by a port scanner see http://login03.chillifire.net/scanne-ports.jpg. The output of iptables -L is in the code section below. So the question is this: why are some of the ports blocked that are opened as per the ISPConfig configuration? Any ideas/suggestions?

chillifire

Appendix: output of 'iptables -L'

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere
DROP       0    --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     0    --  anywhere             anywhere
PUB_IN     0    --  anywhere             anywhere
PUB_IN     0    --  anywhere             anywhere
PUB_IN     0    --  anywhere             anywhere
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       0    --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    0    --  anywhere             anywhere
PUB_OUT    0    --  anywhere             anywhere
PUB_OUT    0    --  anywhere             anywhere
PUB_OUT    0    --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       0    --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere

Chain PAROLE (16 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:radius
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:radius-acct
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:2812
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:munin
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:4960
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:5553
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       icmp --  anywhere             anywhere
DROP       0    --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
According to the iptables output, the ports are opened correctly by ISPConfig in the firewall. Maybe some of your services need UDP too?
And the port scan? I don't believe UDP is involved in all four of those services, but I will double-check. Yes, the ports show as being configured correctly, but still, why don't the ports show as open to the port scanner?
A port scanner is not able to detect if a port is open in the firewall. As far as I know, only if a service is listening on this port and the firewall is open will the port scanner show the port as open. You should check with:

netstat -tap

if all services are really running and listening on the ports you opened.
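The two-condition rule in the reply above (a scanner reports a port as open only when a service is bound to it and the firewall rule lets the packet through) can be checked mechanically by reading both views side by side. The script below is an added example for this thread, not part of ISPConfig; it parses the `iptables -L` format seen in the first post and a `netstat -tuapn` listing, then classifies each expected (protocol, port) pair. Both listings here are constructed excerpts modelled on the thread (the sample process names, the 4960/5553 daemons and the port 8080 entry are assumptions), so it runs offline; on a real host you would feed it the live output of those two commands instead.

```python
"""Cross-check firewall rules against listening sockets.

A port scanner only shows a port as open when a service is bound to it AND
the firewall accepts the packet.  This reads both views and says which
condition is missing for each expected service.
"""
import re
import socket

# Constructed excerpt in `iptables -L` format, modelled on the PUB_IN chain
# posted in the thread: radius/radius-acct allowed for TCP only, UDP only for DNS.
SAMPLE_IPTABLES_L = """\
Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:radius
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:radius-acct
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:4960
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:5553
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       icmp --  anywhere             anywhere
DROP       0    --  anywhere             anywhere
Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
"""

# Constructed `netstat -tuapn` excerpt (process names are assumptions).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      611/sshd
tcp        0      0 0.0.0.0:4960            0.0.0.0:*               LISTEN      902/daemon-a
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           733/radiusd
udp        0      0 0.0.0.0:1813            0.0.0.0:*                           733/radiusd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           540/named
"""

# Service names `iptables -L` prints without -n; a fixed subset so the example
# does not depend on the host's /etc/services.  Unknown names fall back to it.
SERVICE_PORTS = {"ssh": 22, "domain": 53, "radius": 1812, "radius-acct": 1813}

# In the posted ruleset PAROLE is just an unconditional ACCEPT, so a jump to it
# counts as "allowed".
PASS_TARGETS = {"ACCEPT", "PAROLE"}

RULE_RE = re.compile(r"^(?P<target>\S+)\s+(?P<proto>tcp|udp)\s+.*\bdpt:(?P<dport>\S+)")
SOCK_RE = re.compile(r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+(?P<rest>.*)$")


def port_number(name):
    """Map a dpt: value (number or /etc/services name) to an integer port."""
    if name.isdigit():
        return int(name)
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    try:
        return socket.getservbyname(name)
    except OSError:
        raise ValueError(f"unknown service name {name!r}") from None


def allowed_ports(listing, chain="PUB_IN"):
    """Return {(proto, port)} accepted by rules inside the given chain."""
    allowed, current = set(), None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            continue
        if current != chain:
            continue
        m = RULE_RE.match(line)
        if m and m.group("target") in PASS_TARGETS:
            allowed.add((m.group("proto"), port_number(m.group("dport"))))
    return allowed


def listening_ports(listing):
    """Return {(proto, port)} bound locally: LISTEN for tcp, any bound udp socket."""
    bound = set()
    for line in listing.splitlines():
        m = SOCK_RE.match(line)
        if m and (m.group("proto") == "udp" or "LISTEN" in m.group("rest")):
            bound.add((m.group("proto"), int(m.group("port"))))
    return bound


def classify(required, iptables_listing, netstat_listing, chain="PUB_IN"):
    """For each required (proto, port) say which of the two conditions is missing."""
    allowed = allowed_ports(iptables_listing, chain)
    bound = listening_ports(netstat_listing)
    report = {}
    for key in sorted(required):
        if key in allowed and key in bound:
            report[key] = "open"            # a scanner will see this one
        elif key in bound:
            report[key] = "firewalled"      # service up, rule missing: add the rule
        elif key in allowed:
            report[key] = "no listener"     # rule present, nothing bound: start the service
        else:
            report[key] = "closed"          # neither: nothing to scan
    return report


REQUIRED = {("tcp", 22), ("udp", 1812), ("udp", 1813),
            ("tcp", 4960), ("tcp", 5553), ("tcp", 8080)}

if __name__ == "__main__":
    for (proto, port), status in classify(REQUIRED, SAMPLE_IPTABLES_L, SAMPLE_NETSTAT).items():
        print(f"{proto}/{port}: {status}")
```

With the sample data this reports 1812/udp and 1813/udp as "firewalled" (the service is bound, but only TCP rules exist for those ports), 5553/tcp as "no listener" (rule present, nothing bound), and 22/tcp and 4960/tcp as "open". Only the "open" entries would ever show up in a port scan, which is the distinction the reply above makes.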
UDP fixed radius connection problem - but ...

Hi till, opening 1812 and 1813 for UDP fixed the radius problem - thanks for that. However, the question remains: why are the other open ports not detected by the port scanner? I checked out netstat -tap as you advised and also netstat -uap, and there are certainly services listening on those ports. I remain perplexed ...

chillifire
Normally a port scanner doesn't scan all ports from 1 to 65536, but only a small range where it assumes the most important services.
port range

Valid question to ask, as in 99.9% of all cases the stupidity of a user outreaches the one of a computer ;-) However, trust me that I have entered a port range from 1 through to 5600, which should catch all the ports I have opened. I can watch the port scanner go through the range and explicitly state in the end that some 5990 ports are closed, which is plain wrong. When I have the need I will try another port scanner, to see what results are rendered.