|
|
Sponsored Content
Operating Systems
Linux
using firewall to block port
Post 302288418 by pludi on Tuesday 17th of February 2009 07:52:28 AM
02-17-2009
|
|
10 More Discussions You Might Find Interesting
1. Solaris
Hi,
So that potential responders will have an idea of what they're dealing with let me say that while I am a UNIX newbie I have been in IT for over 10 years.
We have several SUN boxes running ver 5 of the OS that have been sitting dormant for some time as they were part of a now defunct... (3 Replies)
Discussion started by: pjewett
3 Replies
2. IP Networking
My server is running on a port 16386, in the case when this port is blocked by some other application ( anti virus etc. ) or firewall then how do i know it's block? Is bind will return any specific error in this case.
I have to know is it blocked or not? (2 Replies)
Discussion started by: Saurabh78
2 Replies
3. Linux
Well, since I wrote the below, I've learned a little more about Samba, and got them to at least acknowledge each other. Still can't use Gaurd dog. Still cant print from one to the other.
I'm learning I'm learning
I recently installed mepis 7 on both my laptop and laptop. (I came... (0 Replies)
Discussion started by: Sonshyne5
0 Replies
4. IP Networking
Hello,
I want to add a port in the firewall exception list so that my application can be accessed over network even if firewall is disabled. I am using iptables command to add exception.
The problem is, after setting the rule if I change the firewall setting i.e. on/off then it is overwriting... (1 Reply)
Discussion started by: senrooy
1 Replies
5. UNIX for Advanced & Expert Users
Hi All,
I successfully configured a DEBIAN Lenny bridged firewall
using ebtables.
The bridged interface is br0.
The ethernet interface are eth0 & eth1 respectively.
All the traffic are transparently passing my firewall but i need to find & block temporarily the bandwidth abusers.
Can... (1 Reply)
Discussion started by: coolatt
1 Replies
6. UNIX for Dummies Questions & Answers
hi guys
I doing some collocation for a customer, customer requested to use other port for ssh not the default one. OK no problem
and customer will be using rsync to sync backups among other things
I know we have to open port let's say port 5999 for ssh since we are using that one now but I... (1 Reply)
Discussion started by: karlochacon
1 Replies
7. UNIX for Dummies Questions & Answers
(1 Reply)
Discussion started by: senrabdet
1 Replies
8. Shell Programming and Scripting
Hi,
I need to know what kind of firewall settings does the linux box have? Is port 25 blocked in any way?
Linux techx 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
I'm coming from this thread. (1 Reply)
Discussion started by: mohtashims
1 Replies
9. Shell Programming and Scripting
I have my firewall process running
# ps -ef | grep firewall
root 21169 1 0 08:50 ? 00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
I wish to know what ip : port number it is using. Can you please tell me how can i find out ?
I tried the below command... (4 Replies)
Discussion started by: mohtashims
4 Replies
10. Shell Programming and Scripting
Below is what i did to open the firewall port on
# sudo firewall-cmd --zone=public --add-port=27012/tcp --permanent
Warning: ALREADY_ENABLED: 27012:tcp
success
# sudo firewall-cmd --reload
success
# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
... (10 Replies)
Discussion started by: mohtashims
10 Replies
LEARN ABOUT DEBIAN
shorewall-secmarks
SHOREWALL-SECMARKS(5) [FIXME: manual] SHOREWALL-SECMARKS(5) NAME
secmarks - Shorewall file SYNOPSIS
/etc/shorewall/secmarks DESCRIPTION
Important Unlike rules in the shorewall-rules[1](5) file, evaluation of rules in this file will continue after a match. So the final secmark for each packet will be the one assigned by the LAST rule that matches. The secmarks file is used to associate an SELinux context with packets. It was added in Shorewall version 4.4.13. The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax). SECMARK - {SAVE|RESTORE|context|COMMENT comment} SAVE If an SELinux context is associated with the packet, the context is saved in the connection. Normally, the remaining columns should be left blank. RESTORE If an SELinux context is not currently associated with the packet, then the saved context (if any) is associated with the packet. Normally, the remaining columns should be left blank. context An SELinux context. COMMENT The remainder of the line is treated as a comment which is attached to subsequent rules until another COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. CHAIN:STATE (chain) - {P|I|F|O|T}[:{N|I|NI|E|ER}] This column determines the CHAIN where the SElinux context is to be applied: P - PREROUTING I - INPUT F - FORWARD O - OUTPUT T - POSTROUTING It may be optionally followed by a colon and an indication of the Netfilter connection state(s) at which the context is to be applied: :N - NEW connection :I - INVALID connection :NI - NEW or INVALID connection :E - ESTABLISHED connection :ER - ESTABLISHED or RELATED connection SOURCE - {-interface|[interface:]address-or-range[,address-or-range]...}[exclusion] May be: 1. An interface name - matches traffic entering the firewall on the specified interface. May not be used in classify rules or in rules using the T in the CHAIN column. 2. A comma-separated list of host or network IP addresses or MAC addresses. 3. An interface name followed by a colon (":") followed by a comma-separated list of host or network IP addresses or MAC addresses. MAC addresses must be prefixed with "~" and use "-" as a separator. Example: ~00-A0-C9-15-39-78 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion[2](5)). Addresses may be specified using an ipset name preceded by '+'. DEST - {-|{interface|[interface:]address-or-range[,address-or-range]...}[exclusion] May be: 1. An interface name. May not be used in the PREROUTING or INPUT chains. The interface name may be optionally followed by a colon (":") and an IP address list. 2. A comma-separated list of host or network IP addresses. The list may include ip address ranges if your kernel and iptables include iprange support. You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion[2](5)). Addresses may be specified using an ipset name preceded by '+'. PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all} Protocol - ipp2p requires ipp2p match support in your kernel and iptables. PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...] Optional destination Ports. A comma-separated list of Port names (from services(5)), port numbers or port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric type, a numberic type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading "--" (example bit for bit-torrent). If no PORT is given, ipp2p is assumed. This column is ignored if PROTOCOL = all but must be entered if any of the following field is supplied. In that case, it is suggested that this field contain "-" SOURCE PORT(S) (sport) - [-|port-name-number-or-range[,port-name-number-or-range]...] Optional source port(s). If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges. USER - [!][user-name-or-number][:group-name-or-number] This optional column may only be non-empty if the SOURCE is the firewall itself. When this column is non-empty, the rule applies only if the program generating the output is running under the effective user and/or group specified (or is NOT running under that id if "!" is given). Examples: joe program must be run by joe :kids program must be run by a member of the 'kids' group !:kids program must not be run by a member of the 'kids' group MARK - [!]value[/mask][:C] Defines a test on the existing packet or connection mark. The rule will match only if the test returns true. If you don't want to define a test but need to specify anything in the following columns, place a "-" in this field. ! Inverts the test (not equal) value Value of the packet or connection mark. mask A mask to be applied to the mark before testing. :C Designates a connection mark. If omitted, the packet mark's value is tested. EXAMPLE
Mark the first incoming packet of a connection on the loopback interface and destined for address 127.0.0.1 and tcp port 3306 with context system_u:object_r:mysqld_t:s0 and save that context in the conntrack table. On subsequent input packets in the connection, set the context from the conntrack table. /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS - lo - ignore /etc/shorewall/secmarks: #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK # STATE PORT(S) PORT(S) GROUP system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306 SAVE I:N lo 127.0.0.1 tcp 3306 RESTORE I:ER FILES
/etc/shorewall/secmarks SEE ALSO
http://james-morris.livejournal.com/11010.html http://shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) NOTES
1. shorewall-rules http://www.shorewall.net/manpages/shorewall-rules.html 2. shorewall-exclusion http://www.shorewall.net/manpages/shorewall-exclusion.html [FIXME: source] 06/28/2012 SHOREWALL-SECMARKS(5)