Solved

firewall_enable="NO" and yet it starts off with all ports other than 25 and 22 firewalled

Posted on 2004-08-05
9
466 Views
Last Modified: 2013-11-22
I've just got through my first ever 4.9 FreeBSD installation and have happily got apache13 and apache13_modssl up and running using ports (with some kind encouragement from EE). I'm at the point that I should let network traffic into the box on ports 80 and 443. As indicated in the start-up, only ports 25 and 22 are let in with the "moderate" firewall you get when you don't install a firewall.

Where is the firewalling for these two ports set up for the "moderate" firewall? I notice that /etc/defaults/rc.conf has firewall_enable="NO" and there is no override in /etc/rc.conf. Is there another mechanism for setting up firewalls that I ought to beware of?
0
Comment
Question by:rstaveley
9 Comments
 
LVL 1

Assisted Solution

by:hvdhelm
hvdhelm earned 50 total points
Comment Utility
Mmmm.. normaly there is no firewall install in the basic installation.
You can look around in the /usr/local/etc if there is some '3party' firewall installed the config in normaly in this dir. In the /usr/local/etc/rc.d are the programs located that start in the start-up.
Wen apache is running and your go to http://<apache-servername> you should get the man-pages form Apache.

Check if Apache is running:
top
look for USERNAME www and COMMAND httpd
0
 
LVL 17

Author Comment

by:rstaveley
Comment Utility
I can run lynx http ://localhost and lynx https ://localhost on the server and connect to Apache just fine. I cannot do the same from any other PC on the LAN and yet I can connect to it by telneting into port 25 the SMTP port and I can also ssh into it (port 22).

In the initial kernel build there is an option to set up a security profile or to opt for "moderate" security...
--------8<--------
Do you want to select a default security profile for this host (select No for "moderate" security)? ... No
--------8<--------

There was a subsequent message saying that the SMTP and SSH ports would be the only ones accessible with moderate sucurity in place, so it is behaving as advertised. I was just wondering where the "moderate" firewall is set up which is blocking all other ports. I was wondering also if I need to build a kernel with a firewall to make those ports accessible, because the PC is protected by an external firewall anyhow and there is no reason for me to have FreeBSD block any of its ports.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 50 total points
Comment Utility
IPFW is set up by /etc/rc.firewall
/etc/rc.conf just contains some pointers for that script, namely:

Single comment form /etc/rc.firewall
############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

A fragment from /etc/defaults/rc.conf (settings you have to override )
firewall_enable="NO"            # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN"         # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="NO"           # Set to YES to enable events logging
firewall_flags=""               # Flags passed to ipfw when type is a file


There is another firewall in base system - IPFilter, just like one in NetBSD, read "man 5 ipf", maybe you will like the this ruleset syntax a bit more
0
 
LVL 17

Author Comment

by:rstaveley
Comment Utility
I subsequently set up the firewall easily enough per the instructions at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html, but I'm still curious to know where the "moderate" firewalling came from while ipfw support wasn't linked into the kernel.  

> There is another firewall in base system - IPFilter, just like one in NetBSD

Do you reckon it could have been using IPFilter before "proper" firewall support was linked into the kernel?
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 61

Expert Comment

by:gheist
Comment Utility
please post kldstat, to make sore no unnecessary modules are loaded.
but allowed localhost seems more like ipfw defaults
0
 
LVL 17

Author Comment

by:rstaveley
Comment Utility
Like I said the firewall is OK now. I was curious about the setup prior to enabling the firewall.

Here's the kldstat with firewalling implemented:
--------8<--------
Id Refs Address    Size     Name
 1    3 0xc0100000 4445f0   kernel
 2    1 0xc0d92000 4000     logo_saver.ko
 3    1 0xc0d98000 15000    linux.ko
--------8<--------

I am up and running OK, but I'll keep the question open for a little while in case anyone knows anything about the apparent firewall setup, when there is no firewalling support specified - i.e. where the configuration is set up when you specify "moderate" security in FreeBSD 4.9-RELEASE:

> Do you want to select a default security profile for this host (select No for "moderate" security)? ... No
0
 
LVL 1

Accepted Solution

by:
kmckinstry earned 50 total points
Comment Utility
You can use sysctl for some security options/settings.

Do a sysctl -a >> sysctl.settings and look through to see what the level of security is at, and any other possible settings.  You could also look into the /usr/src/sysctl.conf file to see if anything is placed there that could give you problems.

Fot the networking portion look through the "net." settings, such as seeing what "net.inet.ip.fw.enable" is set to; just be carefull about making any modifications to the sysctl settings without knowing what you are getting yourself into!

0
 
LVL 61

Expert Comment

by:gheist
Comment Utility
from /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.47 2003/11/02 07:31:44 ru Exp $


        # Allow setup of incoming email
        ${fwcmd} add pass tcp from any to ${oip} 25 setup

        # Allow access to our DNS
        ${fwcmd} add pass tcp from any to ${oip} 53 setup
        ${fwcmd} add pass udp from any to ${oip} 53
        ${fwcmd} add pass udp from ${oip} 53 to any

        # Allow access to our WWW
        ${fwcmd} add pass tcp from any to ${oip} 80 setup
look for firewall_type in /etc/rc.conf and
... just add here more ports and it will start to work.
0
 
LVL 17

Author Comment

by:rstaveley
Comment Utility
I'll close the question now. This has been a bit inconclusive, because I haven't got to the bottom of where the moderate security settings come from and how it sets up the firewall in the absence of ipfw, which reports a socket error when you don't have firewall support linked into the kernel.

It may be the case that the information reported by kmckinstry's suggestion might shed some light, but I guess I don't really need to know. I am up and running with firewall support inked into the kernel and using the open firewall.

Many thanks for the contributions. I'll B grade this, so that it doesn't show up in the PAQ database as something which has a definitive answer, but I hope this doesn't come across as unappreciative.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
llcommand 6 75
LastLogonTimeStamp Attribute 7 47
remove a combination of patterns from a file 15 48
Problem logging tar errors 11 35
Hello fellow BSD lovers, I've created a patch process for patching openjdk6 for BSD (FreeBSD specifically), although I tried to keep all BSD versions in mind when creating my patch. Welcome to OpenJDK6 on BSD First let me start with a little …
A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now