From owner-freebsd-jail@freebsd.org Thu Dec 15 01:33:19 2016 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 94D26C7620C for ; Thu, 15 Dec 2016 01:33:19 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: from mailman.ysv.freebsd.org (unknown [127.0.1.3]) by mx1.freebsd.org (Postfix) with ESMTP id 730DEF28 for ; Thu, 15 Dec 2016 01:33:19 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: by mailman.ysv.freebsd.org (Postfix) id 726A2C7620B; Thu, 15 Dec 2016 01:33:19 +0000 (UTC) Delivered-To: jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 720F0C7620A for ; Thu, 15 Dec 2016 01:33:19 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: from mail-pg0-x244.google.com (mail-pg0-x244.google.com [IPv6:2607:f8b0:400e:c05::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 42D8FF27 for ; Thu, 15 Dec 2016 01:33:19 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: by mail-pg0-x244.google.com with SMTP id p66so4174602pga.2 for ; Wed, 14 Dec 2016 17:33:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-transfer-encoding; bh=y1B0p9yqmRTJjyfHMLmY/wUo32Lr7bYjQ0zkoJUjpbE=; b=W64lUNE0B1cK42Ygl8EZDm7NO0/l0MPrqmuEjaeqFZlvHvxx7bBIZ+JXkddSY/jY7B fkwt79U/COK1O4gHsvMemqpiCm87PIaVNLKwwZd0esOnnG1vvHcDhdBbQYp/UqUhY8nK tefh6/GAqOJg933IEWJBI/PB0mN5yUS+QptdAtrNKECVmfed+i5jit1tbKL8iyCQqB6k xU695lW5WcigyzYSUGYrGHj7xpASSKpfClAyNB9s6tPf/cgWgeK22jD+75aOceVnYpPT uAW5DwtCLU2KrwsWuL17ek68q0rZu6KG0xVuO6ghsMpKldd6C59GcYCdCIraaA99GESV 0vIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-transfer-encoding; bh=y1B0p9yqmRTJjyfHMLmY/wUo32Lr7bYjQ0zkoJUjpbE=; b=d0djl3ZwKRyYnglylprM9jPfmt7jsXbXqjS5B1eyYFOqCu42OuP1HjAOmL+eS7Ffjb uKoTQmmDVsMHt6X+i8RcU68zpnFF+UZLBU//bQM64hAsjuhr7u5p9e94AmH92iM0H/KZ PL25J2VUYvdHMpRhkGq8aBsN7drAM2UPn9HIZE2i/ZQdKWB7GxZfq+iMk2gOJ88F+dJp 7+I00jLOKgPU5UY4NjqY4gudTnkRXIaidEhySuNxr8XvKow/HqDXv+c5LaK1qOxzV/p0 BN+u+tUu6eo/utLX9QGVSnLNDE6gH9SETgF22qVcoOXFxVWjS3/Hl/SHukX/jbTzHU9n pLyQ== X-Gm-Message-State: AKaTC03/+NDavgzdZYVPbGJgFCJif91p3uDUWAbcQuBFcgG0/WuWqj1/i13JQTRCA2VMJA== X-Received: by 10.99.115.5 with SMTP id o5mr57140748pgc.165.1481765598896; Wed, 14 Dec 2016 17:33:18 -0800 (PST) Received: from [192.168.1.103] ([120.29.76.197]) by smtp.googlemail.com with ESMTPSA id s8sm89984130pfj.45.2016.12.14.17.33.17 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 14 Dec 2016 17:33:18 -0800 (PST) Message-ID: <5851F2ED.3070505@gmail.com> Date: Thu, 15 Dec 2016 09:33:33 +0800 From: Ernie Luzar User-Agent: Thunderbird 2.0.0.24 (Windows/20100228) MIME-Version: 1.0 To: marcel CC: jail@freebsd.org Subject: Re: Closing ports in jail with ipfw References: <20161117233607.3430afd4@marcel-laptop.lan> <5844B557.7050304@gmail.com> <20161214114239.60b7fb48@marcel-laptop.lan> In-Reply-To: <20161214114239.60b7fb48@marcel-laptop.lan> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2016 01:33:19 -0000 marcel wrote: > Le Mon, 05 Dec 2016 08:31:19 +0800, > Ernie Luzar a écrit : > >> marcel wrote: >>> Hi there, >>> >>> I've created a jail and when I do a nmap on his IP, I can see that >>> port 25 and 22 are open but I don't want. So i've tried to create >>> an IPFW rule by adding 'ipwf -q add 00290 deny all from router to >>> jail' to my host ipfw conf file and applied it but ports jail are >>> still open. How can I close or open the ports of my jail ? >>> >>> Thanks ! >> You can not run nmap on the host targeting the jails ip. Doing so >> only shows you open ports on the host. You have to run nmap from a >> computer on a different public ip address targeting the public ip >> address assigned to the jail. If jail is using a non-routeable ip >> address, nmap is useless in looking for jail open ports. > > Hi ! Sorry for silence, I was not able to answer. Yeah I understand, > maybe netstat -an in jail is more useful ? When I do that I see port 25 > and 514 are open but if I haven't looked yet what is this port 514 I > imagine both of these ports are not closable (or it's not advised) > isnt'it ? > On the host port 25 is sendmail and port 514 is syslog. https://www.grc.com/port_514.htm The syslog server opens port 514 and listens for incoming syslog event notifications (carried by UDP protocol packets) generated by remote syslog clients. Any number of client devices can be programmed to send syslog event messages to whatever servers they choose. This defaults to off on clean install of Freebsd. You must have a statement in your /ect/rc.conf file that enables it.