From owner-freebsd-jail@freebsd.org Thu Dec 15 19:10:04 2016 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6B167C82570 for ; Thu, 15 Dec 2016 19:10:04 +0000 (UTC) (envelope-from marcel.plouf@gmail.com) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 4824E399 for ; Thu, 15 Dec 2016 19:10:04 +0000 (UTC) (envelope-from marcel.plouf@gmail.com) Received: by mailman.ysv.freebsd.org (Postfix) id 47803C8256F; Thu, 15 Dec 2016 19:10:04 +0000 (UTC) Delivered-To: jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 47201C8256E for ; Thu, 15 Dec 2016 19:10:04 +0000 (UTC) (envelope-from marcel.plouf@gmail.com) Received: from mail-wj0-x241.google.com (mail-wj0-x241.google.com [IPv6:2a00:1450:400c:c01::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id CF581398 for ; Thu, 15 Dec 2016 19:10:03 +0000 (UTC) (envelope-from marcel.plouf@gmail.com) Received: by mail-wj0-x241.google.com with SMTP id j10so11325846wjb.3 for ; Thu, 15 Dec 2016 11:10:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Wp6NrScVEMf8v9q2ut1T5yvfnzqGUd4DWu7zB0BK8WE=; b=jDAZy9OwVxFAP+ZOpvPMOTqw229tRoNGIrW8Ke+IE5+HXh/IR+Cy4GjsQGbWAsNs43 v/oYUncHK9RTM49OP7viN3CJlE1g5xEgERa543DHL6Yt8ewPuxZNKjlNMKyen3DGcFuk Q1AXRln6AEcTSsqXy4+7XIa24+q6ni7o5HJS+2ytBxbGpN4FlUBxXjUOi1j04W6j9nFA 96mK1hSZ54v7mI7FWmbD00KAHLVQ5Hw4Ibu0e7d4G2t++GoZXGlAdcMwZ4dYJxbfhnQA nEp7oolWAb622jyeEFZjcaNDA/s34/OJVu8c6kR8kYZTQiRk4FcFRyD7AMIiewMsWwqX IO7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Wp6NrScVEMf8v9q2ut1T5yvfnzqGUd4DWu7zB0BK8WE=; b=b+txkh2Yfa4TFw4hzOPO+kFoD79JzLxbMHv/9gBLUnqflsIO1BTYGaDM7fss4XuHST wC66Y1kc6q7rxcpVtQAffVS7loHsX5Hgt0W9B77lV3lUruWZmm8xWnpO2IbpFw82rgBM FUgvY/NGZ9Ifs4fwWD/Of6GvD5bcn0a2G5c/YX/ltwpHv4L080rLAlErSN+UFJN8kejn wSjcAC+tmX15GoiGXlFDcgRG4GxcNmZpvppGz1Rf4fImm/31MQk2i9E/Os+d1v2iVlsT zGvOr/hwlrwqgv4PqslE6LyUWe9XiGGiE7V/+tjWZw6JbokKJJEoDUJYs2i3RF9OdOrP aHbg== X-Gm-Message-State: AKaTC03atLBYkIWlJg7qtupt9QX9/2UJ7BfQqVh+dNhPCT6125P+tV5thKzakNbGBucitA== X-Received: by 10.194.8.226 with SMTP id u2mr2899610wja.91.1481829000777; Thu, 15 Dec 2016 11:10:00 -0800 (PST) Received: from marcel-laptop.lan (85-171-136-71.rev.numericable.fr. [85.171.136.71]) by smtp.gmail.com with ESMTPSA id g184sm13734799wme.23.2016.12.15.11.10.00 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 15 Dec 2016 11:10:00 -0800 (PST) Date: Thu, 15 Dec 2016 20:09:05 +0100 From: marcel To: Ernie Luzar Cc: jail@freebsd.org Subject: Re: Closing ports in jail with ipfw Message-ID: <20161215200905.0f921a0a@marcel-laptop.lan> In-Reply-To: <5851F2ED.3070505@gmail.com> References: <20161117233607.3430afd4@marcel-laptop.lan> <5844B557.7050304@gmail.com> <20161214114239.60b7fb48@marcel-laptop.lan> <5851F2ED.3070505@gmail.com> X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.31; x86_64-unknown-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2016 19:10:04 -0000 Le Thu, 15 Dec 2016 09:33:33 +0800, Ernie Luzar a =C3=A9crit : > marcel wrote: > > Le Mon, 05 Dec 2016 08:31:19 +0800, > > Ernie Luzar a =C3=A9crit : > > =20 > >> marcel wrote: =20 > >>> Hi there, > >>> > >>> I've created a jail and when I do a nmap on his IP, I can see that > >>> port 25 and 22 are open but I don't want. So i've tried to create > >>> an IPFW rule by adding 'ipwf -q add 00290 deny all from router to > >>> jail' to my host ipfw conf file and applied it but ports jail are > >>> still open. How can I close or open the ports of my jail ? > >>> > >>> Thanks ! =20 > >> You can not run nmap on the host targeting the jails ip. Doing so > >> only shows you open ports on the host. You have to run nmap from a > >> computer on a different public ip address targeting the public ip > >> address assigned to the jail. If jail is using a non-routeable ip > >> address, nmap is useless in looking for jail open ports. =20 > >=20 > > Hi ! Sorry for silence, I was not able to answer. Yeah I understand, > > maybe netstat -an in jail is more useful ? When I do that I see > > port 25 and 514 are open but if I haven't looked yet what is this > > port 514 I imagine both of these ports are not closable (or it's > > not advised) isnt'it ?=20 > > =20 >=20 > On the host port 25 is sendmail and port 514 is syslog. >=20 > https://www.grc.com/port_514.htm >=20 > The syslog server opens port 514 and listens for incoming syslog > event notifications (carried by UDP protocol packets) generated by > remote syslog clients. Any number of client devices can be programmed > to send syslog event messages to whatever servers they choose. >=20 > This defaults to off on clean install of Freebsd. > You must have a statement in your /ect/rc.conf file that enables it. >=20 >=20 Okay thanks for clarifications for port 514. When you say "This defaults to off on clean install of Freebsd" you meant that this is the default on the default install but we can put it off on a clean modified freebsd install ?