Date: Fri, 16 Dec 2016 09:56:47 +0800
From: Ernie Luzar <luzar722@gmail.com>
To: marcel <marcel.plouf@gmail.com>
Cc: jail@freebsd.org
Subject: Re: Closing ports in jail with ipfw
Message-ID: <585349DF.40908@gmail.com>
In-Reply-To: <20161215200905.0f921a0a@marcel-laptop.lan>
References: <20161117233607.3430afd4@marcel-laptop.lan> <5844B557.7050304@gmail.com> <20161214114239.60b7fb48@marcel-laptop.lan> <5851F2ED.3070505@gmail.com> <20161215200905.0f921a0a@marcel-laptop.lan>
marcel wrote:
> On Thu, 15 Dec 2016 09:33:33 +0800,
> Ernie Luzar <luzar722@gmail.com> wrote:
>
>> marcel wrote:
>>> On Mon, 05 Dec 2016 08:31:19 +0800,
>>> Ernie Luzar <luzar722@gmail.com> wrote:
>>>
>>>> marcel wrote:
>>>>> Hi there,
>>>>>
>>>>> I've created a jail and when I do an nmap on its IP, I can see that
>>>>> ports 25 and 22 are open but I don't want that. So I've tried to create
>>>>> an IPFW rule by adding 'ipfw -q add 00290 deny all from router to
>>>>> jail' to my host ipfw conf file and applied it, but the jail's ports are
>>>>> still open. How can I close or open the ports of my jail?
>>>>>
>>>>> Thanks!
>>>> You can not run nmap on the host targeting the jail's IP. Doing so
>>>> only shows you open ports on the host. You have to run nmap from a
>>>> computer on a different public IP address targeting the public IP
>>>> address assigned to the jail. If the jail is using a non-routeable IP
>>>> address, nmap is useless in looking for jail open ports.
>>> Hi! Sorry for the silence, I was not able to answer. Yeah, I understand,
>>> maybe netstat -an in the jail is more useful? When I do that I see
>>> ports 25 and 514 are open, but I haven't looked yet at what this
>>> port 514 is. I imagine both of these ports are not closable (or it's
>>> not advised), isn't it?
>>>
>> On the host port 25 is sendmail and port 514 is syslog.
>>
>> https://www.grc.com/port_514.htm
>>
>> The syslog server opens port 514 and listens for incoming syslog
>> event notifications (carried by UDP protocol packets) generated by
>> remote syslog clients. Any number of client devices can be programmed
>> to send syslog event messages to whatever servers they choose.
>>
>> This defaults to off on a clean install of FreeBSD.
>> You must have a statement in your /etc/rc.conf file that enables it.
>>
>
> Okay, thanks for the clarifications on port 514.
> When you say "This defaults to off on clean install of Freebsd" you
> meant that this is the default on the default install, but we can put it
> off on a clean modified FreeBSD install?
>

Yes. In rc.conf: syslogd_flags="-ss"
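The two checks the thread converges on (running `netstat -an` inside the jail to list what is actually bound, and confirming that rc.conf carries `syslogd_flags="-ss"`) can be scripted. The script below is an added example, not code from the thread or from FreeBSD; the `netstat -an` and rc.conf text it works on is constructed sample data embedded inline, with 192.0.2.10 standing in for the jail's address. It keeps only listening TCP sockets and bound UDP sockets, so established connections do not show up as "open ports", and it treats the last `syslogd_flags=` assignment in rc.conf as the effective one. One caveat worth knowing when reading the result: `-s` alone makes syslogd ignore messages from remote hosts but still binds UDP 514, while `-ss` stops it opening any network socket at all, which is why the thread's answer is `-ss`.

```shell
#!/bin/sh
# Added example (not from the thread): list the sockets a jail is listening
# on from `netstat -an` output, and check rc.conf for syslogd_flags="-ss".

# Constructed sample of FreeBSD `netstat -an` output as marcel might have
# seen it inside the jail (sendmail on TCP 25, syslogd on UDP 514, plus one
# established connection that must not be reported as an open port).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.25          *.*                    LISTEN
tcp4       0      0 192.0.2.10.25          198.51.100.7.51234     ESTABLISHED
udp4       0      0 *.514                  *.*'

# Constructed rc.conf fragments: one with the fix from the thread, one with
# only -s, which still binds UDP 514.
SAMPLE_RCCONF_FIXED='hostname="jail1"
syslogd_flags="-ss"'
SAMPLE_RCCONF_WEAK='syslogd_flags="-ss"
# later assignment wins, and -s alone still opens the socket
syslogd_flags="-s"'

# Read `netstat -an` text on stdin and print "proto port" for every TCP
# socket in LISTEN state and every bound UDP socket. FreeBSD separates the
# port from the address with a dot, so the port is the last dotted field.
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print "tcp", a[n] }
        $1 ~ /^udp/                    { n = split($4, a, "."); print "udp", a[n] }
    '
}

# Read rc.conf text on stdin; succeed only if the last uncommented
# syslogd_flags= line contains -ss (no network socket opened at all).
syslogd_net_disabled() {
    grep -E '^[[:space:]]*syslogd_flags=' | tail -n 1 | grep -q -e '-ss'
}

# Usage: run the checks over the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
if printf '%s\n' "$SAMPLE_RCCONF_FIXED" | syslogd_net_disabled; then
    echo "fixed rc.conf: syslogd opens no network socket"
fi
if ! printf '%s\n' "$SAMPLE_RCCONF_WEAK" | syslogd_net_disabled; then
    echo "weak rc.conf: syslogd still binds UDP 514"
fi
```

Inside a real jail, pipe the live command instead of the sample: `netstat -an | listening_ports`, and `listening_ports` over the jail's `/etc/rc.conf` for `syslogd_net_disabled`. A port that still appears after the rc.conf change usually means the service was not restarted, so re-run the check after `service syslogd restart` in the jail.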
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?585349DF.40908>