1 (edited by Suno Ano 2009-08-26 18:13:22)

Topic: which ports to open for Firewall/Netfilter/IPtables

I don't use the IRM script to manage which ports are to be opened on the firewall (Linux i.e. Netfilter/Iptables in our case). We use OpenVZ so we do firewalling on the HN (Hardware Node) rather than inside a VE (Virtual Environment) where some of our IRM instances are installed.


Three Questions:

0)
It is correct that all ports are TCP and no IRM service/daemon makes use of the UDP protocol?

1)
What ports need to be open can be seen from iRedMail/samples/iptables.rules. Right now I allow incoming traffic on following TCP ports: 80,443,25,587,465,110,995,143,993,389,636,21,20. I use the LDAP backend; do I need all those ports to be open? especially 587? Did I miss some port?

2)
We manage the port for sshd automatically; it's listening on a high port i.e. >1023; maybe the IRM install routing could ask users for the sshd listening port instead of assuming it's port 22? Personally I don't care because we con't use IRM iptables scripts at all but I think the user should have a choice to mabye pick a non-standard listening port http://sunoano.name/ws/public_xhtml/ssh … ening_port

2

Re: which ports to open for Firewall/Netfilter/IPtables

Suno Ano wrote:

It is correct that all ports are TCP and no IRM service/daemon makes use of the UDP protocol?

Yes, no daemon uses UDP protocol.

Suno Ano wrote:

What ports need to be open can be seen from iRedMail/samples/iptables.rules. Right now I allow incoming traffic on following TCP ports: 80,443,25,587,465,110,995,143,993,389,636,21,20. I use the LDAP backend; do I need all those ports to be open? especially 587? Did I miss some port?

You should know which services you need to serve, what ports they need, and then customize your rule.

Suno Ano wrote:

We manage the port for sshd automatically; it's listening on a high port i.e. >1023; maybe the IRM install routing could ask users for the sshd listening port instead of assuming it's port 22? Personally I don't care because we con't use IRM iptables scripts at all but I think the user should have a choice to mabye pick a non-standard listening port

There's a note displayed while prompt to use iptables rule shipped within iredmail, it says OpenSSH port is 22.

User can replace it without restart iptables service, and then edit the port number after installation complete.

Maybe i should extract ssh port number from sshd_config and then modify the rule. Good idea?

3

Re: which ports to open for Firewall/Netfilter/IPtables

You should know which services you need to serve, what ports they need, and then customize your rule.

I do, yes. However, I am uncertain what's needed in particular like for example port 587. As I said, I use the LDAP backend with irm and thus I can only manually check (ps aux | grep <daemon_name> or netstat -tulpe) to be sure. I think a quick summary on the wiki would be best i.e. if we could just list the ports needed that would be great ... I think this question will come up a lot in the future so ...

Maybe i should extract ssh port number from sshd_config and then modify the rule. Good idea?

Yes, please do so :-)

4

Re: which ports to open for Firewall/Netfilter/IPtables

Hi, Suno.

I posted a new topic here:
- iRedMail opens which network service ports
  http://www.iredmail.org/forum/topic209- … ports.html

5

Re: which ports to open for Firewall/Netfilter/IPtables

Suno Ano wrote:

Maybe i should extract ssh port number from sshd_config and then modify the rule. Good idea?

Yes, please do so :-)

Done.
http://code.google.com/p/iredmail/sourc … c345d4b4c0

6

Re: which ports to open for Firewall/Netfilter/IPtables

Excellent. Thanks wink