Don't do an an nmap against the localhost. You'll get a completely misleading
result. The firewall only protects against connections from other machines,
not from connections from itself. So, as an example, even though my firewall
blocks port 515 I'm still perfectly able to print fron localhost. Even though
I block port 80 I'm still perfectly able to browse my local pages from
localhost.

If you want to verify your firewall, find another machine and nmap from there.

regards
Anders

Are you *really* firewalling the loopback interface on localhost? Or more
likely an ethernet port, or ppp port (ie external interfaces).

You need to run nmap from another machine on the external network, aimed at
the ip address of your external interface. Running nmap on localhost will
not tell you anything about how your firewall is behaving on the external
interface.

Tony

I'm posting to the list since I can't seem to get through to your email
address.
grc.com is not reliable. It can show closed ports open and it can show open
ports closed. Did the nmap results show the same? Was the nmap run from
another machine, or did you run from localhost but you used the ip of the
external NIC? Don't do that! Use another machine!

ident is filtered by SuSEfirewall in a special way that make the port appear,
but not used. This is because if it was completely blocked, some services
on the net, such as mail, would take an enormous amount of time to run.

The other services you mention are all controlled from inetd. You can check if
they are used by grepping in /etc/inetd.conf

grep telnet /etc/inetd.conf

for instance, on my machine, gives

# If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN
# uplink), add "-n". See 'man telnetd' for more details.
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
# Try "telnet localhost systat" and "telnet localhost netstat" to see that

Lines 1,2 and 4 are obviously comments. The third line is the service line. If
it starts with a # it isn't used. As you can see, my telnet is used. Is your
telnet line uncommented? If it is, you'll know you can't trust the result of
the scan.

If the above doesn't help, use this command

/sbin/iptables -L

to see if the firewall rules are loaded at all.

Post back to the list with your progress, or if you have more questions

regards
Anders

Hi Jacob,

1) It's generally useful to post to the list, rather than direct - so that
others can see *all* messages in a thread, and respond, or also learn from
this.

2) I've just seen your earlier post (START_FW2yes problem) - did you
resolve that, and get the firewall to load on boot? You should see three
phases of firewall initialisation in the boot messages (which should all
report 'passed')

3) If you can describe your network topology, (and what services you *do*
want - I can try to help you with what you need in your firewall2.rc.config
- but it is commented quite well, and should be easy to set up.

Rgds,
Tony

I edited /etc/inetd.conf and commented out the items I did not want accessed
and rebooted the firewall. Now those ports are showing as closed. I think
the problem is resolved. Any suggestions?

Ya I resolved the Start_fw2 thing. The rc.config file had two instances of
the START_FW2=YES line. I only saw the one at the bottom of the page. The
one in the middle was the one that was written wrong, no equals sign.


-----Original Message-----
From: Tony White [mailto:***@databit.net]
Sent: Tuesday, September 10, 2002 2:33 PM
To: suse-linux-***@suse.com
Subject: RE: [SLE] Firewall2 : How to open and close ports
Hi Jacob,

1) It's generally useful to post to the list, rather than direct - so that
others can see *all* messages in a thread, and respond, or also learn from
this.

2) I've just seen your earlier post (START_FW2yes problem) - did you
resolve that, and get the firewall to load on boot? You should see three
phases of firewall initialisation in the boot messages (which should all
report 'passed')

3) If you can describe your network topology, (and what services you *do*
want - I can try to help you with what you need in your firewall2.rc.config
- but it is commented quite well, and should be easy to set up.

Rgds,
Tony
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-***@suse.com Also check
the archives at http://lists.suse.com Please read the FAQs:
suse-linux-e-***@suse.com

When I try to mail you directly I keep getting timeouts.
Sorry, my mistake. It should have been /usr/sbin/iptables -L

If the firewall is running you'll get an enormous amount of output. If it is
not running, you'll get about 6 lines.

//Anders

Hi

The port 963 is not listed in /etc/services, so it is not a "standard"
service. (914-988 Unassigned).

If You don't have "FW_SERVICES_EXTERNAL_TCP=963" or
FW_SERVICES_TRUSTED_TCP=963" along by listing trusted hosts, that port is not
seen by the outside world.

If You want, You could trace down the program that uses the port.. Start by
doing "ps aux", which will give You a full list of running processes.. it
will be there somewhere.

I believe it is a piece of software that You have installed.

When You have located the suspicious process, search /etc/rc.d if there is a
script that starts the program.

Then do a "/etc/rc.d/<found_script> stop", that should stop the process.. Then
You should have clear picture what the service is...

Jaska.