Ubuntu Security :: Restrict Open Ports In Firestarter When Using Torrents?
Aug 19, 2010
I am trying to configure Bittorando and iptables using Firestarter. I have got it working but am concerned about security holes.
Let me explain.
AIUI, the Bittornado program contacts the "tracker" on various ports which (from the previously blocked connections in Firestarter) ranged from 4664 to 65532. Therefore, currently I have set this range to be open to allow downloads of the torrent.
However, this seems, IMHO, to devalue to point of having a restrictive exit policy for Firestarter since now virtually all ports are open. I can see nothing on the Bittornado client to restrict the outgoing ports although the "listening" (incoming) ports can be restricted.
I would prefer to have my system locked-down so that the minimal number of ports are open to initiate external connections so is there any way to achieve this with Bittornado?
A portscan reveals that port 39878 is 'open', service: 'unknown. I deny service for this port in Firestarter FW 'policy' Firestarter does not show any active connection. I am not running any apps, so how can I close this port?
Perhaps it is my misinterpretation of AppArmor, how can it be configured to restrict TCP or UDP traffic to/from specific ports?
The profile "abstractions/nameservice", under the section "# TCP/UDP network access", doesn't seem to lock the application to port 53. What am I missing? Restriction to specific ports is something that systrace can do so I'd expect nothing less from AppArmor.
I'm locking down my laptop. I know I can use a firewall to ensure nothing gets through that I didn't catch, and I certainly plan on using one, but in the meantime, I want to know what exactly is running on my system.
nmap localhost returns: Code: james@james-linux:~$ nmap localhost Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-26 23:33 CDT Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1. Interesting ports on localhost (127.0.0.1): Not shown: 994 closed ports PORT STATE SERVICE 25/tcp open smtp 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 631/tcp open ipp 2049/tcp open nfs Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
However, I know that localhost goes back to the loopback interface, 127.0.0.1. So, to see what was really open, I ran nmap 192.168.0.108, which is my laptop's IP at the moment.
Code: james@james-linux:~$ nmap 192.168.0.108 Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-26 23:33 CDT Interesting ports on 192.168.0.108: Not shown: 996 closed ports PORT STATE SERVICE 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 2049/tcp open nfs Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
Now if I understand correctly, I can attribute 139 and 445 to my Samba share. That I'm okay with. What I don't know is 111 and 2049. Does anyone know what these ports are, what's running on them, and how I could turn them off, supposing that they are a security risk?
I'm getting heat from the head networking office that ports 21, 110, and 143 are open. I can telnet to those ports from a remote machine (not localhost) and get a prompt. There does not seem to be anything listening on those ports according to netstat. I've tried using iptables to discard all traffic to a from those ports but I can still telnet to them. This is a lucid desktop machine.
I installed Ubuntu 9.10 recently. I heard that there will be no open ports in the system unless I specifically open one. How do I scan to find a open port in my system.
when i enable my ufw it completely shuts me out and closed my internet connection. i installed firewall configuraiton interface and through it defined rules to accept incoming internet connections on port 80, i can see the rules are there but when i enable my firewall it just shuts me out completely again. when i do(with my firewall enabled):
Code: $ sudo ufw status it gives me: Quote: Status: active
[Code].....
I also messed around with fwbuilder and iptables but since then deleted fwbuilder(besides i just compiled firewall policy and never actually installed it because of errors while trying to install it. Iptables I cleared with:
Well I'm kinda a paranoid person, and got bored and ran a port scan from 0 to 500000 and turned up some interesting results, I was wondering how I find the programs tied to each open port. Its my computer and I'd like to very well know what programs are needing these ports and for what usage.
I am trying to understand why when running nmap against a SonicWALL firewall at a remote location, the SonicWall firewall is saying that most of its 65535 ports are open? I know this cant be correct and remember reading about how some of these network appliances are setup this way to thwart off attacks.
I now have a firewall up and running: almost perfectly. When I use nmap and perform the most comprehensive scan I can think of, it cannot detect any wide open ports (unless bittorent is running) and cannot fingerprint the OS. My last 2 questions about my firewall (I am very happy now) are:
It seems as though Firestarter has been "abandoned" by the developers, and that gufw is more current. Does it really matter which firewall I use because don't they all do the same thing? I like firestarters system tray icon a lot. 2nd question is I have two open|filtered ports. Are these still pretty well protected?
It is very pleasing to see that I have no open ports, because if you were an experienced Windows user like I was, you got used to the fact you were going to have open ports no matter what. Linux's builtin firewall completely destroys the expensive and useless scams they call Norton and McAfee. Linux officially rocks now
Within the documentation of example OpenVPN setups there is a setup that shows an OpenVPN Server with two network interfaces. One interfaces is plugged into the public internet network and the second interface is plugged into the private network.
Normally I assume that it would be best to place the OpenVPN system inside the network behind the router and firewall and open only the ports needed on the router to allow access to the OpenVPN system. All other router ports would be closed. This is the first example they show. To see what I am talking about see page(s) 6-7 here -> [URL]
If one were to use the two interface public facing setup, when would that setup best be justified? I guess if you didn't want to open any ports on the router/firewall then this could be justified but then you have to lock down this public system individually instead of having it protected by the network firewall.
My firestarter is denying connections on ports 80 and 443, despite the fact that I have set rules to allow both the services, and indeed any connection from my gateway (the source of the connections).
Can someone please advise why this might be?I can surf the 'net fine, unfortunately I cannot load facebook, gmail, or another couple of sites that require logins, and I assume this is due to HTTPS not communicating properly.(On the off chance anyone can answer these real quick, I'm also trying to solve my resolution resetting every time I restart, and one of the icons in my KDE panel turning into a widget from an icon every time I restart. Still working on these, but just if anyone knows already).
I'm trying to VPN in somewhere and it doesn't like any outbound connections. I'm doing this for RDP, so can I somehow restrict the VPN connection to only be using the RDP port?
How to open port for transmission or deluge to use torrents, 'cause any of both programs can download any torrent. I've searched on the internet and only find about open ports on hardware router, and that's weird 'cause Deluge on windows works perfect just after installing it and there's no need to open any port on hardware router.
I have an Asus 900 laptop that I put Ubuntu 9.10 on.I know it was made by the Chinese, but why are they trying to hack my pc?I currently put FIRESTARTER a linux firewall on board you can go here to get itNow I can see everyone's IP address and find out where they are and who they are!!
I was wondering if firestarter (software firewall) works out of the box or does it need some kind of configuration in order for it to provide protection? Is firestarter even needed with ubuntu?
im having a bit of a problem with Firestarter, i have Transmission opened and i am downloading a movie but when i check Firestarter i see hundreds and hundreds of Ip's that are blocked, and like 10ip's every second that get blocked.
I am new to Ubuntu and till now I have chosen it to be my favorite distro. I use my laptop in various networks, home, work, school. When I run firestarter the wizard does not give me the option for wireless INTERNET, only ethernet.
I've been using Firestarter for a while and have used it to set-up inbound and outbound policies (which are probably way too restricitve) but since turning on boot logging the other day I have noted that the boot log contains the message:
Code: * Starting the Firestarter firewall [fail] I find this somewhat alarming. I have seen post[URL].ht= firestarter (although have not added it the auto startup list and do not wish to have it start without the root password). What I would like to know is as the computer boots up does it set the iptables to their last setting irrespective of whether firestarter starts or does firestarter need to start to set the iptables and therefore my policies?
I am running Ubuntu 10.10 I have an question about the firewall Firestarter, when checking the firewall it told me there are 9 serious incoming connections what must I do with this info. Inbound is normally blocked as standard i have also see that someone with port 1234 and 12345 have trying to attempt mine system but failed all trojan ports are fully blocked.
I have a question about anybody who knows how to use firestarter firewall. I'm trying to get access to a Macromedia flash site that needs port 1935 open. While it is not a big issue to open the port, I want to do it just for the server that needs it. I do not want to open it to everybody else. I wonder if anybody has any idea of how to do this. Normally I just go to www.redhotpawn.com which is a chess playing site. I then pressed on the blitz button to go into a game. But it tells me access denied, and then the site has a warning about what it means. The site that mentions that if this is the case then this port has to be open. I don't have a problem of opening the port for the one site as I trust it. But I don't want the port open for every site. I know I can go into the firewall settings and under policy I click on the allow service port for. I put in the port number, but then I don't want to select all. I want to find out what the IP, host or network that I need to allow. Basically I only want to open the port to the one site.
Running Fedora 10 and 11. Using Firestarter firewall.Does anyone know where Firestarter gets the Events which it displays?I do not find anything in /etc/firestarter/.I suspect Firestarter looks in a log file which Fedora keeps somewhere.
I am running ubuntu 10.10. I recently enabled the firewall and installed Firestarter to configure it. Bad decision apparently. I can't connect to the internet using Firefox unless I first stop the firewall using Firestarter. After I do that, Firefox connects to the internet just fine.
If I uninstall Firestarter, will the ubuntu firewall function as it did originally, before I configured it? Or will it continue to function the way it does right now, which doesn't allow me to connect to the internet?
Just want to stealth ports on my laptop. Had problems with firestarter when I installed in on 10.10. Set Firestater back to defaults and then dumped it with:
Code: sudo apt-get purge firestarter Set up Gufw to defaults and now am not sure what I am seeing with iptables. iptables -L shows .....
Do these settings look correct for default settings for Gufw? or do I still have some problems with the old firestarter settings not being removed. All I want is all ports stealthed. I know that ping is enabled but I believe that is a default setting in ufw. Could I restore iptables to default with:
Code: sudo iptables -F and then enable Gufw and set default?
I am running Firestarter on Ubuntu 9.10 64 bit. I have noticed several times that after closing all web apps (Firefox, Thunderbird) that some entries remain under the heading "Active connections" on the Firestarter "Status" tab. Often these show no source program. Currently I have 2 showing which show Firefox as the source. These persist after Firefox is shut down. I have verified that no Firfox process is running. And both of the IPs point to google.I have Disconnected eht0 and they still show. I have logged out and back in and they still show. I must reboot the machine to make these entries go away. Which makes me think perhaps this is a bug in Firestarter(?) Is there another way I can identify truly active connections?
I gave a presentation on the Firestarter Firewall interface at my local LUG meeting tonight (another member followed with a presentation on iptables).You can download a copy of the handout from this link.
