Date:      Thu, 15 Dec 2016 20:09:05 +0100
From:      marcel <marcel.plouf@gmail.com>
To:        Ernie Luzar <luzar722@gmail.com>
Cc:        jail@freebsd.org
Subject:   Re: Closing ports in jail with ipfw
Message-ID:  <20161215200905.0f921a0a@marcel-laptop.lan>
In-Reply-To: <5851F2ED.3070505@gmail.com>
References:  <20161117233607.3430afd4@marcel-laptop.lan> <5844B557.7050304@gmail.com> <20161214114239.60b7fb48@marcel-laptop.lan> <5851F2ED.3070505@gmail.com>

On Thu, 15 Dec 2016 09:33:33 +0800,
Ernie Luzar <luzar722@gmail.com> wrote:

> marcel wrote:
> > On Mon, 05 Dec 2016 08:31:19 +0800,
> > Ernie Luzar <luzar722@gmail.com> wrote:
> >
> >> marcel wrote:
> >>> Hi there,
> >>>
> >>> I've created a jail and when I do an nmap on its IP, I can see that
> >>> ports 25 and 22 are open but I don't want that. So I've tried to create
> >>> an IPFW rule by adding 'ipfw -q add 00290 deny all from router to
> >>> jail' to my host ipfw conf file and applied it but the jail ports are
> >>> still open. How can I close or open the ports of my jail?
> >>>
> >>> Thanks!
> >> You can not run nmap on the host targeting the jail's IP. Doing so
> >> only shows you open ports on the host. You have to run nmap from a
> >> computer on a different public IP address targeting the public IP
> >> address assigned to the jail. If the jail is using a non-routable IP
> >> address, nmap is useless in looking for jail open ports.
> >
> > Hi! Sorry for the silence, I was not able to answer. Yeah, I understand,
> > maybe netstat -an in the jail is more useful? When I do that I see
> > ports 25 and 514 are open, but I haven't looked yet at what this
> > port 514 is; I imagine both of these ports are not closable (or it's
> > not advised), isn't it?
> >
>
> On the host port 25 is sendmail and port 514 is syslog.
>
> https://www.grc.com/port_514.htm
>
> The syslog server opens port 514 and listens for incoming syslog
> event notifications (carried by UDP protocol packets) generated by
> remote syslog clients. Any number of client devices can be programmed
> to send syslog event messages to whatever servers they choose.
>
> This defaults to off on a clean install of FreeBSD.
> You must have a statement in your /etc/rc.conf file that enables it.
>
>

Okay, thanks for the clarifications about port 514.
When you say "This defaults to off on a clean install of FreeBSD", do you
mean that this is the default on a default install, but we can turn it
off on a clean, modified FreeBSD install?
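The thread's suggestion of running netstat -an inside the jail is more useful when the output is compared against the set of ports you expect to be open. The script below is an added example, not code from the thread: it parses FreeBSD-style `netstat -an` output (a constructed sample is embedded, since the original capture is not on the page), lists every TCP listener and bound UDP socket, and reports anything outside an allow list, so that an unexpected sendmail (25) or syslogd (514) socket in a jail stands out.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output as seen inside a jail.
# This is made up for the example; it is not the poster's capture.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.25            *.*                    LISTEN
tcp4       0      0 10.0.0.5.22            *.*                    LISTEN
tcp4       0      0 10.0.0.5.22            10.0.0.9.51234         ESTABLISHED
udp4       0      0 10.0.0.5.514           *.*'

# listening_ports: read `netstat -an` output on stdin and print "proto port"
# for every TCP socket in LISTEN state and every bound UDP socket.
# The local address column is "addr.port", so the port is the last
# dot-separated field; this also works for "*.22" and IPv6 addresses.
listening_ports() {
    awk '
        ($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
            n = split($4, f, ".")
            print substr($1, 1, 3), f[n]
        }' | sort -u
}

# unexpected_ports: read "proto port" lines on stdin and print every
# listener that is not in the space-separated allow list given as $1
# (entries look like "tcp/22"). Returns 0 when nothing unexpected is
# open, 1 otherwise, so it can gate a cron job or a jail start script.
unexpected_ports() {
    allow=" $1 "
    found=0
    while read -r proto port; do
        case "$allow" in
            *" $proto/$port "*) ;;
            *) echo "$proto/$port"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone run: only sshd on tcp/22 is expected in this jail, so the
# sample reports tcp/25 and udp/514 as unexpected listeners.
if printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | unexpected_ports "tcp/22"; then
    echo "only expected ports are open"
else
    echo "unexpected listeners found (see above)"
fi
```

Inside a real jail, replace the sample with `netstat -an | listening_ports | unexpected_ports "tcp/22"`; the allow list is the policy you actually want, not something the script guesses.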
