ASL 3.2.8 Firewall changes (alpha)
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
* Firewall changes (alpha)
Basic ACL list support is being evaluated in ASL, these lists allow IP addresses to be included in a port access list. For example, you could create an access list for SSH that would only allow 3 IPs to connect. As this is an alpha feature, it is prone to change without notice, and currently there is no web based interface to this function.
Lists are stored in this directory:
/etc/asl/firewall
1) create a file in the /etc/asl/firewall directory using the format in #2 below
2) Naming convention for file is: INPUT-<name>-<protocol>-<port>-any
example: INPUT-sshd-tcp-22-any
3) list IPs, one per line, in this file
1.2.3.4
5.6.7.8
4) Ensure that you are not overriding this ACL with FW_INBOUND_TCP_SERVICES: if you allow a port in that option, that will override the ACL. If you want to use an ACL for a port, do NOT list the port in FW_INBOUND_TCP_SERVICES.
5) reload the firewall policy with:
/etc/init.d/asl-firewall restart
Re: ASL 3.2.8 Firewall changes (alpha)
Is this feature (still) working?
We have tried to set it up on a pristine ASL firewall (no custom adjustments at all). Created the file /etc/asl/firewall/INPUT-mysqld-tcp-3306-any, and placed three IP addresses, each on their own line. Restarting the asl-firewall service does not place ANY rules that mention port 3306.
# asl -v
ASL Version 3.2.11-28.el5.art: CentOS 5 (SUPPORTED)
We would certainly like it if there were a possibility to manage basic additional firewall rules (such as only allowing a couple of IPs for mysql, snmpd etc.) without having to go through ASL web.
Lemonbit Internet Dedicated Server Management
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL 3.2.8 Firewall changes (alpha)
What's the output of "iptables -L -n"?
Michael Shinn
Atomicorp - Security For Everyone
Re: ASL 3.2.8 Firewall changes (alpha)
mikeshinn wrote: What's the output of "iptables -L -n"?
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-SMALLPACKETS ah -- 0.0.0.0/0 0.0.0.0/0 length 0:35
ASL-SMALLPACKETS esp -- 0.0.0.0/0 0.0.0.0/0 length 0:49
ASL-SMALLPACKETS 47 -- 0.0.0.0/0 0.0.0.0/0 length 0:39
ASL-SMALLPACKETS 30 -- 0.0.0.0/0 0.0.0.0/0 length 0:31
ASL-SMALLPACKETS icmp -- 0.0.0.0/0 0.0.0.0/0 length 0:27
ASL-SMALLPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 length 0:39
ASL-SMALLPACKETS udp -- 0.0.0.0/0 0.0.0.0/0 length 0:27
ASL-BADPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=128
ASL-BADPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=64
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x2B
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0D
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1C
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x03
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x29/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x22/0x22
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
ASL-IGNORE-BC all -- 0.0.0.0/0 224.0.0.0/24
ASL-IGNORE-BC udp -- 0.0.0.0/0 255.255.255.255
ASL-IGNORE-BC tcp -- 0.0.0.0/0 255.255.255.255
ASL-FRAGMENTS all -f 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-TORTIXD-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-Firewall-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASL-SMTP_OUT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
ASL-SMTP_OUT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ASL-PLESK-UPDATES tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5224 state NEW
ASL-UPDATES tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ASL-FRAGMENTS all -f 0.0.0.0/0 0.0.0.0/0
ASL-SPAMASSASSIN-UPDATES all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-BADPACKETS (2 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_BADPACKET '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-BLACKLIST (1 references)
target prot opt source destination
Chain ASL-BLACKLIST-DROP-LOG (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_BLACKLIST_BLOCK '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-FRAGMENTS (2 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_FRAGMENT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-Firewall-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:30000
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-GEO-BLACKLIST (1 references)
target prot opt source destination
Chain ASL-GEO-BLACKLIST-DROP-LOG (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_GEO_BLOCK '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-IGNORE-BC (3 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-PLESK-UPDATES (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 77.245.23.80 tcp dpt:5224 state NEW
Chain ASL-PORTSCAN (21 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_PORTSCAN '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-SMALLPACKETS (7 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_TOOSMALL '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-SMTP_OUT (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 2521
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 owner UID match 2521
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 89
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 owner UID match 89
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 owner UID match 0
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:465
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 15 level 6 prefix `ASL_SMTP_OUT '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ASL-SPAMASSASSIN-UPDATES (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:24441 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:24441 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2703 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6277 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6277 state NEW
Chain ASL-TORTIXD-ACL (1 references)
target prot opt source destination
Chain ASL-UPDATES (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 80.82.124.228 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 69.20.6.166 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.195.110 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 208.68.233.251 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.112.216 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.166.51 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 198.71.51.132 tcp dpt:443 state NEW
# ll /etc/asl/firewall/
total 8
-rw-r--r-- 1 root root 44 Apr 16 19:09 INPUT-mysqld-tcp-3306-any
-rwx------ 1 tortix root 20 Apr 15 21:42 mta-output-acl
# grep FW_ /etc/asl/config
FW_INBOUND_TCP_SERVICES="22,25,80,443,465,110,143,993,995,587,8443,30000"
FW_INBOUND_UDP_SERVICES=""
FW_OUTPUT_MTA="yes"
FW_OUTPUT_TCP_SERVICES="no"
FW_OUTPUT_UDP_SERVICES="no"
FW_LASSO="no"
FW_LASSO_LOG="yes"
FW_DSHIELD="no"
FW_DSHIELD_LOG="yes"
FW_TOR="no"
FW_TOR_LOG="yes"
FW_PORTSCAN="yes"
FW_BAD_PACKETS="yes"
FW_SMALL_PACKETS="yes"
FW_FRAGMENTS="yes"
FW_DROP_INVALID="yes"
FW_DROP_INVALID_LOG="no"
FW_LOG_BLACKLIST_DROP="yes"
FW_LOG_GEOBLOCK_DROP="yes"
FW_IGNORE_BROADCASTS="yes"
FW_ACCEPT_REDIRECTS="no"
FW_ACCEPT_SOURCE_ROUTE="no"
FW_ICMP_IGNORE_ALL="no"
FW_ICMP_IGNORE_BROADCASTS="yes"
FW_IGNORE_ICMP_BOGUS="yes"
FW_IPV4_FORWARD="no"
FW_IPV6_FORWARD="no"
FW_PROXY_ARP="no"
FW_RP_FILTER="no"
FW_SYN_COOKIES="yes"
FW_TCP_ECN="no"
FW_TCP_TIMESTAMPS="yes"
FW_TCP_WINDOW_SCALING="yes"
FW_PLESK_UPDATES="yes"
FW_SPAMASSASSIN_UPDATES="yes"
# cat /etc/asl/firewall/INPUT-mysqld-tcp-3306-any
1.2.3.4
2.3.4.5
3.4.5.6
Verified from remote host (i.e. "1.2.3.4") that connecting to MySQL is not allowed:
remotehost# telnet aslhost 3306
Trying <ip>...
telnet: connect to address <ip>: Connection timed out
Lemonbit Internet Dedicated Server Management
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: ASL 3.2.8 Firewall changes (alpha)
Example of it in use:
# cat /etc/asl/firewall/INPUT-mysql-tcp-3306-any-acl
1.2.3.4
4.5.6.7
# /etc/init.d/asl-firewall restart
# iptables-save |grep mysql
-A LOCAL-3-mysql-ACL -s 1.2.3.4/32 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A LOCAL-3-mysql-ACL -s 4.5.6.7/32 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A LOCAL-3-mysql-ACL -j DROP
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL 3.2.8 Firewall changes (alpha)
That doesn't look like, what version of ASL is installed on the system? And is this a virtual machine or dedicated? And if the former, what virtualization solution is installed?
Michael Shinn
Atomicorp - Security For Everyone
Re: ASL 3.2.8 Firewall changes (alpha)
mikeshinn wrote: That doesn't look like, what version of ASL is installed on the system? And is this a virtual machine or dedicated? And if the former, what virtualization solution is installed?
What do you mean by "that doesn't look like"?
This machine is a Xen virtual server with CentOS 5 64-bit and ASL 3.2.11-28 running the ASL kernel 2.6.32.59-28.
Lemonbit Internet Dedicated Server Management
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL 3.2.8 Firewall changes (alpha)
In reply to "What do you mean by 'that doesn't look like'?":
That doesn't look right.
Can you reset your firewall for me, just run these commands:
mv /etc/asl/firewall/running.fw /root
asl -s -f
And post the output of these:
asl -s -f
iptables -L -n
Michael Shinn
Atomicorp - Security For Everyone
Re: ASL 3.2.8 Firewall changes (alpha)
# mv /etc/asl/firewall/running.fw ~
# ll /etc/asl/firewall/
total 8
-rw-r--r-- 1 root root 44 Apr 16 21:26 INPUT-mysql-tcp-3306-any
-rwx------ 1 tortix root 20 Apr 15 21:42 mta-output-acl
# asl -s -f
Starting Atomic Secured Linux scan, please be patient...
Checking Kernel security settings
ASL kernel: detected [OK]
KERNEXEC protections: not detected [HIGH]
UDEREF protections: not detected [HIGH]
Runtime module loading: disabled [OK]
GRsecurity administrative password: not set [INFO]
GRsecurity ACL database: not found [INFO]
Executable anonymous mapping: no [OK]
Executable bss: no [OK]
Executable data: no [OK]
Executable heap: no [OK]
Executable stack: no [OK]
Executable anonymous mapping (mprotect): no [OK]
Executable bss (mprotect): no [OK]
Executable data (mprotect): no [OK]
Executable heap (mprotect): no [OK]
Executable shared library bss (mprotect): no [OK]
Executable shared library data (mprotect): no [OK]
Executable stack (mprotect): no [OK]
Anonymous mapping randomisation test: no [OK]
Heap randomisation test (ET_EXEC): no [OK]
Heap randomisation test (ET_DYN): no [OK]
Main executable randomisation (ET_EXEC): no [OK]
Shared library randomisation test: no [OK]
Stack randomisation test (SEGMEXEC): no [OK]
Stack randomisation test (PAGEEXEC): no [OK]
Executable shared library bss: no [OK]
Executable shared library data: no [OK]
Writable text segments: no [OK]
Kernel Enforced Security Policies
Trusted Path Execution(TPE): enforced [OK]
TPE Mode: Unless Deny, Allow [INFO]
Disable Privileged I/O: enforced [OK]
Audit mount() events: not enforced [INFO]
Audit chdir() events: not enforced [INFO]
Audit ptrace() events: enforced [OK]
Audit text relocation events: not enforced [INFO]
Restrict chroot() capabilities: enforced [OK]
Chroot restrictions, deny chmod(): enforced [OK]
Chroot restrictions, deny chroot(): enforced [OK]
Chroot restrictions, deny fchdir(): enforced [OK]
Chroot restrictions, deny mknod(): enforced [OK]
Chroot restrictions, deny mount(): enforced [OK]
Chroot restrictions, deny pivot(): enforced [OK]
Chroot restrictions, deny external shmem access: enforced [OK]
Chroot restrictions, deny sysctl: enforced [OK]
Chroot restrictions, deny unix domain sockets: enforced [OK]
Chroot restrictions, set cwd to chroot dir: enforced [OK]
Chroot restrictions, process controls: enforced [OK]
Restrict dmesg: enforced [OK]
Enhanced FIFO restrictions: enforced [OK]
Fork() failure logging: enforced [OK]
Harden ptrace(): not enforced [MODERATE]
Network Stack, IP Blackhole policy: enforced [OK]
Linking Restrictions: enforced [OK]
Resource Logging: enforced [OK]
RWX map Logging: enforced [OK]
Signal Logging: enforced [OK]
Timechange Logging: enforced [OK]
Checking General security settings
Checking for unnecessary services
Service FreeWnn: disabled [OK]
Service annacron: disabled [OK]
Service apmd: disabled [OK]
Service autofs: disabled [OK]
Service avahi-daemon: disabled [OK]
Service avahi-dnsconfd: disabled [OK]
Service bluetooth: disabled [OK]
Service canna: disabled [OK]
Service cups: disabled [OK]
Service cups-config-daemon: disabled [OK]
Service gpm: disabled [OK]
Service haldaemon: disabled [OK]
Service hidd: disabled [OK]
Service hplip: disabled [OK]
Service iiim: disabled [OK]
Service isdn: disabled [OK]
Service kdump: disabled [OK]
Service mDNSResponder: disabled [OK]
Service mcstrans: disabled [OK]
Service nfs: disabled [OK]
Service nfslock: disabled [OK]
Service nifd: disabled [OK]
Service pcscd: disabled [OK]
Service portmap: disabled [OK]
Service rpcidmapd: disabled [OK]
Service sbadm: disabled [OK]
Service xfs: disabled [OK]
Service X11: disabled [OK]
Checking for End of Life (EOL) operating systems
centos/5: Supported [OK]
Checking for POSIX ACL support: detected [OK]
Checking for updater: yum detected [OK]
Checking for updates: 1 found [CRITICAL]
Checking for Superuser accounts (UID0)
Checking for Suspicious cron jobs
Checking for non-secure services
Telnet: not detected [OK]
Rlogin: not detected [OK]
Rsh: not detected [OK]
Checking system logging
Syslogd: detected [OK]
Klogd: detected [OK]
Checking General Plesk settings
Plesk SQL Injection vulnerability SA26741: not detected [OK]
Plesk SQL Injection vulnerability CVE-2011-4734: not detected [OK]
Proftp Vulnerability SA33842: not detected [OK]
Proftp Vulnerability SA42052: not detected [OK]
Verify SSLv2 disabled in Plesk Daemon: verified [OK]
Verify TLS enabled in proftp: enabled [OK]
Verify ClamAV enabled in proftp: enabled [OK]
Set proftp scoreboard to default: yes [OK]
Checking for weak SMTP_AUTH passwords: 0 found [OK]
Verify SSLv2 disabled in Qmail: verified [OK]
Verify SSLv2 disabled in Courier IMAP: verified [OK]
Verify SSLv2 disabled in Courier POP3d: verified [OK]
Verify expose_php set to off: enforced [OK]
Checking mod_security settings
Checking for mod_security installation: installed [OK]
mod_security set to: enabled [OK]
Server signature set to: Apache [OK]
SecUploadDir set to: /var/asl/data/suspicious [OK]
SecUploadKeepFiles set to: off [OK]
Logfile set to: audit_log [OK]
Logging set to: Concurrent [OK]
Audit Logging to: /var/asl/data/audit [OK]
Logging elements set to: ABIFHZ [OK]
SecRequestBodyInMemoryLimit set to: 131072 [OK]
SecRequestBodyLimit set to: 134217728 [OK]
SecResponseBodyLimitAction set to: ProcessPartial [OK]
SecDataDir set to: /var/asl/data/msa [OK]
SecTmpDir set to: /tmp [OK]
Checking rule class settings
RBL Ruleset: off [LOW]
Bogus Search Engine Ruleset: off [HIGH]
Autowhitelist Search Engine Ruleset: off [LOW]
Antievasion Ruleset: on [OK]
Strict Multiform Ruleset: off [MODERATE]
Whitelist Ruleset: off [OK]
Advanced Antievasion Ruleset: off [HIGH]
Slow Denial of Service Protection: on [OK]
Exclude Ruleset: on [OK]
Anti-Malware Ruleset: on [OK]
Generic Attack Ruleset: on [OK]
Advanced Attack Ruleset: on [OK]
Data Loss Protection Ruleset: off [MODERATE]
Brute Force Protection Ruleset: on [OK]
Malicious Useragents Ruleset: on [OK]
Anti-Spam Ruleset: on [OK]
Anti-Spam URI RBL Ruleset: off [LOW]
Rootkit Detection Ruleset: on [OK]
Reconnaissance Attacks Ruleset: on [OK]
Data Leak Prevention Ruleset: on [OK]
Just In Time Patches: on [OK]
Malicious Output Removal Ruleset: on [OK]
Malicious Output Detector: on [OK]
Web Malware Upload Scanner: on [OK]
Checking for disabled rules
Checking php settings
Checking for php installation: installed [OK]
Enforce safe_mode: enforced [OK]
Disable register_globals: enforced [OK]
Disable URL fopen: enforced [OK]
Disable URL include: enforced [OK]
Disable expose_php: not enforced [HIGH]
Checking for High-Risk functions
Function curl_exec: not allowed [OK]
Function curl_multi_exec: not allowed [OK]
Function dl: not allowed [OK]
Function exec: not allowed [OK]
Function fsockopen: allowed [HIGH]
Function passthru: not allowed [OK]
Function pcntl_exec: not allowed [OK]
Function pfsockopen: not allowed [OK]
Function popen: not allowed [OK]
Function posix_kill: not allowed [OK]
Function posix_mkfifo: not allowed [OK]
Function posix_setuid: not allowed [OK]
Function proc_close: not allowed [OK]
Function proc_open: not allowed [OK]
Function proc_terminate: not allowed [OK]
Function shell_exec: not allowed [OK]
Function system: not allowed [OK]
Checking for Moderate-Risk functions
Function ftp_exec: not allowed [OK]
Function leak: not allowed [OK]
Function posix_setpgid: not allowed [OK]
Function posix_setsid: not allowed [OK]
Function proc_get_status: not allowed [OK]
Function proc_nice: not allowed [OK]
Function show_source: not allowed [OK]
Checking for Low-Risk functions
Function escapeshellcmd: allowed [LOW]
Function phpinfo: not allowed [OK]
Checking executable stack flag on PHP extensions
/usr/lib64/php/ioncube/ioncube_loader_lin_5.3.so : [OK]
Checking ossec-hids settings
Checking for ossec-hids installation: installed [OK]
ossec-hids set to: enabled [OK]
OSSEC is configured in server mode.
Checking for server installation: installed [OK]
Enable email notification: enabled [OK]
Notifications to address: redacted [OK]
Notifications from address: redacted [OK]
SMTP server: 127.0.0.1 [OK]
Max email per hour setting: 1 [OK]
Active Response: enabled [OK]
Active Response timeout: 600 [OK]
Verifying OSSEC whitelists
checking: redacted [OK]
Excessive whitelists not detected: redacted [OK]
Checking for monitored log files
/var/log/messages: monitored [OK]
/var/log/secure: monitored [OK]
/var/log/maillog: monitored [OK]
/usr/local/psa/var/log/maillog: monitored [OK]
/var/log/httpd/access_log: monitored [OK]
/usr/local/psa/admin/logs/httpsd_access_log: monitored [OK]
/var/log/httpd/audit_log: monitored [OK]
/var/log/httpd/error_log: monitored [OK]
/var/log/mysqld.log: monitored [OK]
Reloading ossec-hids: [ OK ]
Checking rkhunter settings
Checking for rkhunter installation: installed [OK]
rkhunter set to: enabled [OK]
Notifications sent to: redacted [OK]
SSH root login check: enabled [OK]
Detected Plesk Environment
ftp_psa : enabled [OK]
poppassd_psa : enabled [OK]
smtp_psa : enabled [OK]
smtps_psa : enabled [OK]
submission_psa : enabled [OK]
Checking ssh settings
Enforce Protocol Version 2: enforced [OK]
Strict modes enabled: enforced [OK]
Ignore .rhosts: enforced [OK]
Enforce Public Key authentication for users: enforced [OK]
Checking Admin users
Checking redacted directory [OK]
Checking redacted authorized_keys: found [OK]
Disable Root Logins: no [HIGH]
Disable Password Authentication: yes [OK]
Enable Privilege separation: enabled [OK]
Disallow GSSAPIAuthentication: enforced [OK]
Disallow GSSAPICleanupCredentials: enforced [OK]
SSH Banner: disabled [INFO]
Enable UseDNS: enforced [OK]
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Checking httpd settings
Verify HTTP TRACE disabled: verified [OK]
Verify SSLv2 disabled: verified [OK]
Checking mod_evasive settings
Checking for mod_evasive installation: installed [OK]
mod_evasive set to: enabled [OK]
DOSHashTableSize set to: 4096 [OK]
DOSPageCount set to: 5 [OK]
DOSSiteCount set to: 200 [OK]
DOSPageInterval set to: 2 [OK]
DOSSiteInterval set to: 2 [OK]
DOSBlockingPeriod set to: 25 [OK]
checking: redacted [OK]
Checking Mysql security settings
mysql security policy set to: enforced [OK]
Mysql Local LOAD DATA: disabled [OK]
Mysql Log Errors: enabled [OK]
Mysql Log authentication failures: enabled [OK]
Mysql symbolic links : disabled [OK]
Mysql query caching: enabled [OK]
Restarting clamav, this could take a moment...
Checking clamav settings
Checking for clamav installation: installed [OK]
ClamAV set to: enabled [OK]
Clamd listen address: 127.0.0.1 [OK]
Clamd log to syslog: yes [OK]
Clamav is in: application-only mode
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon: [ OK ]
Checking psmon settings
Checking for psmon installation: installed [OK]
psmon set to: enabled [OK]
Notifications to: redacted [OK]
From line set to: redacted [OK]
Checking System services monitored by psmon
clamd: monitored [OK]
courier-imap: monitored [OK]
crond: monitored [OK]
httpd: monitored [OK]
mysqld: monitored [OK]
named: monitored [OK]
spamassassin: monitored [OK]
sshd: monitored [OK]
xinetd: monitored [OK]
tortixd: monitored [OK]
ossec-dbd: monitored [OK]
Stopping psmon: [ OK ]
Starting psmon: [ OK ]
Generating Report: Complete
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-SMALLPACKETS ah -- 0.0.0.0/0 0.0.0.0/0 length 0:35
ASL-SMALLPACKETS esp -- 0.0.0.0/0 0.0.0.0/0 length 0:49
ASL-SMALLPACKETS 47 -- 0.0.0.0/0 0.0.0.0/0 length 0:39
ASL-SMALLPACKETS 30 -- 0.0.0.0/0 0.0.0.0/0 length 0:31
ASL-SMALLPACKETS icmp -- 0.0.0.0/0 0.0.0.0/0 length 0:27
ASL-SMALLPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 length 0:39
ASL-SMALLPACKETS udp -- 0.0.0.0/0 0.0.0.0/0 length 0:27
ASL-BADPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=128
ASL-BADPACKETS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=64
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x2B
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0D
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1C
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x03
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x29/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x22/0x22
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
ASL-IGNORE-BC all -- 0.0.0.0/0 224.0.0.0/24
ASL-IGNORE-BC udp -- 0.0.0.0/0 255.255.255.255
ASL-IGNORE-BC tcp -- 0.0.0.0/0 255.255.255.255
ASL-FRAGMENTS all -f 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-TORTIXD-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-Firewall-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASL-SMTP_OUT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
ASL-SMTP_OUT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ASL-PLESK-UPDATES tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5224 state NEW
ASL-UPDATES tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ASL-FRAGMENTS all -f 0.0.0.0/0 0.0.0.0/0
ASL-SPAMASSASSIN-UPDATES all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-ACTIVE-RESPONSE (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-BADPACKETS (2 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_BADPACKET '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-BLACKLIST (1 references)
target prot opt source destination
Chain ASL-BLACKLIST-DROP-LOG (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_BLACKLIST_BLOCK '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-FRAGMENTS (2 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_FRAGMENT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-Firewall-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:30000
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-GEO-BLACKLIST (1 references)
target prot opt source destination
Chain ASL-GEO-BLACKLIST-DROP-LOG (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_GEO_BLOCK '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-IGNORE-BC (3 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-PLESK-UPDATES (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 77.245.23.80 tcp dpt:5224 state NEW
Chain ASL-PORTSCAN (21 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_PORTSCAN '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-SMALLPACKETS (7 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_TOOSMALL '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-SMTP_OUT (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 2521
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 owner UID match 2521
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 89
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 owner UID match 89
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 owner UID match 0
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:465
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 15 level 6 prefix `ASL_SMTP_OUT '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ASL-SPAMASSASSIN-UPDATES (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:24441 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:24441 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2703 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6277 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6277 state NEW
Chain ASL-TORTIXD-ACL (1 references)
target prot opt source destination
Chain ASL-UPDATES (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 80.82.124.228 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 69.20.6.166 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.195.110 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 208.68.233.251 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.112.216 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.166.51 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 198.71.51.132 tcp dpt:443 state NEW
Lemonbit Internet Dedicated Server Management
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL 3.2.8 Firewall changes (alpha)
OK, I think I know what it is, the filename convention:
Change this:
INPUT-mysql-tcp-3306-any
To this:
INPUT-mysql-tcp-3306-any-acl
You must have "-acl" at the end, or it won't process it. The naming convention has changed (this is an alpha feature after all and it wouldn't be any fun if we didn't change things. No seriously, the name needed to change so we could support other chain types and easily identify these files):
Naming convention for file is now:
INPUT-<name>-<protocol>-<port>-any-acl
Example:
INPUT-mysql-tcp-3306-any-acl
Fields in filename you can change:
INPUT - this defines the chain it goes into, INPUT is the only supported chain right now. In the future we will add support for other chains.
name - an arbitrary alphanumeric name; this must be unique, as it will be used to name the chain and you can't have duplicate chain names. Example: smtp1
protocol - any supported iptables protocol on the system that takes a port as an argument.
port - 1-65535
Michael Shinn
Atomicorp - Security For Everyone
Re: ASL 3.2.8 Firewall changes (alpha)
Great, that was it. Thank you for your help, I didn't know the file name convention changed.
mikeshinn wrote:
OK, I think I know what it is, the filename convention:
Change this:
INPUT-mysql-tcp-3306-any
To this:
INPUT-mysql-tcp-3306-any-acl
Wouldn't it be a good idea to create a wiki page about this feature to prevent situations like these? Of course, I'd be glad to contribute to the wiki page once I've tested more with this feature.
Just one thing, you've said that the firewall rules "didn't look right"; what exactly didn't look right according to you? Since you are THE firewall guru on this forum I am very interested to read your reply. This is a test setup with a 'standard' ASL firewall (the only customizations that were made, were made by switching FW_* settings in the ASL configuration).
Lemonbit Internet Dedicated Server Management
Re: ASL 3.2.8 Firewall changes (alpha)
I noticed that you will also need to add the local IPs in the INPUT ACL for MySQL, otherwise applications such as ASL Web that use TCP MySQL connections won't be able to connect.
Lemonbit Internet Dedicated Server Management
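Two pitfalls surface in this thread: a file named under the old convention (no "-acl" suffix) is silently ignored, and a MySQL ACL that omits the host's own addresses cuts off local clients such as ASL Web. Both can be caught before the firewall policy is reloaded. The POSIX sh script below is an added example written for this thread, not Atomicorp's own loader (what ASL itself accepts may differ). It assumes the alpha convention INPUT-<name>-<protocol>-<port>-any-acl, one IPv4 address per line in each file, and a protocol list (tcp, udp, udplite, sctp, dccp) that is my own reading of "any protocol that takes a port". It reports filenames that do not match, duplicate names, malformed addresses, and, as a warning, files that do not list 127.0.0.1; the exit status is the error count.

```shell
#!/bin/sh
# Pre-flight checker for the ASL alpha ACL files in /etc/asl/firewall.
# Added example for this thread; NOT Atomicorp's loader, which may accept
# or reject other things. Assumptions: filenames follow
#   INPUT-<name>-<protocol>-<port>-any-acl
# each file holds one IPv4 address per line, and the accepted protocol
# list below is my guess at "protocols that take a port".

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad with octets 0-255.
valid_ipv4() {
    addr=$1
    case $addr in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                               # split on the dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# parse_acl_name FILE: succeed and print "name protocol port" when the bare
# filename follows the convention; the trailing "-acl" is mandatory, since
# the thread shows a file without it being silently ignored.
parse_acl_name() {
    oldifs=$IFS; IFS=-
    set -- $1                                  # split on the dashes
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    [ "$1" = INPUT ] || return 1               # INPUT is the only chain so far
    [ "$5" = any ] && [ "$6" = acl ] || return 1
    case $2 in ""|*[!A-Za-z0-9]*) return 1 ;; esac            # alphanumeric name
    case $3 in tcp|udp|udplite|sctp|dccp) ;; *) return 1 ;; esac  # assumed list
    case $4 in ""|*[!0-9]*) return 1 ;; esac
    [ "$4" -ge 1 ] && [ "$4" -le 65535 ] || return 1
    printf '%s %s %s\n' "$2" "$3" "$4"
}

# check_acl_dir DIR: validate every INPUT-* file in DIR. Prints one finding
# per line (ERROR or WARN) and returns the number of errors (0 = clean).
check_acl_dir() {
    dir=$1
    errors=0
    seen=" "
    for path in "$dir"/INPUT-*; do
        [ -f "$path" ] || continue             # glob matched nothing
        base=${path##*/}
        if ! fields=$(parse_acl_name "$base"); then
            echo "ERROR $base: name does not match INPUT-<name>-<protocol>-<port>-any-acl"
            errors=$((errors + 1))
            continue
        fi
        set -- $fields
        name=$1; proto=$2; port=$3
        case $seen in *" $name "*)
            echo "ERROR $base: name '$name' already used; chain names must be unique"
            errors=$((errors + 1)) ;;
        esac
        seen="$seen$name "
        has_localhost=0
        lineno=0
        while IFS= read -r entry || [ -n "$entry" ]; do
            lineno=$((lineno + 1))
            [ -n "$entry" ] || continue        # blank lines are ignored
            if valid_ipv4 "$entry"; then
                [ "$entry" = 127.0.0.1 ] && has_localhost=1
            else
                echo "ERROR $base:$lineno: '$entry' is not an IPv4 address"
                errors=$((errors + 1))
            fi
        done < "$path"
        # The thread reports local TCP clients (ASL Web -> MySQL) being cut
        # off when the host's own addresses are missing; only 127.0.0.1 can
        # be checked without knowing the host, so this is a warning.
        [ "$has_localhost" -eq 1 ] ||
            echo "WARN $base: 127.0.0.1 not listed; local clients of $proto/$port will be blocked"
    done
    return $errors
}

# Stand-alone use:  sh acl-check.sh /etc/asl/firewall
# Exit status is the error count, so it can gate the firewall reload.
if [ -n "${1:-}" ]; then
    check_acl_dir "$1"
    exit $?
fi
```

Run it against the live directory before reloading the policy; a non-zero exit means at least one file would be ignored or mis-parsed. The 127.0.0.1 check is deliberately a warning rather than an error, because a file for a service that is only ever reached remotely legitimately has no local entry, and the host's other interface addresses cannot be known from the file alone.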
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL 3.2.8 Firewall changes (alpha)
The invalid rules were missing, so my guess is a stored config existed.
Just one thing, you've said that the firewall rules "didn't look right"; what exactly didn't look right according to you? Since you are THE firewall guru on this forum I am very interested to read your reply. This is a test setup with a 'standard' ASL firewall (the only customizations that were made, were made by switching FW_* settings in the ASL configuration).
Michael Shinn
Atomicorp - Security For Everyone
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: ASL 3.2.8 Firewall changes (alpha)
Well there's no point in making a wiki page for this since I know it's going to change again. More needs to be sorted out here, like multiple interface/multiple port tuples, chains, policies etc. This was really an exercise in trying to find a more intuitive way to work with policies.
Re: ASL 3.2.8 Firewall changes (alpha)
Alright. How do you suggest I keep myself informed about changes to this feature? I really welcome this feature and would be glad to contribute (by testing etc.), since it is a great and intuitive way to deal with simple custom firewall rules, and it doesn't make you dependent on the Web GUI.
scott wrote:
Well there's no point in making a wiki page for this since I know it's going to change again. More needs to be sorted out here, like multiple interface/multiple port tuples, chains, policies etc. This was really an exercise in trying to find a more intuitive way to work with policies.
Lemonbit Internet Dedicated Server Management