
Re: More UDP drama, and firewalling questions.

Posted: Thu Jun 17, 2010 4:59 pm
by faris
Changing the Plesk Accept all to Deny all is a one-click thing.

I don't actually have the Plesk firewall anywhere so I can't be more specific than this:

You'll see a list of various rules, with red, green or amber icons next to them.
After the various rules there will be one final rule, with a description that means something along the lines of "Policy for everything else". It will have a green icon. Click on the icon. It turns to red. You are now on deny everything by default.

BUT.....guess what? You then have a problem because passive FTP will stop working (passive ftp requires some ports to be open above 1024 -- which you just closed by switching the policy to deny all!).

So don't bother and just go the APF route. APF is smart and knows about FTP, and deals with such issues for you.

I don't honestly know the best way to install apf when you have the plesk firewall installed first. I would say remove the plesk module (within the control panel - you can just switch it off or remove the module in the modules section [not the updater] -- again I don't remember in detail - have a look).

The install of apf is covered in howtos all over the web. Here's one: http://www.webhostgear.com/61.html

The key thing is to open the ports you want to allow the world to access via the IG_TCP_CPORTS and IG_UDP_CPORTS lines in /etc/apf/conf.apf.

The ports listed in the howto I linked to are of no use.

For a Plesk setup, something like this is better (again in /etc/apf/conf.apf):

IG_TCP_CPORTS="20,21,25,53,80,110,143,443,465,993,995,8443"
IG_UDP_CPORTS="53"

All the above ports will then be accessible to anyone, from any source.

Notice the distinct lack of port 22 (ssh) and 30000 (ASL)?

To open ports to a limited range of IPs, you use the /etc/apf/allow_hosts.rules file.

In here you might add a line like:

d=3310:s=aaa.bbb.ccc.ddd

where d=destination port (mysql in this case) and aaa.bbb.ccc.ddd is your DSL connection's static IP.

Or just add a line with your static IP and nothing else, which allows all ports from that IP.

The syntax can be found at the start of that file.

There's also an /etc/apf/deny_hosts.rules where you can add a list of IPs you want to block totally, one per line.

And in /etc/apf/conf.apf you'll find loads of things you can enable to download lists of bad IPs automatically.

Read through that configuration file. Don't change things you don't understand.

Some things I would suggest:
SET_REFRESH="0"
SET_TRIM="0"

By default, apf flushes (clears) all rules after 5 minutes and leaves your firewall down. This is to make sure you don't lock yourself out after installing for the first time.

Once you are sure all is well, edit /etc/apf/conf.apf and set DEVEL_MODE=0 instead of 1.

Don't forget to make the modification I mentioned in an earlier post to allow it to work with asl.

To load apf and its rules, use:
apf -s

To flush (clear) all rules, use

apf -f

Note that if you have a lot of firewall rules (e.g. a long deny list) it can take a long time to load.



********** IF YOU HAVE A VPS **********
1) Do not load loads of firewall rules. Not all rules may load (there is often a limit), including a vital deny all one at the end that you definitely don't want to miss off!
2) On Virtuozzo VPSes, set SET_MONOKERN=1
3) RAB probably won't work on a Virtuozzo VPS as the required kernel module isn't loaded. I've tried and failed on this.

As with all messing around, you are strongly encouraged to experiment on a non-live server before you begin, so that you can get a feel for how things work.

Remember that Microsoft's VirtualPC is free, and you can load the distro of your choice in it and play with APF there first. You can also load Plesk with the one-domain free key etc.

Microsoft's VirtualPC is not the best, but it is free, and sometimes nothing is better than free.

** Warning: All of the above was one of my usual BrainDumps with no checking to make sure I'm right about anything. Use at your own risk. If you fry your server or lock yourself out or get hacked or anything at all bad happens then it is your own fault for reading this, and not my fault in any way, shape or form. You have been warned!
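An added example, not from faris's post or the APF project: an offline check of the conf.apf and allow_hosts.rules values discussed above before running `apf -s`. It models only the syntax shown in the post (IG_TCP_CPORTS/IG_UDP_CPORTS, `d=PORT:s=IP` and bare-IP lines, DEVEL_MODE) and uses constructed sample files and documentation-range IPs; real APF accepts more forms than this.

```python
import re
# Constructed sample of the conf.apf lines the post discusses (not a real server's file).
CONF_APF = """
IG_TCP_CPORTS="20,21,25,53,80,110,143,443,465,993,995,8443"
IG_UDP_CPORTS="53"
SET_REFRESH="0"
SET_TRIM="0"
DEVEL_MODE="1"
"""

# Constructed allow_hosts.rules: port 3310 from one static IP, plus a bare IP line.
ALLOW_HOSTS = """
d=3310:s=203.0.113.10
198.51.100.7
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
def parse_conf(text):
    """Map KEY -> value for KEY="value" (or KEY=value) lines in conf.apf."""
    return dict(re.findall(r'^\s*([A-Z_]+)="?([^"\n]*)"?\s*$', text, re.M))

def parse_allow(text):
    """Return (port or None, source_ip) pairs; None means every port from that IP."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"d=(\d+):s=(" + IPV4 + ")", line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
        elif re.fullmatch(IPV4, line):
            rules.append((None, line))
        else:
            raise ValueError("unrecognised allow_hosts.rules line: " + line)
    return rules

def is_allowed(proto, port, src, conf, allow):
    """Inbound proto/port from src: open-to-all list first, then allow_hosts, else deny."""
    key = "IG_TCP_CPORTS" if proto == "tcp" else "IG_UDP_CPORTS"
    open_to_all = {int(p) for p in conf.get(key, "").split(",") if p}
    if port in open_to_all:
        return True
    # allow_hosts entries in the modelled syntax carry no protocol, so proto is ignored here
    return any(s == src and d in (None, port) for d, s in allow)

def config_warnings(conf):
    """Flag settings the post says to change once you know you are not locked out."""
    notes = []
    if conf.get("DEVEL_MODE") == "1":
        notes.append("DEVEL_MODE=1: apf flushes all rules after 5 minutes")
    return notes
```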

Re: More UDP drama, and firewalling questions.

Posted: Fri Jun 18, 2010 2:35 pm
by mneese77
thanks faris... I am heeding warnings