Thread: Firewall issue

  1. #1
    Join Date
    Dec 2003
    Posts
    228

    Firewall issue

    Hello,

    I am running FC2 with cPanel & APF.

    Whenever I start the firewall, I cannot log into webmail or the webhost manager. When I stop the firewall, everything works fine.

    I have the following ports open:

    IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666,7786,3000_3500"
    IG_UDP_CPORTS="21,53,465,873,6277"
    IG_ICMP_TYPES="3,5,11,0,30,8"

    EG_TCP_CPORTS="21,25,37,43,53,80,110,113,443,465,873,2089,3306"
    EG_TCP_CPORTS="20,21,53,465,873,6277"
    EG_ICMP_TYPES="all"

    Any thoughts on what might be happening?

    Thanks.

  2. #2
    Join Date
    Oct 2004
    Posts
    133
    It seems to me that the FW blocks the WHM/cPanel/Webmail ports, even though they are open.
    If you wish you can install a cgi proxy which allows WHM/Cpanel/Webmail to be accessed only from port 80.
    You can find the cgi proxy here
    If you do this, remember to change your password after the install.

  3. #3
    Join Date
    Dec 2003
    Posts
    228
    Originally posted by Arny
    It seems to me that the FW blocks the WHM/cPanel/Webmail ports, even though they are open
    That's what's weird. What's the point of opening the ports if they're going to be blocked anyway?? I don't like the idea of using a proxy...

    I even tried to remove APF and re-install but the problem persists.

    Am I missing something here?

    Thanks.

  4. #4
    Join Date
    Oct 2003
    Location
    Long Island, New York
    Posts
    220
    This looks correct... tail -f your /var/log/messages and see what it says when you try to get to WHM. Perhaps that may give you some clues.

    Here is my firewall setting:
    IG_TCP_CPORTS="21,22,25,26,80,110,143,443,465,993,995,2082_2083,2086_2087,2095_2096,50000_50200"
    EG_TCP_CPORTS="20,21,22,25,37,53,43,80,113,443,465,873,2087,2089"

    Note my DNS server is not on this machine:
    IG_UDP_CPORTS=""
    EG_UDP_CPORTS="20,21,53"
    TWSites.com - Business Web Hosting Solutions & Server Management Since 2003

  5. #5
    Join Date
    Dec 2003
    Posts
    228
    Originally posted by DoCk
    This looks correct... tail -f your /var/log/messages and see what it says when you try to get to WHM. Perhaps that may give you some clues.

    Here is my firewall setting:
    IG_TCP_CPORTS="21,22,25,26,80,110,143,443,465,993,995,2082_2083,2086_2087,2095_2096,50000_50200"
    EG_TCP_CPORTS="20,21,22,25,37,53,43,80,113,443,465,873,2087,2089"

    Note my DNS server is not on this machine:
    IG_UDP_CPORTS=""
    EG_UDP_CPORTS="20,21,53"

    Ouch. I did tail -f /var/log/messages, started APF and got a continuous flow of the following error messages:

    May 11 13:37:13 [machine] kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=[ip] DST=[ip] LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=1558 DF PROTO=UDP SPT=53 DPT=53 LEN=97

    May 11 13:37:13 [machine] named[4801]: client [ip#53]: error sending response: host unreachable

    Of course, when I stop APF everything goes back to normal.

    Any thoughts??

  6. #6
    Join Date
    Oct 2003
    Location
    Long Island, New York
    Posts
    220
    Make sure you have port 53 enabled for egress UDP

  7. #7
    Join Date
    Oct 2004
    Posts
    133
    The idea for the proxy is to solve a part of the problem.
    In other cases it is useful when you are at work and the office FW blocks certain ports, like the Webmail port (2096).

  8. #8
    Join Date
    Dec 2003
    Posts
    228
    Originally posted by DoCk
    Make sure you have port 53 enabled for egress UDP
    My setup (with the ports in question bolded):

    IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666,7786,3000_3500"
    IG_UDP_CPORTS="21,53,465,873,6277"
    IG_ICMP_TYPES="3,5,11,0,30,8"

    EG_TCP_CPORTS="21,25,37,43,53,80,110,113,443,465,873,2089,3306"
    EG_TCP_CPORTS="20,21,53,465,873,6277"
    EG_ICMP_TYPES="all"

    Is there another way to open that port??

  9. #9
    Join Date
    Dec 2003
    Posts
    228
    Damn! Thanks.

    You just made me realize that I wrote EG_TCP_CPORTS twice!

    EG_TCP_CPORTS="21,25,37,43,53,80,110,113,443,465,873,2089,3306"
    EG_TCP_CPORTS="20,21,53,465,873,6277" <-- SHOULD BE EG_UDP_CPORTS

    Been looking at the computer tooooooooooooooooooo long.

    Thanks again.
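
    The mistake found above, a key assigned twice so that the second assignment silently replaces the first and EG_UDP_CPORTS is never set at all, is the kind of thing a small lint can catch before the firewall is started. The following Python check is an added example, not code from this thread or from APF; the sample config is constructed from the values posted above, and the set of cPanel ports it expects on ingress TCP is an assumption taken from that same list.

```python
import re
from collections import Counter

# Constructed conf.apf fragment mirroring the config posted in this thread,
# including the EG_TCP_CPORTS line assigned twice (the file is sourced as
# shell, so the second assignment silently replaces the first).
CONF_APF = """
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,3000_3500"
IG_UDP_CPORTS="21,53,465,873,6277"
EG_TCP_CPORTS="21,25,37,43,53,80,110,113,443,465,873,2089,3306"
EG_TCP_CPORTS="20,21,53,465,873,6277"
EG_ICMP_TYPES="all"
"""

ASSIGN = re.compile(r'^\s*([A-Z_]+)="([^"]*)"\s*$')
CPANEL_TCP = {2082, 2083, 2086, 2087, 2095, 2096}   # assumed: cPanel, WHM, webmail

def parse_ports(value):
    """Expand an APF port list such as '20,21,3000_3500' into a set of ints
    (ranges use '_'; 'all' and empty items yield nothing)."""
    ports = set()
    for item in value.split(","):
        if not item or item == "all":
            continue
        lo, _, hi = item.partition("_")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def lint_apf(text):
    """Return a list of findings: keys assigned more than once, egress UDP 53
    missing (what produced the OUT_UDP DROP lines for named in the thread),
    and cPanel ports missing from ingress TCP."""
    seen = Counter()
    effective = {}          # last assignment wins, as the shell would do
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            seen[m.group(1)] += 1
            effective[m.group(1)] = m.group(2)
    findings = [f"{k} is assigned {n} times; only the last value takes effect"
                for k, n in seen.items() if n > 1]
    if "EG_UDP_CPORTS" not in effective:
        findings.append("EG_UDP_CPORTS is never set; with egress filtering on, outbound UDP (DNS on 53 included) is dropped")
    elif 53 not in parse_ports(effective["EG_UDP_CPORTS"]):
        findings.append("EG_UDP_CPORTS does not include 53")
    missing = CPANEL_TCP - parse_ports(effective.get("IG_TCP_CPORTS", ""))
    if missing:
        findings.append(f"IG_TCP_CPORTS lacks cPanel ports {sorted(missing)}")
    return findings
```

    Running lint_apf(CONF_APF) reports the duplicate EG_TCP_CPORTS and the missing EG_UDP_CPORTS; renaming the second line to EG_UDP_CPORTS clears both findings.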

  10. #10
    Join Date
    Oct 2003
    Location
    Long Island, New York
    Posts
    220
    Well that's good then...

  11. #11
    Join Date
    Dec 2003
    Posts
    228
    Originally posted by DoCk
    Well that's good then...
    Another question... Is it normal for the kernel to be dropping a lot of packets? My /var/log/messages is getting filled with the following output:

    May 11 15:30:51 matrix kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=00:02:b3:e8:25:37:00:0f:34:6d:77:00:08:00 SRC=[remote-ip] DST=[local-ip] LEN=505 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=47303 DPT=1027 LEN=485

    Thanks again.

  12. #12
    Join Date
    Oct 2003
    Location
    Long Island, New York
    Posts
    220
    Yes it is quite normal. My server has dropped about 53,000 packets in the last two days alone... you'll be hit with all sorts of stuff, that's what the firewall is there for.

  13. #13
    Join Date
    Dec 2003
    Posts
    228
    Originally posted by DoCk
    Yes it is quite normal. My server has dropped about 53,000 packets in the last two days alone... you'll be hit with all sorts of stuff, that's what the firewall is there for.
    Thanks. I guess I should add the remote ip's to the deny list.

  14. #14
    Join Date
    Oct 2003
    Location
    Long Island, New York
    Posts
    220
    You could, but manually adding all of these is a huge waste of time. Don't worry about it too much, just let the firewall do its thing.
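
    As an added example (not code from this thread), the following Python script sorts kernel DROP lines of the kind shown in posts #5 and #11 into outbound drops, which mean the host's own traffic is being blocked and point to a policy gap like the one found in this thread, and inbound drops, which are the background noise the reply above says to expect. The log sample is constructed with placeholder addresses; only the line format follows the thread.

```python
import re
from collections import Counter

# Constructed sample in the format APF/iptables logging writes to
# /var/log/messages; the addresses are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
May 11 13:37:13 matrix kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=1558 DF PROTO=UDP SPT=53 DPT=53 LEN=97
May 11 13:37:14 matrix kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=110 TOS=0x00 PREC=0x00 TTL=64 ID=1559 DF PROTO=UDP SPT=53 DPT=53 LEN=90
May 11 15:30:51 matrix kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=00:02:b3:e8:25:37:00:0f:34:6d:77:00:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=505 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=47303 DPT=1027 LEN=485
May 11 15:30:52 matrix kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:02:b3:e8:25:37:00:0f:34:6d:77:00:08:00 SRC=203.0.113.78 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2 DF PROTO=TCP SPT=4412 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
May 11 15:30:53 matrix named[4801]: client 198.51.100.5#53: error sending response: host unreachable
"""

DROP = re.compile(r"\*\* (?P<dir>IN|OUT)_(?P<proto>\w+) DROP \*\*(?P<rest>.*)")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_drops(text):
    """Yield one dict per kernel DROP line: direction, protocol, and the
    key=value fields (SRC, DST, SPT, DPT, ...). Lines that are not firewall
    drops, such as the named error, are skipped."""
    for line in text.splitlines():
        m = DROP.search(line)
        if not m:
            continue
        rec = {"dir": m.group("dir"), "proto": m.group("proto")}
        # Two LEN= fields appear (IP and UDP); dict() keeps the last one.
        rec.update(dict(FIELD.findall(m.group("rest"))))
        yield rec

def summarize(text):
    """Split drops into outbound (the host's own traffic, so a likely policy
    gap) and inbound (unsolicited traffic), counting by protocol/port."""
    out_ports, in_ports = Counter(), Counter()
    for rec in parse_drops(text):
        key = f"{rec['proto']}/{rec.get('DPT', '?')}"
        (out_ports if rec["dir"] == "OUT" else in_ports)[key] += 1
    return {"outbound": dict(out_ports), "inbound": dict(in_ports)}
```

    Anything under "outbound" deserves a look at the egress lists; "inbound" counts just show what the firewall is absorbing.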

  15. #15
    Join Date
    Dec 2003
    Posts
    228
    Originally posted by DoCk
    You could, but manually adding all of these is a huge waste of time. Don't worry about it too much, just let the firewall do its thing.
    You're most likely right.
