[Firehol-support] Re: block all unused ports

Daniel Pittman daniel at rimspace.net
Sat Feb 26 00:02:33 GMT 2005

On 26 Feb 2005, ibk at cyberverse.com wrote:
> I am using firehol 1.214-4 (Debian/Sarge, with packaged kernel
> 2.4.27-2-k7 for basic services on a self-managed server at an ISP)


> blacklist full ""

I don't think this line is doing what you think it is doing.

I suspect you mean to blacklist the network, etc, and if
that is so, you need to specify the network mask.  At the moment you
only block the (normally unused) first address in the class...


> We continually get hit hundreds of "requests" of the sort
> "sshd[21029]: Illegal user admin from
> sshd[21029]: Failed password for illegal user admin from
> port 48594 ssh2"
> from a variety of sources. 

You and everyone else in the world.  It is going around;  usual
recommendations are:

* turn off password auth entirely
* turn off root login via SSH (directly)
* move SSH to another port
* limit access to ssh (port 22) to a smaller source range

> Should we and if so, could we easily block these higher unused ports? 

Er, the port reported there is the *client* port, not the server port.
They are not unused - they are the area that gets allocated (at random)
for the client side.

If you block them, you suddenly lose the ability to SSH to your server
which, I suspect, isn't what you want. ;)


> Also is there any book that we can buy/read that covers firehol and how
> it works etc.. with iptables - so as to get more understanding? 

One of the big advantages, to my mind, of firehol is that it *is*
iptables, pretty much, rather than some other abstract expression of
firewall rules that compiles to iptables.

Anyway, three things:

The O'Reilly book "Building Internet Firewalls", latest version, which
will give you a great grounding on building firewalls and, these days,
possibly even cover iptables itself.

Regardless, it tells you how to build firewalls, and gives hints about
how to translate that into the way your tool represents it.

'firehol explain' -- the most helpful tool in the world.  You run this,
then enter your firehol commands line by line.

Firehol shows you *exactly* what iptables rules it writes for that
command.  Then you know how your expressions translate into iptables
commands, without any wondering or anything.

Finally, 'iptables -vL' and any generic iptables documentation.

That way you can inspect the "finished product" and associate what
firehol built with what they recommend, or ask specific questions about
why it is different.


It may sound strange coming from a research man, but an attempt to get too
many facts will often leave you without any real knowledge at all.
        -- Ernest Dichter
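A small summariser for the sshd lines quoted above, added here as an example and not part of the original thread. It assumes the "Failed password ... from X port N ssh2" line format shown in the quote and the Linux 2.4 default ephemeral port range of 32768-61000; the sample lines and addresses are constructed, and it counts how many of the reported ports fall in that range (i.e. are the client's source port, not a service on the server).

```python
import re
from collections import Counter

# Constructed sample sshd log lines in the format quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
Feb 25 23:41:02 host sshd[21029]: Illegal user admin from 192.0.2.10
Feb 25 23:41:02 host sshd[21029]: Failed password for illegal user admin from 192.0.2.10 port 48594 ssh2
Feb 25 23:41:05 host sshd[21031]: Failed password for illegal user test from 192.0.2.10 port 48611 ssh2
Feb 25 23:42:17 host sshd[21040]: Failed password for illegal user admin from 198.51.100.7 port 33120 ssh2
Feb 25 23:43:00 host sshd[21052]: Failed password for root from 198.51.100.7 port 33135 ssh2
"""

# Older sshd says "illegal user"; newer releases say "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+) ssh2"
)

# Assumption: Linux 2.4 default net.ipv4.ip_local_port_range. Ports in this
# range in these lines are the *client's* ephemeral port, so a firewall rule
# "blocking" them on the server blocks nothing useful and can break your own
# outbound connections.
EPHEMERAL_RANGE = (32768, 61000)


def parse_failures(text):
    """Return a list of (user, source_ip, client_port) per failed-password line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m["user"], m["src"], int(m["port"])))
    return out


def summarize(text):
    """Aggregate failures by source and by attempted username."""
    failures = parse_failures(text)
    lo, hi = EPHEMERAL_RANGE
    return {
        "total": len(failures),
        "by_src": Counter(src for _, src, _ in failures),
        "by_user": Counter(user for user, _, _ in failures),
        "ephemeral_ports": sum(1 for _, _, p in failures if lo <= p <= hi),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} failures, {s['ephemeral_ports']} from ephemeral client ports")
    for src, n in s["by_src"].most_common():
        print(f"  {src}: {n}")
```

The per-source counts are what you would feed a blacklist decision (with a proper network mask, as noted above), not the port numbers.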
