On 10/31/14 17:34, Jarmo Hurri wrote:
> Greetings.
>
> After the recent security incidents I am trying to increase the security
> of my computer by closing unnecessary ports from outside world.
>
> The only listening port in my system right now is port 631 (ipp), as
> "lsof -i | grep -i listen" reports:
>
> ************************************************************************
> cupsd     2349   root   10u  IPv4  37790      0t0  TCP *:ipp (LISTEN)
> cupsd     2349   root   11u  IPv6  37791      0t0  TCP *:ipp (LISTEN)
> ************************************************************************
>
> I tried disabling cups services, but then printing stopped working.
>
> So ok, I need a connection from my computer to port 631 for
> printing. But that port should be closed from all other computers. At
> the moment it is open to the outside world (10.13.3.247 is the address
> of my computer in LAN):
>
> ************************************************************************
> [jarmo@localhost ~]$ nmap -sT 10.13.3.247
> Nmap scan report for 10.13.3.247
> Not shown: 999 closed ports
> PORT    STATE SERVICE
> 631/tcp open  ipp
> ************************************************************************
>
> I tried to close the port using firewalld. But the port does not seem to
> be open, and the firewall cannot close it. I can freely take a telnet
> connection to the port. The first commands show that firewalld is
> running and iptables is not.
>
> ************************************************************************
> [jarmo@localhost ~]$ systemctl status firewalld.service
> firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
>    Active: active (running) since Fri 2014-10-31 07:27:45 EET; 3h 58min ago
>
> [jarmo@localhost ~]$ systemctl status iptables.service
> iptables.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
>
> [jarmo@localhost ~]$ firewall-cmd --state
> running
>
> [jarmo@localhost ~]$ firewall-cmd --get-active-zones
> public
>   interfaces: em1
>
> [jarmo@localhost ~]$ firewall-cmd --zone=public --list-ports
>
> [jarmo@localhost ~]$ firewall-cmd --zone=public --list-all
> public (default, active)
>   interfaces: em1
>   sources: 
>   services: dhcpv6-client mdns
>   ports: 
>   masquerade: no
>   forward-ports: 
>   icmp-blocks: 
>   rich rules: 
>
> [jarmo@localhost ~]$ firewall-cmd --zone=public --remove-port=631/tcp
> Warning: NOT_ENABLED: '631:tcp' not in 'public'
>
> [jarmo@localhost ~]$ nmap -sT 10.13.3.247
> Nmap scan report for 10.13.3.247
> Not shown: 999 closed ports
> PORT    STATE SERVICE
> 631/tcp open  ipp
>
> [jarmo@localhost ~]$ telnet 10.13.3.247 631
> Trying 10.13.3.247...
> Connected to 10.13.3.247.
> Escape character is '^]'.
> ************************************************************************
>
> So I must be doing something wrong. My questions are:
>
> 1. Have I diagnosed the situation correctly? Is port 631 really open to
>    the outside world?
>
> 2. If port 631 is open, why can I not close it using firewalld?
>
> 3. What is the best way to deny connections to the port from any other
>    computer than that of my own? Is it the approach I have taken now?
>
> Thank you for all your help in advance.
>

There is more than one way to achieve your goal.  Also, you may have a 
configuration issue with your network interface making things "obscure".

First off,

cupsd 2349 root 10u IPv4 37790 0t0 TCP *:ipp (LISTEN)

Does indicate that it is listening on all interfaces.  You can prevent this by 
editing your /etc/cups/cupsd.conf to contain the line....

Listen localhost:631

Which will result in

cupsd     2377     root   11u  IPv4  29156      0t0  TCP localhost:ipp (LISTEN)

If you do only that, the port will remain "open" but nobody outside of your 
system will be able to communicate.

Next, please note that iptables.service is different from and separate to 
firewalld.service.  So, forget about it.

Also, you can use firewall-config to manage basic firewalld settings from a GUI.

To close the port you'd uncheck "ipp" ....  kind of obvious.  Now, the kicker 
is that there are multiple zones and you should check to ensure your network 
interface is tied to the zone you are changing.

Hope that helps....

-- 
If you can't laugh at yourself, others will gladly oblige.
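Added example, not from either poster: a small POSIX sh audit of the cupsd.conf Listen/Port directives the reply describes, classifying each as loopback-only or exposed to the LAN, plus a helper that asks firewalld which zone an interface is bound to (the "kicker" in the reply). The sample config, the function names and the interface name em1 are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample cupsd.conf (not the poster's real file). "Port N" binds
# every address, so it counts as exposed just like "Listen *:631".
SAMPLE_CONF='# constructed sample cupsd.conf
Listen localhost:631
Listen /run/cups/cups.sock
Port 631
Listen *:631
Listen 10.13.3.247:631
Listen [::1]:631'

# classify_listen KEYWORD VALUE -> prints "local", "exposed" or "unknown".
classify_listen() {
    case "$1" in
        Port)   echo exposed; return ;;            # Port = all addresses
        Listen) ;;
        *)      echo unknown; return ;;
    esac
    case "$2" in
        /*)                              echo local ;;   # UNIX domain socket
        localhost:*|127.*:*|\[::1\]:*)   echo local ;;   # loopback only
        *)                               echo exposed ;; # wildcard or LAN IP
    esac
}

# audit_cupsd_conf: reads cupsd.conf text on stdin and prints one
# "exposed: <directive>" line for every directive reachable from the network.
audit_cupsd_conf() {
    # read -r does no glob expansion, so "*:631" stays literal
    while read -r kw val _rest; do
        case "$kw" in ''|\#*) continue ;; esac
        [ "$kw" = Listen ] || [ "$kw" = Port ] || continue
        if [ "$(classify_listen "$kw" "$val")" = exposed ]; then
            echo "exposed: $kw $val"
        fi
    done
}

# zone_of_interface IFACE: which firewalld zone the interface is bound to,
# so you change the zone that actually applies (needs firewalld running).
zone_of_interface() {
    firewall-cmd --get-zone-of-interface="$1"
}

printf '%s\n' "$SAMPLE_CONF" | audit_cupsd_conf
# On the live box: sudo sh -c '. ./audit.sh; audit_cupsd_conf < /etc/cups/cupsd.conf'
```

After changing cupsd.conf to the loopback-only form and restarting cups, the lsof line in the reply (TCP localhost:ipp) is what you should see, and the nmap scan from another host will no longer show 631/tcp.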

-- 
users mailing list
[email protected]
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org