IPFW block syslogd port

spring_64

Hi all,
I want to block the syslogd port so that it cannot listen to other hosts.

This is the rule I wrote:
Code:
ipfw -q add 1 reject tcp from any to any dst-port 514

Is it right?
 

ShelLuser

The syntax seems good at first sight; you can always check ipfw(8) to make sure.

Thing is though: why would you want to add this? There's no direct need on FreeBSD because the syslog daemon doesn't normally listen on any external ports. See also /etc/defaults/rc.conf, syslogd_flags in particular. By default -s is used, which means:
Code:
     -s      Operate in secure mode.  Do not log messages from remote
             machines.  If specified twice, no network socket will be opened
             at all, which also disables logging to remote machines.
See also syslogd(8).

There's also another concern: setting up a firewall by closing off specific ports is a pretty poor security design. After all: what happens when someone opens and abuses a port of their own? Usually that's also the kind of thing you want to prevent from happening with a firewall.

So instead of blocking specific ports set up the opposite: block everything and then open the port(s) you need to have available on your network.
 

SirDice

Syslog uses UDP by default.

If you want to stop syslog from listening on the network, add to /etc/rc.conf:
Code:
syslogd_flags="-ss"

spring_64

I added this flag to syslog in /etc/rc.conf, but when I run `nmap` on port 514, it shows it. I want it rejected. I don't know, maybe I should use pf instead of ipfw.
 

SirDice


Maybe you should read the nmap(1) manual page and look up what 'filtered' actually means and how it relates to a TCP or UDP scan.

Code:
       filtered
           Nmap cannot determine whether the port is open because packet
           filtering prevents its probes from reaching the port. The filtering
           could be from a dedicated firewall device, router rules, or
           host-based firewall software. These ports frustrate attackers
           because they provide so little information. Sometimes they respond
           with ICMP error messages such as type 3 code 13 (destination
           unreachable: communication administratively prohibited), but
           filters that simply drop probes without responding are far more
           common. This forces Nmap to retry several times just in case the
           probe was dropped due to network congestion rather than filtering.
           This slows down the scan dramatically.
 