12-07-2006, 04:56 AM
Firewall the internet
Dear people,
I'm new here.
That said, I just installed Zimbra on a server hosted with serverpronto.com. I had spent 3 days trying to get ISPconfig working and just gave up. Zimbra works great and I'm actually a little uneasy about how easy it was.
Anyway, so this is sitting on the internet. Two IPs, both public facing. (One is the ns1 for DNS, and the other is the ns2. Not ideal, but it's a start.)
I'd like to put a firewall up (currently running without one, eek!) but not sure what ports to worry about, or what some might recommend for a firewall, and so forth. Want to lock it down, but not sure how to go about it.
Aside from zimbra, I've got webmin and use this server to also handle DNS.
I've done some searches but nothing turned up that was helpful.
sysinfo: FC5, 512MB RAM, 40GB HD, 2 WAN IPs, new mint flavor.
12-07-2006, 05:37 AM
Intermediate Member
Posts: 23
netstat
You can use 'netstat -l' or 'netstat -ln' to find on which ports processes are listening. You should keep those ports open.
For firewalls on Linux there's iptables, which can be configured manually or with the help of different tools like Shorewall, Arno's Firewall, etc. Search for Linux firewall and you'll find plenty of examples.
12-07-2006, 06:09 AM
Zimbra Consultant & Moderator
Posts: 19,653
The ports that Zimbra uses are listed here on the wiki: Ports. It really depends on what you want to access from the outside world; as far as Zimbra is concerned you'll need port 25 open and something that will allow you to get your email, so probably 993 for IMAPS and/or 443 for the https web client (you'll need to change Zimbra to use SSL).
__________________
Regards
Bill
Last edited by phoenix; 12-07-2006 at 06:14 AM.
12-07-2006, 06:18 AM
Ah! Perfect. I didn't come across that port list in my searches.
When you say change Zimbra to use SSL, doesn't it use SSL for administration? Or are you referring to using it for accessing the mail?
And Martin, I'm aware of Linux and firewalls, but this is my first time dealing with a server on the internet that I don't have physical access to or anything, so I'm being cautious as I'd hate to firewall myself out. Knowing me, I'd probably end up doing that! So, I didn't know if anyone had any preference such as Shorewall versus iptables or anything like that, or if they know of a good web front end to one (aside from Webmin). I'm just trying to get some input before I start chopping away in an attempt to secure my box.
12-07-2006, 06:33 AM
Intermediate Member
Posts: 23
Shorewall / firewalls
Locking yourself out is something that has to happen to everyone once, I guess.
FYI: I'm setting up a new box with Zimbra in a VM including Shorewall myself currently, but still working on a "perfect" iptables setup. And it's not my top priority right now, so don't ask for an example right now.
I'm testing the Shorewall rules 1st on a local dev box before running them on a production box in the datacenter.
12-07-2006, 06:41 AM
Well, if I DO lock myself out, I have no idea how I'll get back in. Which.... would be bad. I've MAINLY done work behind NAT routers and set up port forwarding and everything that way.
Looking at the list of ports that Zimbra uses, which ones actually need to be open? For example: LMTP? Or MySQL? Since they're local, wouldn't I be OK to block them? LDAP as well...
Obviously POP, IMAP, http/https need to be open, but I'm just not sure ALL those ports need to be open to either IP address.
12-07-2006, 07:06 AM
Zimbra Consultant & Moderator
Posts: 19,653
Quote:
Originally Posted by meesterfox
Ah! Perfect. I didn't come across that port list in my searches.
When you say change Zimbra to use SSL, doesn't it use SSL for administration? Or are you referring to using it for accessing the mail?

Yes, it uses SSL for admin, but by default it only uses http for mail; you need to change it for getting webmail via https. The only ports you need open for Zimbra are the ones I've mentioned above.
__________________
Regards
Bill
12-07-2006, 07:31 AM
Ok, to clarify, that would mean port 25 and port 993 for IMAPS are the only ports in my firewall I would need to open? (assuming I use IMAPS to access my mail)
12-07-2006, 07:36 AM
Intermediate Member
Posts: 23
ssh
That's for Zimbra (test, test, test ...)
And don't forget 22 for ssh ....
12-07-2006, 07:57 AM
Pssh, who needs SSH? I use telnet for everything!
Ok, thanks. Looks like it'll be less ports I need to have open than I thought.
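
The procedure the thread arrives at, as an added example that is not part of any post: compare what `netstat -lnt` reports as listening against the ports named above, then generate a default-drop ruleset for `iptables-restore`. The netstat sample is constructed, port 53 is an assumption based on the host also serving DNS, and Webmin's port is left out because the thread does not give it.

```shell
#!/bin/sh
# TCP ports named in the thread: 22 ssh, 25 SMTP, 443 https webmail, 993 IMAPS.
# 53 is added (assumption) because the poster's host also serves DNS.
TCP_PORTS="22 25 53 443 993"
UDP_PORTS="53"

# Constructed `netstat -lnt` output for illustration, not from a real host.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:25       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:389      0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:993      0.0.0.0:*        LISTEN
tcp        0      0 :::22            :::*             LISTEN
EOF
}

# Read netstat output on stdin; print (space-separated) the TCP ports that
# listen on a non-loopback address but are not in the allow list $1.
# These are the listeners a default-drop policy will hide from the internet.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next   # loopback-only listener
            if (!(port in ok)) print port
        }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Print an iptables-restore ruleset: inbound default DROP, then loopback,
# replies to established connections, and the allowed TCP ($1) / UDP ($2) ports.
emit_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $1; do echo "-A INPUT -p tcp --dport $p -j ACCEPT"; done
    for p in $2; do echo "-A INPUT -p udp --dport $p -j ACCEPT"; done
    echo 'COMMIT'
}

echo "listening but not allowed: $(sample_netstat | unexpected_listeners "$TCP_PORTS")"
emit_rules "$TCP_PORTS" "$UDP_PORTS"
```

On a remote host, schedule a rollback with at(1) that sets the INPUT policy back to ACCEPT and flushes the rules before piping `emit_rules` into `iptables-restore`, and cancel it only after a new ssh session connects.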