Closing ports in jail with ipfw

Ernie Luzar luzar722 at gmail.com
Fri Dec 16 01:56:31 UTC 2016


marcel wrote:
> On Thu, 15 Dec 2016 09:33:33 +0800,
> Ernie Luzar <luzar722 at gmail.com> wrote:
> 
>> marcel wrote:
>>> On Mon, 05 Dec 2016 08:31:19 +0800,
>>> Ernie Luzar <luzar722 at gmail.com> wrote:
>>>   
>>>> marcel wrote:  
>>>>> Hi there,
>>>>>
>>>>> I've created a jail and when I do an nmap on its IP, I can see that
>>>>> ports 25 and 22 are open, but I don't want them. So I've tried to create
>>>>> an IPFW rule by adding 'ipwf -q add 00290 deny all from router to
>>>>> jail' to my host ipfw conf file and applied it, but the jail's ports are
>>>>> still open. How can I close or open the ports of my jail?
>>>>>
>>>>> Thanks!    
>>>> You cannot run nmap on the host targeting the jail's IP. Doing so
>>>> only shows you open ports on the host. You have to run nmap from a
>>>> computer on a different public IP address targeting the public IP
>>>> address assigned to the jail. If the jail is using a non-routable IP
>>>> address, nmap is useless for looking for open jail ports.  
>>> Hi! Sorry for the silence, I was not able to answer. Yeah, I understand;
>>> maybe netstat -an in the jail is more useful? When I do that I see
>>> ports 25 and 514 are open, but, although I haven't looked yet at what this
>>> port 514 is, I imagine both of these ports are not closable (or it's
>>> not advised), isn't it? 
>>>   
>> On the host, port 25 is sendmail and port 514 is syslog.
>>
>> https://www.grc.com/port_514.htm
>>
>> The syslog server opens port 514 and listens for incoming syslog
>> event notifications (carried by UDP protocol packets) generated by
>> remote syslog clients. Any number of client devices can be programmed
>> to send syslog event messages to whatever servers they choose.
>>
>> This defaults to off on a clean install of FreeBSD.
>> You must have a statement in your /etc/rc.conf file that enables it.
>>
>>
> 
> Okay, thanks for the clarifications on port 514.
> When you say "This defaults to off on a clean install of FreeBSD", you
> mean that this is the default on the default install, but we can put it
> off on a clean modified FreeBSD install?
> 

Yes.
In rc.conf: syslogd_flags="-ss"
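An added example, not part of this thread: the reply above recommends checking listeners with netstat -an from inside the jail rather than nmap from the host, and closing syslogd's socket with syslogd_flags="-ss". This POSIX sh audit parses FreeBSD-style `netstat -an` output taken inside a jail, lists what is actually bound, and flags anything outside an allow-list; the netstat output and the jail address 10.0.0.5 are constructed sample data.

```sh
#!/bin/sh
# Audit a jail's real listeners from `netstat -an` run INSIDE the jail.
# Constructed sample: a jail at 10.0.0.5 where sendmail (25/tcp) and a
# default syslogd (514/udp) are still bound; one inbound ssh session too.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.25            *.*                    LISTEN
tcp4       0      0 10.0.0.5.22            *.*                    LISTEN
udp4       0      0 *.514                  *.*
tcp4       0      0 10.0.0.5.22            192.0.2.10.51514       ESTABLISHED'

# listeners: print "proto/port" for every LISTENing TCP socket and every
# bound UDP socket on stdin, sorted and deduplicated. The port is the text
# after the last dot of the local address (works for *.514 and IPv6 too).
listeners() {
    awk '
        function port(addr,   n, a) { n = split(addr, a, "."); return a[n] }
        $1 ~ /^tcp/ && $6 == "LISTEN" { print "tcp/" port($4) }
        $1 ~ /^udp/                   { print "udp/" port($4) }
    ' | sort -u
}

# unexpected ALLOWED...: read "proto/port" lines on stdin and print those
# not in the allow-list given as arguments.
unexpected() {
    allow=" $* "
    while read -r l; do
        case "$allow" in
            *" $l "*) ;;           # allowed, stay quiet
            *) echo "$l" ;;        # anything else is a finding
        esac
    done
}

# Usage with the constructed sample. On a real host you would feed
#   jexec "$JAIL" netstat -an | listeners | unexpected tcp/22
# and, for udp/514, add syslogd_flags="-ss" to the jail's /etc/rc.conf.
echo "$SAMPLE_NETSTAT" | listeners | unexpected tcp/22
```

With the sample this prints tcp/25 and udp/514, the two ports the thread found open; once syslogd runs with -ss the udp/514 line disappears.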


More information about the freebsd-jail mailing list