Network / Server Status
Please check often for network / Server updates here!
#1
Network Modification "LOOK"
Starting on Monday May 12th I will be making some security changes to our Cisco firewall. We will only be allowing certain ports as well as protocols to enter the network. I am compiling the ACL with the other admins as well as psoft to get a current list of the ports to leave open, i.e. inbound as well as outbound, double-checking that I didn't miss any. I will be running the configuration tonight on my own Cisco rack @ home to ensure compatibility. If however during the course of the modifications you notice that a certain port was missed you can email support@vortechhosting as we will be monitoring this throughout the upgrade if we missed one. As I will be at the console port during configuration, there should only be a momentary reload of the router as I save the config to flash.
Just submit the port as well as the service you need and I can fix it immediately. i.e. Examples:
port needed:22 Reason/Service:ssh
port needed:23 Reason/Service:telnet
#2
OK, I don't know what these ports are and what I should be checking. Please steer me in the right direction.
#3
I should have most of them covered, so really nothing for you to do. If you see a service not "co-operating" just submit a ticket. As soon as we implement this we will be doing port scans to check availability throughout the network and adjusting where necessary.
#4
I am experiencing a problem with my FTP client. May be related to this thread.
When I do FTP with ws_FTP pro (after establishing FTP successfully) it tries to open the connection using some other random port numbers like 4950, 4982 etc. But, since they are already "BLOCKED" connection fails. It takes a lot of time to complete the FTP commands and uploading due to this.
---------------
WINSOCK.DLL: WinSock 2.0
WS_FTP Pro 6.51T 2000.05.15, Copyright © 1992-2000 Ipswitch, Inc.
- -
connecting to 216.157.129.232:21
Connected to 216.157.129.232 port 21
220 ProFTPD 1.2.8 Server (Main FTP Server) [unix5.hsphere.cc]
USER <USER_NAME>
331 Password required for niroshav.
PASS (hidden)
230 User <USER_NAME> logged in.
PWD
257 "/" is current directory.
Host type (I): UNIX (standard)
PASV
227 Entering Passive Mode (216,157,129,232,19,86).
connecting to 216.157.129.232:4950
- -
connecting to 216.157.129.232:4950
! Connection failed 216.157.129.232 - error 10051
! connect: error 0
PORT 203,94,94,40,5,220
200 PORT command successful
LIST
150 Opening ASCII mode data connection for file list
Received 1084 bytes in 0.2 secs, (52.63 Kbps), transfer succeeded
226 Transfer complete.
PWD
257 "/" is current directory.
PASV
227 Entering Passive Mode (216,157,129,232,19,118).
connecting to 216.157.129.232:4982
- -
connecting to 216.157.129.232:4982
! Connection failed 216.157.129.232 - connection timed out
! connect: error 0
PORT 203,94,94,40,5,224
200 PORT command successful
LIST
150 Opening ASCII mode data connection for file list
Received 1084 bytes in 0.1 secs, (66.67 Kbps), transfer succeeded
226 Transfer complete.
--------------
PLEASE SEE THE ERROR LINES ABOVE
Are there any others experiencing the same?
__________________
meelan ;-)
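The "random" ports in the log above come from the server's 227 replies, which encode the data port as p1*256 + p2. The following is an added example, not part of the original thread, that decodes each negotiated data channel and lists the passive ports a port-number-only inbound ACL would drop; the log excerpt is a constructed subset of the post's log, and `ALLOWED_INBOUND_TCP` is an assumed allowlist, not the host's actual ACL.

```python
import re

# Constructed sample: a subset of the WS_FTP session log quoted in the post above.
SESSION_LOG = """\
227 Entering Passive Mode (216,157,129,232,19,86).
! Connection failed 216.157.129.232 - error 10051
PORT 203,94,94,40,5,220
200 PORT command successful
227 Entering Passive Mode (216,157,129,232,19,118).
! Connection failed 216.157.129.232 - connection timed out
PORT 203,94,94,40,5,224
"""

# Assumption: a static inbound TCP allowlist holding a few of the ports named in the thread.
ALLOWED_INBOUND_TCP = {21, 22, 25, 53, 80, 110, 143, 443}

HOSTPORT = re.compile(r"(\d{1,3})" + r",(\d{1,3})" * 5)

def decode_hostport(text):
    """Decode FTP's h1,h2,h3,h4,p1,p2 form into (ip, port); port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    octets = [int(g) for g in m.groups()] if m else []
    if not octets or any(o > 255 for o in octets):
        return None  # not a host-port tuple, or a field outside 0-255
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def data_channels(log):
    """Return (mode, ip, port, initiator) for each data connection negotiated in the log."""
    found = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("227 "):
            mode, initiator = "passive", "client"   # client connects in to the server
        elif line.upper().startswith("PORT "):
            mode, initiator = "active", "server"    # server connects out to the client
        else:
            continue
        decoded = decode_hostport(line)
        if decoded:
            found.append((mode, decoded[0], decoded[1], initiator))
    return found

def blocked_by_static_acl(log, allowed=ALLOWED_INBOUND_TCP):
    """Passive data ports that a port-number-only inbound ACL in front of the server drops."""
    return [port for mode, _, port, _ in data_channels(log)
            if mode == "passive" and port not in allowed]

if __name__ == "__main__":
    print(data_channels(SESSION_LOG), blocked_by_static_acl(SESSION_LOG))
```

Pinning the FTP server to a fixed passive port range and permitting only that range, or using stateful FTP inspection on the firewall, lets these data connections through without opening every high port.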
#5
Try turning off PASV mode, though if you have a NAT you may not be able to connect at all then.
I suspect you're right about the slowdowns though being related to the port changes on the router, no doubt Alan will follow this up. Just wondering which direction were the ports blocked, Alan? Outgoing? (which I guess could cause this problem) or just incoming, which may be all you probably need anyway unless you don't trust your internal network too well (which may be the case if you don't have full control of the segment I guess).
Last edited by Brangwyn : 05-13-2003 at 08:29 AM.
#6
The Ports I know I need right now
port:10000 service:webmin - web administration interface (VERY IMPORTANT)
port:9999 service:Urchin
port:21 service:ftp
port:22 service:ssh
port:22(UDP) service:ssh
port:25 service:smtp
port:53 service:dns
port:53(UDP) service:dns
port:79 service:finger
port:80 service:apache
port:8080 service:tomcat
port:110 service:pop3
port:110(UDP) service:pop3
port:119 service:news
port:123 service:nettime
port:143 service:imap2
port:160-161(UDP) service:snmp
port:194 service:irc
port:220 service:imap3
port:220(UDP) service:imap3
port:389 service:ldap
port:443 service:apache ssl
port:443(UDP) service:apache ssl
port:540 service:uucp
port:1220 service:darwin streaming server admin
port:2401 service:cvs
port:2401(UDP) service:cvs
port:554 service:darwin ss
port:3306 service:mysql
port:3306(udp) service:mysql
port:7070 service:darwin ss
port:6970-6999(UDP) service:darwin ss
port:8000 service:darwin ss
#7
damn smileys
#8
I didn't think pop3 used UDP at all.
#9
payne, are you a colo customer? If so, just send a ticket to support@vortechhosting.com; we can set these for the IP address of your server only or leave you wide open, either way.
__________________
Brad Pugh
http://www.vortechhosting.com
------
Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest
XML FEED http://nagios.hsphere.cc/feed.xml
------
My Other Life:
#10
Secure IMAP seems to be blocked now
SSL access to IMAP mailserver stopped working after 8am today!
IMAPv4 over SSL uses port 993. Will file a support ticket now.
#11
Question and this firewall. Can I rightly assume that you're using the PIX Series or better? If so I fail to see why passive ftp would be an issue as long as you're utilizing SPI. While posting the config would be bad for obvious reasons, could you please verify if you are using SPI?
__________________
http://www.wonderer.net/
#12
Brangwyn:
Turning off PASSIVE transfer helped me to get rid of the problem. Thankz
__________________
meelan ;-)
#13
Glad that worked for you Lankan