NIS: enable firewall while open port

Views: 1252 | Replies: 7
Posted 2005-10-9 06:09:07
I am setting up NIS and would like to enable the firewall while opening the port for NIS, but failed.

Here is what I have done.

1. start ypserv with -p option at startup to specify the port:
   /etc/init.d/ypserv start -p 1000

2. system-config-securitylevel to enable firewall. Specify 1000 as other ports
   1000:tcp,1000:udp

but then I can't log on from the client side. If the firewall is disabled, I can log on from the client side.

What should I do to allow the NIS port while enabling the firewall?

Thanks!
Posted 2005-10-9 11:46:37
Open the firewall for the portmap port!
Posted 2005-10-9 12:41:09
I would rather open ports from 1 to 1024 for the 192.168.0.0/24 network.
Original poster | Posted 2005-10-10 08:21:25
en? "open ports from 1 to 1024 for 192.168.0.0/24 network"?

How to achieve this?
Is this allowed during the exam? I thought the exam wants to test if you know how to open each port for each service... If it is allowed, it is wonderful
Original poster | Posted 2005-10-10 21:40:52
I did more tests today. Here is a summary of my questions:

I do have portmap open in my previous test, but it still doesn't work. I found out it is due to my way of starting ypserv. I started ypserv like this:

     /etc/init.d/ypserv -p 1000

This command actually doesn't start ypserv using port 1000. Instead it binds to a random port, which I found out by the command
  
    rpcinfo -p localhost

Then if I add ypserv's port from this list to my open port list, it works fine. NIS can go through when the firewall is enabled with only some ports open.

Here comes the question:

1. How to bind ypserv to a permanent port? It seems there are two ways, but neither works for me, and I guess the cause is the same: how to make ypserv take the port option during startup?

a.  /etc/init.d/ypserv -p portnumber

b. I googled and someone suggested editing /etc/init.d/ypserv, finding the start) section and specifying the -p option followed by the port you want to use.

    # See how we were called.
    case "$1" in
    start)
        start -p portnumber
        ;;

2. As yongjian suggested, "open ports from 1 to 1024 for 192.168.0.0/24 network"? How to achieve this? Is this allowed during the exam? I thought the exam wants to test if you know how to open each port for each service... If it is allowed, it is wonderful and saves a lot of trouble
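The mismatch described in this post (the firewall allows 1000/tcp and 1000/udp, but ypserv registered with portmap on some other port) can be checked mechanically by reading `rpcinfo -p` output. The following is an added example, not code from the thread: it parses a constructed sample of `rpcinfo -p localhost` output (the ypserv ports 845 and 848 are invented for the sample), lists the `port:proto` entries the firewall must allow in the syntax system-config-securitylevel uses for "other ports", and reports which of them the configured allow-list is missing.

```python
import re

# Constructed sample of `rpcinfo -p localhost` output on a NIS server (not output
# captured from the poster's machine).  portmap has handed ypserv arbitrary ports
# rather than the 1000 the poster intended.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    845  ypserv
    100004    1   udp    845  ypserv
    100004    2   tcp    848  ypserv
    100004    1   tcp    848  ypserv
    100009    1   udp    847  yppasswdd
"""

# Columns: program version proto port name (the header line has no digits, so it is skipped)
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return (service_name, proto, port) tuples from `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _program, _version, proto, port, name = m.groups()
            entries.append((name, proto, int(port)))
    return entries


def required_openings(entries, services=("portmapper", "ypserv")):
    """Sorted 'port:proto' strings (system-config-securitylevel 'other ports' syntax)
    that the firewall must allow before NIS clients can bind to this server."""
    return sorted({f"{port}:{proto}" for name, proto, port in entries if name in services})


def missing_openings(entries, allowed, services=("portmapper", "ypserv")):
    """Required openings that are absent from the configured allow-list."""
    allowed = set(allowed)
    return [o for o in required_openings(entries, services) if o not in allowed]


if __name__ == "__main__":
    rpc = parse_rpcinfo(SAMPLE_RPCINFO)
    # What the poster configured: only the port ypserv was *supposed* to take.
    print("missing:", missing_openings(rpc, ["1000:tcp", "1000:udp"]))
```

Run against real output with `rpcinfo -p localhost | python3 check.py`-style piping of your own, the point is the same as in the post: portmap (111) has to be open too, and the ypserv entries must be re-read whenever the daemon restarts unless it is pinned to a fixed port.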
Posted 2005-10-11 02:05:58
1. I believe yp is one of the portmap programs, so it will be controlled by the portmap daemon, just like nfs. So portmap will randomly assign ports to them... (Correct me if I am wrong)
2.
    iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 1:1024 -j ACCEPT

Whether to do this or not is up to you. I can't say if it is good for the test or not...
Original poster | Posted 2005-10-11 08:52:27
So there is no way to assign ypserv a specific port? 55555

About open ports, today I happened to do some tests about security and noticed something very very very confusing that I would like to consult with you.

1. If I ENABLE the firewall, don't add any trusted ports/devices or other ports, then use iptables to add a rule to open ports, it doesn't work.

   a. "iptables -F " to clean up everything.
   b. system-config-securitylevel, just enable firewall, nothing else.
   c. iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 23 -j ACCEPT
   d. service iptables save
   e. try to telnet from 192.168.x.x, but failed. ?????
  
But if I enable the firewall and specify telnet as a trusted port using the gui, it works fine. This sounds very weird... I thought it should behave the same no matter whether you use the gui or use iptables. Any clue?

2. If I DISABLE the firewall, then use iptables to drop ports, it works fine.

   a. "iptables -F " to clean up everything.
   b. system-config-securitylevel, disable firewall.
   c. iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 23 -j DROP
   d. service iptables save
   e. try to telnet from 192.168.x.x, it can't, as expected.

It seems all my iptables rules only work when the firewall is disabled. I thought iptables should add rules to your existing enabled firewall. Am I wrong?

I haven't had a chance to try your suggestion of opening ports 1-1024, but it sounds very similar to my first test. To open ports 1-1024, I need to enable the firewall, right? (Disabling the firewall alone means all ports are already open.) The only difference between my test and your suggestion is that I only open one port, 23, while you open all of 1-1024. If one doesn't work, can I expect all to work? If I can't figure this out, does it mean I have to add all 1024 ports manually using the gui? hehe.....

Anyway I will try yours tomorrow, but maybe I can get more replies from you before I try...... your expertise might save me hours of struggling in the darkness.

Again, thanks a lot!!! I really appreciate all your replies.
Posted 2005-10-11 16:11:41
Post by zaiwen
So there is no way to assign ypserv a specific port? 55555

About open ports, today I happened to do some tests about security and noticed something very very very confusing that I would like to consult with you.

1. If I ENABLE the firewall, don't add any trusted ports/devices or other ports, then use iptables to add a rule to open ports, it doesn't work.

   a. "iptables -F " to clean up everything.
   b. system-config-securitylevel, just enable firewall, nothing else.
   c. iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 23 -j ACCEPT
   d. service iptables save
   e. try to telnet from 192.168.x.x, but failed. ?????
  
But if I enable the firewall and specify telnet as a trusted port using the gui, it works fine. This sounds very weird... I thought it should behave the same no matter whether you use the gui or use iptables. Any clue?

2. If I DISABLE the firewall, then use iptables to drop ports, it works fine.

   a. "iptables -F " to clean up everything.
   b. system-config-securitylevel, disable firewall.
   c. iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 23 -j DROP
   d. service iptables save
   e. try to telnet from 192.168.x.x, it can't, as expected.

It seems all my iptables rules only work when the firewall is disabled. I thought iptables should add rules to your existing enabled firewall. Am I wrong?

I haven't had a chance to try your suggestion of opening ports 1-1024, but it sounds very similar to my first test. To open ports 1-1024, I need to enable the firewall, right? (Disabling the firewall alone means all ports are already open.) The only difference between my test and your suggestion is that I only open one port, 23, while you open all of 1-1024. If one doesn't work, can I expect all to work? If I can't figure this out, does it mean I have to add all 1024 ports manually using the gui? hehe.....

Anyway I will try yours tomorrow, but maybe I can get more replies from you before I try...... your expertise might save me hours of struggling in the darkness.

Again, thanks a lot!!! I really appreciate all your replies.

Why not try

    iptables -nvxL

and take a look once you have enabled the firewall? (Tip: the firewall's rule policy always blocks everything at the last rule, so *APPENDING* rules after that will just be useless...)
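The check behind this tip, written out as an added example that is not part of the thread: a small analyser for `iptables -nvxL` output that flags rules no packet can ever reach because an earlier catch-all REJECT or DROP, or a catch-all jump into a chain that ends in one, terminates every packet first. The sample output is constructed; it is modelled on the RH-Firewall-1-INPUT chain layout that system-config-securitylevel generated on Red Hat/Fedora systems of that period, which is an assumption about the poster's box, not something the thread shows. The appended telnet ACCEPT rule sits after the jump, so it is unreachable and its packet counter stays at zero. The example also reports the position a new rule would need with `iptables -I` (a real option; the thread only uses `-A`).

```python
import re

# Constructed sample of `iptables -nvxL` output (not captured from the poster's machine).
# INPUT jumps into RH-Firewall-1-INPUT, whose last rule rejects everything, and the
# user's telnet ACCEPT was appended to INPUT *after* that jump.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120    10000 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:23

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 90 packets, 7000 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      10      800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      50     4000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
      60     5200 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
TERMINAL_TARGETS = {"DROP", "REJECT"}


def parse_chains(text):
    """Map chain name -> ordered list of rule dicts parsed from `iptables -nvxL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or not fields or fields[0] == "pkts":
            continue  # blank line or column header
        pkts, _bytes, target, prot, _opt, iface_in, iface_out, src, dst = fields[:9]
        extra = fields[9:]
        # "reject-with ..." is a target option, not a match criterion
        if target == "REJECT" and extra[:1] == ["reject-with"]:
            extra = extra[2:]
        chains[current].append({
            "pkts": int(pkts), "target": target, "prot": prot, "in": iface_in,
            "out": iface_out, "src": src, "dst": dst, "extra": " ".join(extra),
        })
    return chains


def matches_everything(rule):
    """True when the rule has no match criteria at all."""
    return (rule["prot"] == "all" and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and rule["extra"] == "")


def swallows_all(chains, name, seen=()):
    """True if no packet entering chain `name` can return to the caller: the chain
    contains a catch-all DROP/REJECT, or a catch-all jump to a chain that swallows all."""
    if name in seen:  # guard against loops in a malformed ruleset
        return False
    for rule in chains.get(name, []):
        if not matches_everything(rule):
            continue
        if rule["target"] in TERMINAL_TARGETS:
            return True
        if rule["target"] in chains and swallows_all(chains, rule["target"], seen + (name,)):
            return True
    return False


def unreachable_rules(chains, name):
    """(index, rule) pairs in chain `name` that follow the first rule terminating every packet."""
    rules = chains.get(name, [])
    for i, rule in enumerate(rules):
        terminal = rule["target"] in TERMINAL_TARGETS or (
            rule["target"] in chains and swallows_all(chains, rule["target"]))
        if terminal and matches_everything(rule):
            return list(enumerate(rules))[i + 1:]
    return []


def insert_position(chains, name):
    """1-based rule number to pass to `iptables -I <chain> <n>` so that a new rule
    lands before the first rule that swallows every packet (or at the end if none)."""
    bad = unreachable_rules(chains, name)
    if not bad:
        return len(chains.get(name, [])) + 1
    return bad[0][0]  # 0-based index of first unreachable rule == 1-based number of the swallowing rule


if __name__ == "__main__":
    table = parse_chains(SAMPLE_IPTABLES)
    for idx, rule in unreachable_rules(table, "INPUT"):
        print(f"INPUT rule {idx + 1} ({rule['target']} {rule['extra']}) is unreachable, pkts={rule['pkts']}")
    print("insert new INPUT rules at position", insert_position(table, "INPUT"))
```

The zero packet counter on the flagged rule is the same evidence `iptables -nvxL` gives by hand: an ACCEPT that never matches anything while the REJECT above it keeps counting. The practical consequence for the poster's test is that the telnet rule has to be inserted at position 1 of INPUT (or placed inside RH-Firewall-1-INPUT above its final REJECT), which is exactly what the gui's "trusted port" option does on the poster's behalf.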