How to disable ssh from RED

Security Firewall Rules
21

Yesterday around 11 pm I noticed again that port 53 is open. I had SSH off. Otherwise, port 22 would probably also have been open. I also noticed that IPS was disabled again.
I had rebooted IPFire an hour or two before.
After reboot everything was normal again.

How can this be?

Is there a problem with IPFire under certain circumstances and no one but me has noticed it yet?

    iptables -L -n -v -t nat
    iptables -L -n -v -t raw
    route
    ifconfig
    netstat -tulpen

iptables -L -n -v -t nat:

Chain PREROUTING (policy ACCEPT 57184 packets, 3785K bytes)
pkts bytes target prot opt in out source destination
59611 3991K CUSTOMPREROUTING all – * * 0.0.0.0/0 0.0.0.0/0
59611 3991K CAPTIVE_PORTAL all – * * 0.0.0.0/0 0.0.0.0/0
59611 3991K SQUID all – * * 0.0.0.0/0 0.0.0.0/0
59590 3990K NAT_DESTINATION all – * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 5476 packets, 419K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 4731 packets, 295K bytes)
pkts bytes target prot opt in out source destination
5480 340K NAT_DESTINATION all – * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1072 packets, 71003 bytes)
pkts bytes target prot opt in out source destination
47887 3129K CUSTOMPOSTROUTING all – * * 0.0.0.0/0 0.0.0.0/0
47887 3129K OVPNNAT all – * * 0.0.0.0/0 0.0.0.0/0
47887 3129K IPSECNAT all – * * 0.0.0.0/0 0.0.0.0/0
47887 3129K NAT_SOURCE all – * * 0.0.0.0/0 0.0.0.0/0
47887 3129K NAT_DESTINATION_FIX all – * * 0.0.0.0/0 0.0.0.0/0
47887 3129K REDNAT all – * * 0.0.0.0/0 0.0.0.0/0

Chain CAPTIVE_PORTAL (1 references)
pkts bytes target prot opt in out source destination

Chain CUSTOMPOSTROUTING (1 references)
pkts bytes target prot opt in out source destination

Chain CUSTOMPREROUTING (1 references)
pkts bytes target prot opt in out source destination

Chain IPSECNAT (1 references)
pkts bytes target prot opt in out source destination

Chain NAT_DESTINATION (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp – * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:53 limit: avg 10/sec burst 20 LOG flags 0 level 4 prefix "DNAT "
0 0 REDIRECT tcp – * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:53
2009 169K LOG udp – * * 192.168.1.0/24 0.0.0.0/0 udp dpt:53 limit: avg 10/sec burst 20 LOG flags 0 level 4 prefix "DNAT "
2009 169K REDIRECT udp – * * 192.168.1.0/24 0.0.0.0/0 udp dpt:53

Chain NAT_DESTINATION_FIX (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1000000/0xf000000 to:192.168.1.1
0 0 SNAT all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000000/0xf000000 to:192.168.2.1
0 0 SNAT all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x4000000/0xf000000 to:192.168.50.1

Chain NAT_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain OVPNNAT (1 references)
pkts bytes target prot opt in out source destination

Chain REDNAT (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all – * red0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
46137 3017K MASQUERADE all – * red0 0.0.0.0/0 0.0.0.0/0

Chain SQUID (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp – green0 * 0.0.0.0/0 yy.yy.yy.yy tcp dpt:80
21 1344 REDIRECT tcp – green0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
0 0 RETURN tcp – blue0 * 0.0.0.0/0 yy.yy.yy.yy tcp dpt:80
0 0 REDIRECT tcp – blue0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

iptables -L -n -v -t raw

Chain PREROUTING (policy ACCEPT 4265K packets, 5969M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1039K packets, 4583M bytes)
pkts bytes target prot opt in out source destination

route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 1002 0 0 red0
YY.YY.YY.0 0.0.0.0 255.255.255.0 U 1002 0 0 red0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 green0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 blue0
192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 orange0

ifconfig

blue0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.2.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:67:2a:7a:7e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x91200000-9121ffff

green0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:67:2a:7a:7d txqueuelen 1000 (Ethernet)
RX packets 2153282 bytes 183168783 (174.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4195981 bytes 5826863231 (5.4 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x91100000-9111ffff

imq0: flags=195<UP,BROADCAST,RUNNING,NOARP> mtu 1500
ether 56:f4:ff:97:a6:b6 txqueuelen 32 (Ethernet)
RX packets 13250572 bytes 6512138154 (6.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13250572 bytes 6512138154 (6.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 46671 bytes 11990116 (11.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 46671 bytes 11990116 (11.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

orange0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.50.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:67:2a:7a:7f txqueuelen 1000 (Ethernet)
RX packets 278954 bytes 51278893 (48.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 312828 bytes 198013770 (188.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x91300000-9131ffff

red0: flags=67<UP,BROADCAST,RUNNING> mtu 1500
inet yy.yy.yy.yy netmask 255.255.255.0 broadcast YY.YY.YY.255
ether 00:e0:67:2a:7a:7c txqueuelen 1000 (Ethernet)
RX packets 15943212 bytes 6689500457 (6.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1084823 bytes 136145966 (129.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x91000000-9101ffff

netstat -tulpen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 192.168.2.1:3128 0.0.0.0:* LISTEN 0 23793 3942/(squid-1)
tcp 0 0 127.0.0.1:800 0.0.0.0:* LISTEN 0 23794 3942/(squid-1)
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 0 19821 2128/unbound
tcp 0 0 192.168.1.1:3128 0.0.0.0:* LISTEN 0 23791 3942/(squid-1)
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 19819 2128/unbound
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 124906 3078/sshd: /usr/sbi
tcp 0 0 192.168.1.1:800 0.0.0.0:* LISTEN 0 23790 3942/(squid-1)
tcp 0 0 192.168.2.1:800 0.0.0.0:* LISTEN 0 23792 3942/(squid-1)
tcp6 0 0 :::81 :::* LISTEN 0 23962 4323/httpd
tcp6 0 0 :::444 :::* LISTEN 0 23966 4323/httpd
tcp6 0 0 :::1013 :::* LISTEN 0 23970 4323/httpd
udp 0 0 0.0.0.0:44527 0.0.0.0:* 23 23778 3942/(squid-1)
udp 0 0 0.0.0.0:53 0.0.0.0:* 0 19818 2128/unbound
udp 0 0 0.0.0.0:67 0.0.0.0:* 0 23505 4291/dhcpd
udp 0 0 yy.yy.yy.yy:68 0.0.0.0:* 0 24800 4031/dhcpcd: [netwo
udp 0 0 192.168.50.1:123 0.0.0.0:* 0 23476 4209/ntpd
udp 0 0 192.168.1.1:123 0.0.0.0:* 0 23474 4209/ntpd
udp 0 0 yy.yy.yy.yy:123 0.0.0.0:* 0 23472 4209/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 0 23470 4209/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 0 23465 4209/ntpd
udp 0 0 0.0.0.0:514 0.0.0.0:* 0 17951 2088/syslogd
udp6 0 0 :::123 :::* 0 23462 4209/ntpd

22

Port 53 (DNS) was open again. IPS was also switched off.
What is going on?

I’m afraid I have to use another firewall distribution (even though I like IPFire). Maybe I’ll also reinstall IPFire first.

23

I ran the Heise Security test and it checked my public ip. It reported back “Gratulation, der Test hat keine Probleme gefunden,” which means no problems found. My firewall is core 162, x86_64, ssh is open for 17 days now. I suggest you reinstall ipfire.

24

Thanks for feedback.
Normally, the Heise SecurityCheck also runs through like yours. But then all of a sudden I run the test and completely unexpectedly DNS port 53 is open (and sometimes the IPS is off). After restarting ipfire everything is OK again.

I will probably have to reinstall IPFire and then watch it further.

25

Hi,

thank you for that detailed post, and keeping track of the issue in general.

Could you post the output of iptables -L -n -v (without -t nat/raw) again once you discover these ports to be publicly reachable again?

Also, is there anything in the logs indicating why the IPS stopped? Which IPFire version are you running on? Are there any customisations made to this system?

Thanks, and best regards,
Peter Müller

26

Blockquote
Could you post the output of iptables -L -n -v (without -t nat/raw) again once you discover these ports to be publicly reachable again?

Yes!

Blockquote
Also, is there anything in the logs indicating why the IPS stopped?

No. But maybe I was looking in the wrong place. I’m not that deep into it (I’m very busy at work at the moment, which is why I don’t have much time). For that I need some instruction.

Which IPFire version are you running on?

IPFire 2.27 (x86_64) - Core Update 162
I have been using IPFire since last fall. Always have the latest version installed.

Are there any customisations made to this system?
No. I had played around with the script once: URL Filter and self updating blacklists? - #16 by mutley But it is currently uninstalled again and I had the problem before.

I still have a Pi-Hole running: Redirect all traffic from Green to PiHole - #13 by anon87475738

These packages are installed:

  • clamav
  • cpufrequtils
  • fireperf
  • iperf3
  • mcelog (see below)
  • nano
  • powertop (Not used, as it did not work in the last attempt. Have a CoreBoot FW, maybe that is the reason?)
  • speedtest-cli
  • squidclamav

Sometimes there are these errors.

“WARNING: Kernel Errors Present
mce: [Hardware Error]: Machine check …: 2 Time(s)”

I have not been able to figure out what this is. Ram?

Then there are error messages (kernel) about the QoS (but they have nothing to do with the above problem):

1 Time(s): Actions configured
1 Time(s): Performance counters on
1 Time(s): input device check on
1 Time(s): 8021q: 802.1Q VLAN Support v1.8
1 Time(s): 8021q: adding VLAN 0 to HW filter on device blue0
1 Time(s): 8021q: adding VLAN 0 to HW filter on device green0
1 Time(s): 8021q: adding VLAN 0 to HW filter on device orange0
1 Time(s): 8021q: adding VLAN 0 to HW filter on device red0
1 Time(s): Adding 1048572k swap on /dev/sda3. Priority:1 extents:1 across:1048572k SSFS
1 Time(s): GACT probability on
1 Time(s): HTB: quantum of class 10001 is big. Consider r2q change.
1 Time(s): HTB: quantum of class 10110 is small. Consider r2q change.
1 Time(s): HTB: quantum of class 10120 is small. Consider r2q change.
1 Time(s): HTB: quantum of class 20001 is big. Consider r2q change.
1 Time(s): HTB: quantum of class 20200 is big. Consider r2q change.
1 Time(s): HTB: quantum of class 20203 is big. Consider r2q change.
1 Time(s): HTB: quantum of class 20204 is big. Consider r2q change.
1 Time(s): HTB: quantum of class 20210 is small. Consider r2q change.
1 Time(s): HTB: quantum of class 20220 is small. Consider r2q change.
1 Time(s): Kernel log daemon terminating.
1 Time(s): Kernel logging (proc) stopped.
1 Time(s): Mirror/redirect action on
1 Time(s): cfg80211: Loaded X.509 cert ‘sforshee: 00b28ddf47aef9cea7’
1 Time(s): cfg80211: Loading compiled-in X.509 certificates for regulatory database
1 Time(s): htb: too many events!
1 Time(s): igb 0000:01:00.0 red0: igb: red0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
1 Time(s): igb 0000:02:00.0 green0: igb: green0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
1 Time(s): igb 0000:04:00.0 orange0: igb: orange0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
1 Time(s): perf: interrupt took too long (2548 > 2500), lowering kernel.perf_event_max_sample_rate to 78000
1 Time(s): perf: interrupt took too long (3236 > 3185), lowering kernel.perf_event_max_sample_rate to 61000
1 Time(s): perf: interrupt took too long (4064 > 4045), lowering kernel.perf_event_max_sample_rate to 49000
1 Time(s): perf: interrupt took too long (5540 > 5080), lowering kernel.perf_event_max_sample_rate to 36000
1 Time(s): perf: interrupt took too long (6957 > 6925), lowering kernel.perf_event_max_sample_rate to 28000
1 Time(s): u32 classifier
1 Time(s): xt_geoip: loading out-of-tree module taints kernel.

That was from yesterday. Today there is much less so far.

In Orange there is an Edgerouter running OpenWRT and doing DHCP and DNS. With this I bypassed the limitations of IPFIre 2.x, because I wanted to completely separate the two computers that are in orange from my others.
This is just for information.

27

Again.

iptables -L -n -v -t nat

Chain PREROUTING (policy ACCEPT 5 packets, 415 bytes)
pkts bytes target prot opt in out source destination
18242 1727K CUSTOMPREROUTING all – * * 0.0.0.0/0 0.0.0.0/0
18242 1727K CAPTIVE_PORTAL all – * * 0.0.0.0/0 0.0.0.0/0
18242 1727K SQUID all – * * 0.0.0.0/0 0.0.0.0/0
18183 1723K NAT_DESTINATION all – * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5407 335K NAT_DESTINATION all – * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12752 1168K CUSTOMPOSTROUTING all – * * 0.0.0.0/0 0.0.0.0/0
12752 1168K OVPNNAT all – * * 0.0.0.0/0 0.0.0.0/0
12752 1168K IPSECNAT all – * * 0.0.0.0/0 0.0.0.0/0
12752 1168K NAT_SOURCE all – * * 0.0.0.0/0 0.0.0.0/0
12752 1168K NAT_DESTINATION_FIX all – * * 0.0.0.0/0 0.0.0.0/0
12752 1168K REDNAT all – * * 0.0.0.0/0 0.0.0.0/0

Chain CAPTIVE_PORTAL (1 references)
pkts bytes target prot opt in out source destination

Chain CUSTOMPOSTROUTING (1 references)
pkts bytes target prot opt in out source destination

Chain CUSTOMPREROUTING (1 references)
pkts bytes target prot opt in out source destination

Chain IPSECNAT (1 references)
pkts bytes target prot opt in out source destination

Chain NAT_DESTINATION (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp – * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:53 limit: avg 10/sec burst 20 LOG flags 0 level 4 prefix "DNAT "
0 0 REDIRECT tcp – * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:53
0 0 LOG udp – * * 192.168.1.0/24 0.0.0.0/0 udp dpt:53 limit: avg 10/sec burst 20 LOG flags 0 level 4 prefix "DNAT "
0 0 REDIRECT udp – * * 192.168.1.0/24 0.0.0.0/0 udp dpt:53

Chain NAT_DESTINATION_FIX (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1000000/0xf000000 to:192.168.1.1
0 0 SNAT all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000000/0xf000000 to:192.168.2.1
0 0 SNAT all – * * 0.0.0.0/0 0.0.0.0/0 mark match 0x4000000/0xf000000 to:192.168.50.1

Chain NAT_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain OVPNNAT (1 references)
pkts bytes target prot opt in out source destination

Chain REDNAT (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all – * red0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
11340 1076K MASQUERADE all – * red0 0.0.0.0/0 0.0.0.0/0

Chain SQUID (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp – green0 * 0.0.0.0/0 95.88.160.23 tcp dpt:80
59 3776 REDIRECT tcp – green0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
0 0 RETURN tcp – blue0 * 0.0.0.0/0 95.88.160.23 tcp dpt:80
0 0 REDIRECT tcp – blue0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

———————

iptables -L -n -v -t raw

Chain PREROUTING (policy ACCEPT 5132K packets, 5667M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 598K packets, 1107M bytes)
pkts bytes target prot opt in out source destination

—————

route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 green0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 blue0
192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 orange0

———

ifconfig

blue0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.2.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:67:2a:7a:7e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x91200000-9121ffff

green0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:67:2a:7a:7d txqueuelen 1000 (Ethernet)
RX packets 989289 bytes 93710152 (89.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3238553 bytes 4533201680 (4.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x91100000-9111ffff

imq0: flags=195<UP,BROADCAST,RUNNING,NOARP> mtu 1500
ether 6a:d9:bf:40:d3:5d txqueuelen 32 (Ethernet)
RX packets 8574082 bytes 5525621206 (5.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8574082 bytes 5525621206 (5.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 156825 bytes 365904915 (348.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 156825 bytes 365904915 (348.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

orange0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.50.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 00:e0:67:2a:7a:7f txqueuelen 1000 (Ethernet)
RX packets 187591 bytes 37627578 (35.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 306013 bytes 332869593 (317.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x91300000-9131ffff

red0: flags=3<UP,BROADCAST> mtu 1500
ether 00:e0:67:2a:7a:7c txqueuelen 1000 (Ethernet)
RX packets 8578919 bytes 5526762659 (5.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1071218 bytes 123486893 (117.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x91000000-9101ffff

netstat -tulpen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 192.168.2.1:3128 0.0.0.0:* LISTEN 0 23933 3489/(squid-1)
tcp 0 0 192.168.1.1:3128 0.0.0.0:* LISTEN 0 23931 3489/(squid-1)
tcp 0 0 192.168.1.1:800 0.0.0.0:* LISTEN 0 23930 3489/(squid-1)
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 0 18652 2137/unbound
tcp 0 0 127.0.0.1:800 0.0.0.0:* LISTEN 0 23934 3489/(squid-1)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 79817 21339/sshd: /usr/sb
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 18650 2137/unbound
tcp 0 0 192.168.2.1:800 0.0.0.0:* LISTEN 0 23932 3489/(squid-1)
tcp6 0 0 :::444 :::* LISTEN 0 25652 3871/httpd
tcp6 0 0 :::81 :::* LISTEN 0 25648 3871/httpd
tcp6 0 0 :::1013 :::* LISTEN 0 25656 3871/httpd
udp 0 0 0.0.0.0:52030 0.0.0.0:* 23 23921 3489/(squid-1)
udp 0 0 0.0.0.0:53 0.0.0.0:* 0 18649 2137/unbound
udp 0 0 0.0.0.0:67 0.0.0.0:* 0 25610 3844/dhcpd
udp 0 0 192.168.50.1:123 0.0.0.0:* 0 24729 3764/ntpd
udp 0 0 192.168.1.1:123 0.0.0.0:* 0 24727 3764/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 0 24723 3764/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 0 24718 3764/ntpd
udp 0 0 0.0.0.0:514 0.0.0.0:* 0 17963 2097/syslogd
udp6 0 0 :::123 :::* 0 24715 3764/ntpd exx.xx.xxx.xx

28

Unfortunately, I overlooked this post. Now I have rebooted and the problem is away (till next time).

I thought the problem is finally gone (with one of the latest update). But earlier I noticed that IPS was off (and other services). In the Heise test DNS was open (ssh I had disabled; otherwise probably ssh would have been open too).

Unfortunately I have little time and depend on internet. Will soon try a complete reinstallation with IPFire. If this happens again, I will have to say goodbye to IPFire.

29

Hi,

frankly, I find this attitude disappointing:

Without sufficient information, “assuming” a problem would be gone is not helping anybody. Neither is the lack of willingness to provide the missing information, but instead you go into threatening.

This is not how support works here, and I am no longer willing to spend my time on your issue.

EDIT / NOTICE TO OTHER READERS: Should this issue (or a similar looking one) affect you, please open a new thread, answering all of the following questions:

  • What does your IPFire setup look like (if possible, draw a simple diagram of it)?
  • How is IPFire’s RED interface connected to the internet?
  • Which IPFire version are you running on?
  • Are there any 3rd party scripts or modifications to IPFire in place? If so, which ones?
  • What (vulnerability) scanner did you use to spot the issue? What did it display precisely?
  • On IPFire, what is the output of iptables -L -n -v?
  • On IPFire, what is the output of ifconfig?
  • What does your firewall ruleset look like (screenshot of it)?
  • When did the problem occur? Is it reproducible? If so, which steps are needed to be taken?

In order to have a chance to help you, it is important for us to have all these information available. Simply opening a new thread saying “scanner X detected Y open ports on my IP address” will accomplish nothing.

Regards,
Peter Müller

2 Likes