Greetings.

After the recent security incidents I am trying to increase the security of my computer by closing unnecessary ports from the outside world. The only listening port in my system right now is port 631 (ipp), as "lsof -i | grep -i listen" reports:

************************************************************************
cupsd 2349 root 10u IPv4 37790 0t0 TCP *:ipp (LISTEN)
cupsd 2349 root 11u IPv6 37791 0t0 TCP *:ipp (LISTEN)
************************************************************************

I tried disabling cups services, but then printing stopped working. So ok, I need a connection from my computer to port 631 for printing. But that port should be closed from all other computers. At the moment it is open to the outside world (10.13.3.247 is the address of my computer in LAN):

************************************************************************
[jarmo@localhost ~]$ nmap -sT 10.13.3.247
Nmap scan report for 10.13.3.247
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
************************************************************************

I tried to close the port using firewalld. But the port does not seem to be open, and the firewall cannot close it. I can freely take a telnet connection to the port. The first commands show that firewalld is running and iptables is not.

************************************************************************
[jarmo@localhost ~]$ systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Fri 2014-10-31 07:27:45 EET; 3h 58min ago
[jarmo@localhost ~]$ systemctl status iptables.service
iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
[jarmo@localhost ~]$ firewall-cmd --state
running
[jarmo@localhost ~]$ firewall-cmd --get-active-zones
public
  interfaces: em1
[jarmo@localhost ~]$ firewall-cmd --zone=public --list-ports
[jarmo@localhost ~]$ firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: em1
  sources:
  services: dhcpv6-client mdns
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[jarmo@localhost ~]$ firewall-cmd --zone=public --remove-port=631/tcp
Warning: NOT_ENABLED: '631:tcp' not in 'public'
[jarmo@localhost ~]$ nmap -sT 10.13.3.247
Nmap scan report for 10.13.3.247
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
[jarmo@localhost ~]$ telnet 10.13.3.247 631
Trying 10.13.3.247...
Connected to 10.13.3.247.
Escape character is '^]'.
************************************************************************

So I must be doing something wrong. My questions are:

1. Have I diagnosed the situation correctly? Is port 631 really open to the outside world?
2. If port 631 is open, why can I not close it using firewalld?
3. What is the best way to deny connections to the port from any other computer than that of my own? Is it the approach I have taken now?

Thank you for all your help in advance.

Jarmo
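
Added example, not part of the original post: a shell function that reads `lsof -i` lines like the ones quoted in the message and classifies each TCP listener by its bind address, where `*` in the NAME column means the socket is bound to every interface. The first two sample lines are taken from the post; the last two, including the process name `exampled`, are constructed for illustration.

```sh
#!/bin/sh
# Classify TCP listeners from `lsof -i` output by bind address.
# Reads lsof lines on stdin, prints: <scope> <command> <pid> <family> <name>
#   wildcard = bound to all interfaces (the "*:ipp" case in the post)
#   loopback = bound to localhost / 127.x.x.x / [::1] only
#   specific = bound to one non-loopback address
classify_listeners() {
    awk '
        $NF == "(LISTEN)" && $(NF-2) == "TCP" {
            name = $(NF-1)              # NAME column, e.g. *:ipp or [::1]:631
            addr = name
            sub(/:[^:]*$/, "", addr)    # strip the trailing :port
            if (addr == "*")
                scope = "wildcard"
            else if (addr == "localhost" || addr == "[::1]" || addr ~ /^127\./)
                scope = "loopback"
            else
                scope = "specific"
            print scope, $1, $2, $5, name
        }'
}

# Number of listeners bound to all interfaces (0 when none).
count_wildcard() {
    classify_listeners | awk '$1 == "wildcard" { n++ } END { print n + 0 }'
}

# Sample input: lines 1-2 are from the post, lines 3-4 are constructed.
SAMPLE='cupsd 2349 root 10u IPv4 37790 0t0 TCP *:ipp (LISTEN)
cupsd 2349 root 11u IPv6 37791 0t0 TCP *:ipp (LISTEN)
cupsd 4000 root 12u IPv4 40001 0t0 TCP localhost:ipp (LISTEN)
exampled 4100 root 3u IPv4 40002 0t0 TCP 10.13.3.247:8080 (LISTEN)'

printf '%s\n' "$SAMPLE" | classify_listeners
```

On a live system the same function can be fed with `lsof -i | classify_listeners`.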