Firewall Configuration: Difference between revisions

Line 18: Line 18:
<tr><td>HTTPS</td><td>443</td><td>tcp</td><td></td></tr>
<tr><td>HTTPS</td><td>443</td><td>tcp</td><td></td></tr>
<tr><td>SMTPS</td><td>465</td><td>tcp</td><td></td></tr>
<tr><td>SMTPS</td><td>465</td><td>tcp</td><td></td></tr>
<tr><td>SMTP Submission</td><td>587</td><td>tcp</td><td></td></tr>
<tr><td>IMAPS</td><td>993</td><td>tcp</td><td></td></tr>
<tr><td>IMAPS</td><td>993</td><td>tcp</td><td></td></tr>
<tr><td>POP3S</td><td>995</td><td>tcp</td><td></td></tr>
<tr><td>POP3S</td><td>995</td><td>tcp</td><td></td></tr>

Revision as of 18:01, 12 February 2016

Firewall Configuration

   KB 1875        Last updated on 2016-02-12  




0.00
(0 votes)

Although the Zimbra Installation instructions tell you install Zimbra on a system without a firewall, you can get Zimbra to work on a system as long as all needed ports are opened on the firewall.

Needed Ports

Standard Zimbra ports

SMTP25tcp
HTTP80tcpshould probably be limited by a firewall to your local network only
POP3110tcpshould probably be limited by a firewall to your local network only
IMAP143tcp should probably be limited by a firewall to your local network only
LDAP389tcpshould probably be limited by a firewall to your local network only
HTTPS443tcp
SMTPS465tcp
SMTP Submission587tcp
IMAPS993tcp
POP3S995tcp
(Admin Interface)7071tcpshould probably be limited by a firewall to your local network only
LMTP7025tcpshould probably be limited by a firewall to your local network only

Cluster Suite Ports

These would only be used on a zimbra cluster. All of these ports should be limited by a firewall to your local network only.

  • rgmanager
    • port 41966/tcp
    • port 41967/tcp
    • port 41968/tcp
    • port 41969/tcp
  • ccsd
    • port 50006/tcp
    • port 50007udp
    • port 50008/tcp
    • port 50009/tcp
  • dlm
    • port 21064/tcp
  • cman
    • port 6809/udp
  • gnbd
    • port 14567/tcp

Example Configuration Files

RedHat Advanced Server

The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.

/etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable ssh and snmp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24
# enable zimbra ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
# enable cluster communications
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809  -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


add this rule after "ESTABLISHED,RELATED" rule if your network has layer remote 2/3 devices (i mean bridges and/or mpls links) or is simply messy

-A RH-Firewall-1-INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK RST,ACK -j ACCEPT




insert this rules if you want binacle (logs!) i assume that zimbra's hosts don't deliver ips (dhcp server)


-A RH-Firewall-1-INPUT -i lo -j ACCEPT #existing rule,only written for locating

-A RH-Firewall-1-INPUT -d 255.255.255.255 -j DROP

-A RH-Firewall-1-INPUT -d 10.10.3.255 -j DROP

-A RH-Firewall-1-INPUT -m multiport -p tcp --dports 67,68,135,137,138,139,445,631,1025 -j DROP

-A RH-Firewall-1-INPUT -m multiport -p udp --dports 67,68,135,137,138,139,445,631,1025 -j DROP

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT #existing rule,only written for locating




-A RH-Firewall-1-INPUT -j LOG -m limit --limit 10/m --log-prefix "DROP ON INPUT: " --log-tcp-options --log-ip-options --log-level INFO

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited #existing rule,only written for locating COMMIT


Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 1/26/2007
Article ID: https://wiki.zimbra.com/index.php?title=Firewall_Configuration Date Modified: 2016-02-12



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search