Zimbra wiki article (Community Sandbox). Applies to Zimbra Collaboration 8.6, 8.5 and 8.0; marked Unsupported and work in progress. Article footer date: 1/26/2007. Categories: Configuration, Installation, Ports.
Latest revision as of 13:53, 5 May 2018
Firewall Configuration
Although the Zimbra installation instructions tell you to install Zimbra on a system without a firewall, Zimbra works behind a host firewall as long as every port it needs is open. Opening only those ports, and restricting the internal ones to your own network, is the point of this page.
Needed Ports
Standard Zimbra ports
Service | Port | Protocol | Exposure
SMTP | 25 | tcp | Public
HTTP | 80 | tcp | Local network only (limit at the firewall)
POP3 | 110 | tcp | Local network only (limit at the firewall)
IMAP | 143 | tcp | Local network only (limit at the firewall)
LDAP | 389 | tcp | Local network only (limit at the firewall)
HTTPS | 443 | tcp | Public
SMTPS | 465 | tcp | Public
SMTP Submission | 587 | tcp | Public
IMAPS | 993 | tcp | Public
POP3S | 995 | tcp | Public
Admin console | 7071 | tcp | Local network only (limit at the firewall)
SOAP Auth | 7073 | tcp | Local network only (limit at the firewall)
LMTP | 7025 | tcp | Local network only (limit at the firewall)
Only other Zimbra servers and administrators need the local-only ports: LDAP (389) and LMTP (7025) are server-to-server traffic, and 7071 is the admin console. The plaintext HTTP, POP3 and IMAP ports should stay off the internet in favour of their TLS counterparts (443, 995, 993). Before opening anything else, confirm what is actually listening on the host (ss -ltn or netstat -ltn) rather than guessing.
Cluster Suite Ports (ZCS 7 and earlier, EOL)
These are only used on a Zimbra cluster. All of these ports should be limited by a firewall to your local network only. Cluster support ended with ZCS 7, so later versions of ZCS can ignore this section.
- rgmanager
  - port 41966/tcp
  - port 41967/tcp
  - port 41968/tcp
  - port 41969/tcp
- ccsd
  - port 50006/tcp
  - port 50007/udp
  - port 50008/tcp
  - port 50009/tcp
- dlm
  - port 21064/tcp
- cman
  - port 6809/udp
- gnbd
  - port 14567/tcp
Example Configuration Files
RedHat Advanced Server
The following iptables configuration file blocks all ports on a clustered Zimbra server except those used by Zimbra, the cluster suite, SSH and SNMP. It assumes that your local network is 10.10.3.0/255.255.255.0. Two things to check against the port table above before copying it: the file opens HTTP (80), POP3 (110) and IMAP (143) to any source, although the table marks them local-only, so add -s 10.10.3.0/24 to those rules if you want the split the table describes; and it does not open SMTP Submission (587), LMTP (7025) or SOAP Auth (7073) at all, so add rules for them following the same pattern if you use them (7025 and 7073 restricted to the local network).
/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable ssh and snmp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24
# enable zimbra ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
# enable cluster communications
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Optional additions to the file above.
If your network has remote layer 2/3 devices in the path (bridges, MPLS links) or is simply messy, add this rule directly after the ESTABLISHED,RELATED rule. It accepts stray RST/ACK segments that the connection tracker no longer matches (late resets from asymmetric paths) instead of logging and rejecting them:
-A RH-Firewall-1-INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK RST,ACK -j ACCEPT
If you want rejected traffic logged, insert the rules below. The DROP rules silently discard broadcast and LAN chatter (DHCP on 67/68, Windows RPC/NetBIOS/SMB on 135, 137-139, 445 and 1025, IPP/CUPS on 631) before it reaches the LOG rule, so the log is not flooded with it; this assumes the Zimbra host is not a DHCP server. Replace 10.10.3.255 with your subnet's broadcast address. The LOG rule is rate-limited to 10 entries per minute so a scan cannot fill the disk. Lines marked "existing rule" are already in the file and are shown only to mark where the new ones go:
# existing rule, shown only for position
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -d 255.255.255.255 -j DROP
-A RH-Firewall-1-INPUT -d 10.10.3.255 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m multiport --dports 67,68,135,137,138,139,445,631,1025 -j DROP
-A RH-Firewall-1-INPUT -p udp -m multiport --dports 67,68,135,137,138,139,445,631,1025 -j DROP
# existing rule, shown only for position
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# (the ESTABLISHED,RELATED and ACCEPT rules from the file above go here)
-A RH-Firewall-1-INPUT -j LOG -m limit --limit 10/m --log-prefix "DROP ON INPUT: " --log-tcp-options --log-ip-options --log-level INFO
# existing rule, shown only for position
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Ubuntu
Single Node
Enter this at the command prompt, where xxx.xxx.xxx.xxx/yy is the management subnet you want to give unrestricted access. Make sure the host you are logged in from is inside that subnet: nothing else in this procedure opens port 22, so ufw enable would otherwise cut off your SSH session.
ufw allow from xxx.xxx.xxx.xxx/yy
nano /etc/ufw/applications.d/zimbra
Now put the following in the file you just opened (/etc/ufw/applications.d/zimbra):
[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=25,80,110,143,443,465,587,993,995,3443,5222,5223,7071,9071/tcp
Now continue with:
ufw allow Zimbra
ufw enable
ufw status
Caveats: ufw allow Zimbra opens every port in the profile to any source, including the admin console on 7071 and the plaintext HTTP, POP3 and IMAP ports that the table above marks local-only. If you want the split the table describes, keep only the public ports in the profile and add per-port rules such as ufw allow from xxx.xxx.xxx.xxx/yy to any port 7071 proto tcp for the rest. The profile also lists 3443, 5222, 5223 and 9071, which the table does not mention; check that you actually run services on them (ss -ltn) before opening them, and remove any you do not.
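The port table, the RedHat iptables file and the Ubuntu ufw steps above all describe the same policy, and the easiest way to catch the discrepancies between them (local-only ports opened to everyone, listed ports never opened) is to keep the policy as data and check or generate the rules from it. The script below is an added example written for this page, not Zimbra's own tooling: the POLICY table transcribes the port table, the sample dump is a constructed excerpt of the page's RedHat rule file (cluster rules left out), and the 10.10.3.0/24 local network and the RH-Firewall-1-INPUT chain name are taken from that file. The rendered ufw commands use the documented ufw allow from NET to any port N proto tcp form rather than an application profile, so the local-only restriction survives.

```python
"""Check an iptables-save dump against the Zimbra port policy and render
iptables-restore rules or ufw commands that honour it.
Added example for this page; not Zimbra tooling."""
import re

# Port policy transcribed from the page's table: port -> (service, public?)
POLICY = {
    25: ("SMTP", True), 80: ("HTTP", False), 110: ("POP3", False),
    143: ("IMAP", False), 389: ("LDAP", False), 443: ("HTTPS", True),
    465: ("SMTPS", True), 587: ("Submission", True), 993: ("IMAPS", True),
    995: ("POP3S", True), 7025: ("LMTP", False), 7071: ("Admin console", False),
    7073: ("SOAP auth", False),
}

# Options may appear in any order in iptables-save output (the page's file
# puts -s after -j ACCEPT), so each one is matched independently.
PORT_RE = re.compile(r"(?:^|\s)--dport (\d+)")
PROTO_RE = re.compile(r"(?:^|\s)-p (tcp|udp)")
SRC_RE = re.compile(r"(?:^|\s)-s (\S+)")


def parse_accepts(dump):
    """Map (proto, port) -> list of accepted sources (None = any source)
    for every per-port ACCEPT rule in an iptables-save style dump."""
    accepts = {}
    for raw in dump.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-A ") or "-j ACCEPT" not in line:
            continue
        port, proto = PORT_RE.search(line), PROTO_RE.search(line)
        if not (port and proto):
            continue  # loopback, icmp or ESTABLISHED,RELATED rule
        src = SRC_RE.search(line)
        key = (proto.group(1), int(port.group(1)))
        accepts.setdefault(key, []).append(src.group(1) if src else None)
    return accepts


def audit(dump, policy=POLICY):
    """Return (port, service, problem) tuples where the dump disagrees with
    the policy: port not opened, local-only port open to any source, or a
    public port restricted to specific sources."""
    accepts = parse_accepts(dump)
    findings = []
    for port, (service, public) in sorted(policy.items()):
        sources = accepts.get(("tcp", port), [])
        if not sources:
            findings.append((port, service, "not opened"))
        elif not public and None in sources:
            findings.append((port, service, "open to any source, policy is local-only"))
        elif public and None not in sources:
            findings.append((port, service, "restricted to %s, policy is public" % ",".join(sources)))
    return findings


def render_iptables(policy=POLICY, local_net="10.10.3.0/24", chain="RH-Firewall-1-INPUT"):
    """Rules in the style of the page's file; local-only ports carry -s NET.
    Comments go on their own line because iptables-restore rejects trailing ones."""
    lines = []
    for port, (service, public) in sorted(policy.items()):
        lines.append("# %s (%s)" % (service, "public" if public else "local network only"))
        src = "" if public else " -s %s" % local_net
        lines.append("-A %s -m state --state NEW%s -p tcp --dport %d -j ACCEPT" % (chain, src, port))
    return lines


def render_ufw(policy=POLICY, local_net="10.10.3.0/24"):
    """Equivalent ufw commands: allow N/tcp for public ports, allow from NET otherwise."""
    cmds = []
    for port, (service, public) in sorted(policy.items()):
        if public:
            cmds.append("ufw allow %d/tcp" % port)
        else:
            cmds.append("ufw allow from %s to any port %d proto tcp" % (local_net, port))
    return cmds


# Constructed excerpt of the page's RedHat rule file (cluster rules omitted).
SAMPLE_DUMP = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for port, service, problem in audit(SAMPLE_DUMP):
        print("%5d %-14s %s" % (port, service, problem))
    print("\n".join(render_ufw()))
```

Run against the sample, audit() reports 80, 110 and 143 as open to any source although the policy is local-only, and 587, 7025 and 7073 as never opened; auditing the output of render_iptables() returns no findings. On a live host, feed it iptables-save output instead of the constructed dump.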