Firewall Configuration: Difference between revisions

No edit summary
 
(Added Ubuntu single node)
 
(29 intermediate revisions by 10 users not shown)
Latest revision as of 13:53, 5 May 2018

Firewall Configuration

KB 1875 | Last updated on 2018-05-05

Although the Zimbra installation instructions tell you to install Zimbra on a system without a firewall, Zimbra will work on a system with a firewall as long as all of the needed ports are opened on it.

Needed Ports

Standard Zimbra ports

Service            Port   Protocol   Exposure
SMTP               25     tcp        Public
HTTP               80     tcp        Local
POP3               110    tcp        Local
IMAP               143    tcp        Local
LDAP               389    tcp        Local
HTTPS              443    tcp        Public
SMTPS              465    tcp        Public
SMTP Submission    587    tcp        Public
IMAPS              993    tcp        Public
POP3S              995    tcp        Public
Admin Interface    7071   tcp        Local
SOAP Auth          7073   tcp        Local
LMTP               7025   tcp        Local

Local = should probably be limited by a firewall to your local network only.

Cluster Suite Ports (EOL ZCS7)

These would only be used on a zimbra cluster. All of these ports should be limited by a firewall to your local network only. Cluster support ended with ZCS7, so later versions of ZCS can ignore this.

  • rgmanager
    • port 41966/tcp
    • port 41967/tcp
    • port 41968/tcp
    • port 41969/tcp
  • ccsd
    • port 50006/tcp
    • port 50007/udp
    • port 50008/tcp
    • port 50009/tcp
  • dlm
    • port 21064/tcp
  • cman
    • port 6809/udp
  • gnbd
    • port 14567/tcp

Example Configuration Files

RedHat Advanced Server

The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.

/etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable ssh and snmp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24
# enable zimbra ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
# enable cluster communications
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809  -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
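As an added example (not part of this wiki page or of Zimbra's own tooling), the following Python script checks an iptables-restore rule set against the exposure column of the "Standard Zimbra ports" table above: it parses the "-A ... --dport N ... -j ACCEPT" rules, flags local-only ports that are accepted without "-s 10.10.3.0/24", ports from the table that have no rule at all, and accepted ports the table does not list. The SAMPLE rules are a constructed excerpt, not the full file above; the local network is assumed to be the page's 10.10.3.0/24.

```python
import re

# Exposure policy copied from the "Standard Zimbra ports" table above (all tcp).
POLICY = {25: "public", 443: "public", 465: "public", 587: "public",
          993: "public", 995: "public",
          80: "local", 110: "local", 143: "local", 389: "local",
          7071: "local", 7073: "local", 7025: "local"}
LOCAL_NET = "10.10.3.0/24"  # the page's example local network

def accepted_ports(rules_text):
    """Map (port, proto) -> source network for every ACCEPT rule with --dport."""
    accepted = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-A") or not re.search(r"-j ACCEPT\b", line):
            continue
        port = re.search(r"--dport (\d+)", line)
        proto = re.search(r"\s-p (tcp|udp)\b", line)
        if not port or not proto:
            continue  # lo / icmp / ESTABLISHED,RELATED rules carry no port
        src = re.search(r"\s-s (\S+)", line)  # no -s means any source
        accepted[(int(port.group(1)), proto.group(1))] = src.group(1) if src else "0.0.0.0/0"
    return accepted

def audit(rules_text, policy=POLICY, local_net=LOCAL_NET):
    """Return human-readable findings where the rule set disagrees with the table."""
    accepted = accepted_ports(rules_text)
    findings = []
    for port, exposure in sorted(policy.items()):
        src = accepted.get((port, "tcp"))
        if src is None:
            findings.append(f"{port}/tcp: no ACCEPT rule (table says {exposure})")
        elif exposure == "local" and src != local_net:
            findings.append(f"{port}/tcp: local-only but accepted from {src}")
    for (port, proto), src in sorted(accepted.items()):
        if proto != "tcp" or port not in policy:
            findings.append(f"{port}/{proto}: accepted from {src} but not in the table")
    return findings

# Constructed excerpt, not the full file above: 80 is open to the world,
# 587 has no rule, 22 and 7071 are restricted to the local network.
SAMPLE = """\
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
```

Run over the full file above, it reports ports 80, 110 and 143 as accepted from anywhere although the table marks them local-only, 587, 7025 and 7073 as having no rule, and the ssh, snmp and cluster ports as accepted but outside the table.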


Add this rule after the "ESTABLISHED,RELATED" rule if your network has remote layer 2/3 devices (bridges and/or MPLS links) or is simply messy. It accepts stray RST/ACK segments so that they do not fall through to the LOG and REJECT rules at the end of the chain:

-A RH-Firewall-1-INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK RST,ACK -j ACCEPT

Insert these rules if you want visibility into what is being dropped (logs!). This assumes the Zimbra hosts do not hand out IP addresses (i.e. are not DHCP servers). The DROP rules silently discard broadcast traffic and the usual LAN chatter (DHCP, NetBIOS/SMB, IPP and the like) so that the rate-limited LOG rule in front of the final REJECT records only traffic worth looking at. The rules marked as existing are already in the file and are shown only to locate the insertion points:

# existing rule (already in the file), shown only to locate the insertion point
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -d 255.255.255.255 -j DROP
-A RH-Firewall-1-INPUT -d 10.10.3.255 -j DROP
-A RH-Firewall-1-INPUT -m multiport -p tcp --dports 67,68,135,137,138,139,445,631,1025 -j DROP
-A RH-Firewall-1-INPUT -m multiport -p udp --dports 67,68,135,137,138,139,445,631,1025 -j DROP
# existing rule (already in the file), shown only to locate the insertion point
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# ... the ssh/snmp, Zimbra and cluster ACCEPT rules from the file above stay here ...
-A RH-Firewall-1-INPUT -j LOG -m limit --limit 10/m --log-prefix "DROP ON INPUT: " --log-tcp-options --log-ip-options --log-level INFO
# existing rule (already in the file), shown only to locate the insertion point
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Ubuntu

Single Node

Enter this at the command prompt, where xxx.xxx.xxx.xxx/yy is the management subnet you wish to allow unfettered access:

ufw allow from xxx.xxx.xxx.xxx/yy
nano /etc/ufw/applications.d/zimbra

Now in the file that you just opened, /etc/ufw/applications.d/zimbra:

[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=25,80,110,143,443,465,587,993,995,3443,5222,5223,7071,9071/tcp


Now continue with:

ufw allow Zimbra
ufw enable
ufw status

Note that this profile also opens the admin interface on 7071 to every source, whereas the table above recommends limiting it to your local network; since the ufw allow from rule at the top already admits your management subnet to every port, you can leave 7071 out of the ports line if you want to keep the admin interface local-only.



Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0
Date Created: 1/26/2007
Article ID: https://wiki.zimbra.com/index.php?title=Firewall_Configuration
Date Modified: 2018-05-05


