Firewall Configuration: Difference between revisions
(→Standard Zimbra ports: port 7025 needs to be open for LMTP) |
|||
Line 5: | Line 5: | ||
==== Standard Zimbra ports ==== | ==== Standard Zimbra ports ==== | ||
<table border cellspacing=0 cellpadding=5> | |||
<tr> | |||
<td>SMTP</td><td>25/tcp</td> | |||
<td>HTTP</td><td>80/tcp</td> | |||
<td>POP3</td><td>110/tcp</td> | |||
<td>IMAP</td><td>143/tcp (''should probably be limited by a firewall to your local network only'')</td> | |||
<td>LDAP</td><td>389/tcp</td> | |||
<td>HTTPS</td><td>443/tcp</td> | |||
<td>SMTPS</td><td>465/tcp</td> | |||
<td>IMAPS</td><td>993/tcp</td> | |||
<td>POP3S</td><td>995/tcp</td> | |||
</tr> | |||
</table> | |||
*Admin Interface | *Admin Interface | ||
** port 7071/tcp ''should probably be limited by a firewall to your local network only'' | ** port 7071/tcp ''should probably be limited by a firewall to your local network only'' |
Revision as of 03:56, 22 February 2010
Firewall Configuration
Although the Zimbra Installation instructions tell you install Zimbra on a system without a firewall, you can get Zimbra to work on a system as long as all needed ports are opened on the firewall.
Needed Ports
Standard Zimbra ports
SMTP | 25/tcp | HTTP | 80/tcp | POP3 | 110/tcp | IMAP | 143/tcp (should probably be limited by a firewall to your local network only) | LDAP | 389/tcp | HTTPS | 443/tcp | SMTPS | 465/tcp | IMAPS | 993/tcp | POP3S | 995/tcp |
- Admin Interface
- port 7071/tcp should probably be limited by a firewall to your local network only
- LMTP
- port 7025/tcp should probably be limited by a firewall to your local network only
Cluster Suite Ports
These would only be used on a zimbra cluster. All of these ports should be limited by a firewall to your local network only.
- rgmanager
- port 41966/tcp
- port 41967/tcp
- port 41968/tcp
- port 41969/tcp
- ccsd
- port 50006/tcp
- port 50007udp
- port 50008/tcp
- port 50009/tcp
- dlm
- port 21064/tcp
- cman
- port 6809/udp
- gnbd
- port 14567/tcp
Example Configuration Files
RedHat Advanced Server
The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.
/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # enable ssh and snmp -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24 # enable zimbra ports -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24 # enable cluster communications -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24 # reject everything else -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT