Revision as of 03:56, 22 February 2010

Firewall Configuration

Although the Zimbra Installation instructions tell you to install Zimbra on a system without a firewall, Zimbra works on a firewalled system as long as all of the needed ports are opened on the firewall.

Needed Ports

Standard Zimbra ports

  Service   Port
  SMTP      25/tcp
  HTTP      80/tcp
  POP3      110/tcp
  IMAP      143/tcp (should probably be limited by a firewall to your local network only)
  LDAP      389/tcp
  HTTPS     443/tcp
  SMTPS     465/tcp
  IMAPS     993/tcp
  POP3S     995/tcp


  • Admin Interface
    • port 7071/tcp should probably be limited by a firewall to your local network only
  • LMTP
    • port 7025/tcp should probably be limited by a firewall to your local network only

Cluster Suite Ports

These ports are only used on a Zimbra cluster. All of them should be limited by a firewall to your local network only.

  • rgmanager
    • port 41966/tcp
    • port 41967/tcp
    • port 41968/tcp
    • port 41969/tcp
  • ccsd
    • port 50006/tcp
    • port 50007/udp
    • port 50008/tcp
    • port 50009/tcp
  • dlm
    • port 21064/tcp
  • cman
    • port 6809/udp
  • gnbd
    • port 14567/tcp

Example Configuration Files

RedHat Advanced Server

The following iptables configuration file blocks all ports on a clustered Zimbra server except those used by Zimbra, the Cluster Suite, ssh, and snmp. It assumes that your local network is 10.10.3.0/255.255.255.0; the ports that should only be reachable locally (ssh, snmp, LDAP, the admin interface, and the cluster ports) carry a matching -s 10.10.3.0/24 source restriction, while the public mail and web ports are accepted from any source.

/etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable ssh and snmp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24
# enable zimbra ports (public mail/web services from anywhere, LDAP and admin from the local network)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
# LMTP (listed under Needed Ports above) from the local network only
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7025 -j ACCEPT -s 10.10.3.0/24
# enable cluster communications
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
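A ruleset like the one above is easy to get subtly wrong: a port the page marks as local-only can end up accepted from any source, or a needed port can be left out entirely. As an added example (not part of the Zimbra wiki page), the following Python script parses a file in the /etc/sysconfig/iptables format shown above and checks it against the policy from the Needed Ports section: which local-only ports are accepted from outside the trusted network, which needed ports have no ACCEPT rule at all, and which accepted ports are not on the list. The PUBLIC_OK and LOCAL_ONLY sets encode the page's recommendations; placing LDAP 389 in the local-only set follows the example file's -s restriction and is an assumption. The embedded ruleset is a constructed excerpt for demonstration, not the full file above.

```python
"""Audit an iptables-restore ruleset against the Zimbra port policy.

Added example, not from the Zimbra wiki. It reads the /etc/sysconfig/iptables
format shown on the page and reports ports that the page says should be
limited to the local network but are accepted from any source.
"""
import ipaddress
import re

# Ports the page lists as standard public-facing Zimbra services.
PUBLIC_OK = {("tcp", 25), ("tcp", 80), ("tcp", 110), ("tcp", 443),
             ("tcp", 465), ("tcp", 993), ("tcp", 995)}

# Ports the page says "should probably be limited ... to your local network
# only" (IMAP, admin console, LMTP, every Cluster Suite port).  LDAP 389 is
# included because the page's example file restricts it (our assumption).
LOCAL_ONLY = {("tcp", 143), ("tcp", 389), ("tcp", 7071), ("tcp", 7025),
              ("tcp", 41966), ("tcp", 41967), ("tcp", 41968), ("tcp", 41969),
              ("tcp", 50006), ("udp", 50007), ("tcp", 50008), ("tcp", 50009),
              ("tcp", 21064), ("udp", 6809), ("tcp", 14567)}

# Management ports the example file opens that are not Zimbra's own.
MGMT_OK = {("tcp", 22), ("udp", 161)}

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def parse_rules(text):
    """Return (proto, dport, source_network) for each ACCEPT rule with --dport.

    iptables-restore accepts options in any order (the page puts -s after
    -j), so every option is located independently instead of positionally.
    A rule without -s matches any source.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-A ") or not re.search(r"-j\s+ACCEPT\b", line):
            continue
        dport = re.search(r"--dport\s+(\d+)", line)
        if not dport:
            continue  # interface, state-only or ICMP rules carry no port
        proto = re.search(r"(?:^|\s)-p\s+(\w+)", line)
        src = re.search(r"(?:^|\s)-s\s+(\S+)", line)
        source = ipaddress.ip_network(src.group(1), strict=False) if src else ANY_V4
        rules.append((proto.group(1) if proto else "tcp", int(dport.group(1)), source))
    return rules


def audit(text, local_net):
    """Compare the ruleset with the policy; local_net is the trusted subnet.

    exposed:    local-only ports accepted from outside local_net
    missing:    needed ports with no ACCEPT rule at all
    unexpected: accepted ports that are neither Zimbra nor management ports
    """
    local = ipaddress.ip_network(local_net)
    seen, exposed = set(), set()
    for proto, port, source in parse_rules(text):
        seen.add((proto, port))
        inside = source.version == local.version and source.subnet_of(local)
        if (proto, port) in LOCAL_ONLY and not inside:
            exposed.add((proto, port))
    needed = PUBLIC_OK | LOCAL_ONLY
    return {
        "exposed": sorted(exposed),
        "missing": sorted(needed - seen),
        "unexpected": sorted(seen - needed - MGMT_OK),
    }


# Constructed excerpt in the page's format: IMAP left open to the world,
# an unrelated port 8080 accepted, and most Zimbra/cluster ports absent.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    import sys
    # Pass a real /etc/sysconfig/iptables path to audit it; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET
    for key, ports in audit(text, "10.10.3.0/24").items():
        print(f"{key:10s}", ", ".join(f"{p}/{proto}" for proto, p in ports) or "-")
```

Run against the sample, the script flags 143/tcp as exposed (accepted from anywhere although the page says IMAP should be local-only), lists 8080/tcp as unexpected, and reports the absent LMTP and cluster ports as missing. Pointing it at the full file above instead would show only the IMAP exposure, which the page itself calls out as a judgement call. The script only reads the ruleset text; it never changes the running firewall.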


Verified Against: unknown
Date Created: 1/26/2007
Article ID: https://wiki.zimbra.com/index.php?title=Firewall_Configuration
Date Modified: 2010-02-22
