Overview
There are many different firewalls that are installed by default on Linux systems (ipfw, apf, iptables). This article is designed to help you get the most out of your system firewall software when using cPanel and WHM.
cPanel and WHM install and manage a number of different services on your system. Many of these services require an outside connection to function properly. Therefore, holes in the firewall will need to be opened for the ports that these services are running on. Rather than providing a default set of ports for you to open, this article will provide a list of ports used by cPanel and WHM and the respective services they manage in order for you to be able to set up rules for your server. You should only open ports that you will definitely be using.
Ports
| Port | Service | TCP | UDP | Inbound | Outbound | Notes |
|---|---|---|---|---|---|---|
| 20 | FTP | X | X | X | SFTP over SSH is more secure than FTP | |
| 21 | FTP | X | X | X | X | |
| 22 | SSH | X | X | |||
| 25 | SMTP | X | X | X | ||
| 26 | SMTP | X | X | X | Port 26 is only used if designated in Service Manager in WHM | |
| 37 | rdate | X | X | |||
| 43 | whois | X | X | |||
| 53 | bind | X | X | X | X | Only if you run a public DNS server on the system |
| 80 | http | X | X | X | ||
| 110 | POP3 | X | X | |||
| 113 | ident | X | X | |||
| 143 | IMAP | X | X | |||
| 443 | https | X | X | HTTP over SSL | ||
| 465 | SMTP TLS/SSL | X | X | X | X | |
| 873 | rsync | X | X | X | ||
| 993 | IMAP SSL | X | X | |||
| 995 | POP3 SSL | X | X | |||
| 2078 | WebDAV | X | X | X | X | Used for Web Disks |
| 2083 | cPanel® | X | X | Insecure on port 2082 (not recommended) | ||
| 2087 | WHMTM | X | X | Insecure on port 2086 (not recommended) | ||
| 2089 | Licensing | X | X | Must be open to contact license server | ||
| 2096 | Webmail | X | X | Insecure on port 2095 (not recommended) | ||
| 3306 | MySQL® | X | X | Only for remote connections | ||
| 6666 | chat | X | X | Melange Chat Services |
Of the above ports, it is only recommended to use the SSL version of each service if possible (except for HTTP and HTTPS which both can be used). Using a non-SSL version of those services means that information (such as logins and passwords) is submitted in plain text across the net for attackers to potentially intercept. You can use the Manage Service Certificates feature in WHM (WHM >> SSL/TLS >> Manage Service Certificates) to ensure that your services have SSL certificates installed.
Example Configurations
The following examples are used to show how to add rules with APF, iptables, and ipfw. These examples will not provide a complete solution to your firewall rules as you should always use the set of rules that matches your services, not a default set of rules that you copy and paste.
IPFW
To enable IPFW on FreeBSD, you’ll need to ensure that the line firewall_enable=”YES” is present in /etc/rc.conf. The firewall_script variable should be set to the path of your firewall rules. You can check your rules at any time by running ipfw list.
Here’s a sample rule file allowing HTTP and HTTPS access to your system. Please note that it assumes you are using eth0 as your public interface.
############### start ############# # Delete all rules ipfw -q -f flush# primary public network interface pif="eth0″ # no need to type this each time cmd="ipfw -q add" #allow all traffic on loopback $cmd 00010 allow all from any to any via lo0 ####### outbound traffic ########## #allow packets that have already been allowed $cmd -q add 00015 check-state # Allow outbound HTTP $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state # Allow outbound HTTPS $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state ####### inbound traffic ########## # Allow inbound HTTP $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2 # deny and log all other traffic $cmd 00999 deny log all from any to any ################### End ############
For more information on IPFW, see the manual
APF
APF is basically a frontend for iptables that allows you to open or close ports easily without understanding iptables syntax. Here’s a sample of 2 rules to add to /etc/apf/conf.apf to allow HTTP and HTTPS access to your system:
# Common ingress (inbound) TCP ports IG_TCP_CPORTS="80,443″# Common egress (outbound) TCP ports EG_TCP_CPORTS="80″
For more information on APF, see the APF site.
iptables
While APF is simple to use, iptables offers more customization of your packet filtering rules. Iptables requires some knoeledge of the TCP/IP stack. Here’s an example of iptables rules for HTTP traffic on port 80. Please note that it assumes you have a DMZ set up on eth0 for 192.168.1.1 and a broadcast IP of 66.66.66.66
$IPTABLES -A FORWARD -p TCP -i 66.66.66.66 -o eth0 -d 192.168.1.1 -dport 80 -j allowed $IPTABLES -A FORWARD -p ICMP -i 66.66.66.66 -o eth0 -d 192.168.1.1 -j icmp_packets
For more information on iptables, see the iptables site or by typing man iptables from the command line.
What now?
From here, you’ll need to determine what firewall software to use and make sure you are familiar with its usage. Always remember to leave yourself a way back in when working with firewall rules so you don’t get locked out of your own server. A cron job that disables the firewall every 5 minutes is a simple way back in.
Other tools