Resolved
0 votes
I think I have searched everything related, but I could not find it.

I have an external VPS running ClearOS Standalone. I want to close port 81 because I can access the box with SSH or VPN.
In the firewall configuration webconfig port 81 is dimmed, so I can't change it there.
After deleting the rule in /etc/clearos/firewall.conf, the rule is created again.

Does anyone have the trick?
Monday, December 16 2013, 10:57 PM
Responses (4)
  • Accepted Answer

    Tuesday, December 17 2013, 12:12 PM - #Permalink
    Resolved
    0 votes
    You can always add a custom rule which gets applied later in the firewall start up so takes precedence:
    iptables -I INPUT -p tcp --dport 81 -j DROP
    You may also want to restrict the rule to the LAN interface by adding "-i ethX" where ethX is your LAN interface.
  • Accepted Answer

    Tuesday, December 17 2013, 12:31 PM - #Permalink
    Resolved
    0 votes
    Thanks Nick,

    Later (after I posted this question) I found this in /usr/clearos/apps/incoming_firewall/views/allow/summary.php:
    // Special case - don't allow users to lock themselves out of webconfig
    // - standalone mode
    // - remote

    if (($rule['protocol'] == Firewall::PROTOCOL_TCP) && ($rule['port'] == 81)
        && ($mode === Network::MODE_STANDALONE)) {
        $options['state'] = FALSE;
    } else {
        $options['state'] = TRUE;
    }


    My hope for an elegant solution through webconfig disappeared because this is hardcoded.

    Thanks again for your solution (why didn't I think of that) :( and I am going to try it.
  • Accepted Answer

    Thursday, April 28 2022, 03:56 PM - #Permalink
    Resolved
    0 votes
    I apologise for starting this thread again, but if the webproxy service is enabled and activated, you must also close port 82 because there is the possibility of accessing the management access page via http.

    Ex. http://[EXTERNAL IP]:82/app/base/session/login/

    So you could modify the rule like this:

    $IPTABLES -I INPUT 1 -p tcp -i [interface] --match multiport --dports 81,82 -j DROP
  • Accepted Answer

    Thursday, April 28 2022, 04:36 PM - #Permalink
    Resolved
    0 votes
    Pasquale Mari wrote:

    I apologise for starting this thread again, but if the webproxy service is enabled and activated, you must also close port 82 because there is the possibility of accessing the management access page via http.

    Ex. http://[EXTERNAL IP]:82/app/base/session/login/

    So you could modify the rule like this:

    $IPTABLES -I INPUT 1 -p tcp -i [interface] --match multiport --dports 81,82 -j DROP
    But if you're running in the cloud, I would have thought you should be using Standalone mode and not "Standalone - no firewall", in which case port 82 is closed anyway, or have I missed something?
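Added example, not part of the original thread and not ClearOS code: a small check of which INPUT rule a connection to port 81 or 82 hits first, since the fix above relies on the inserted DROP sitting ahead of the built-in ACCEPT. The function name `first_verdict`, the interface names eth0/eth1 and the sample rule listings are assumptions made up for illustration; only -p, -i, --dport/--dports and ACCEPT/DROP/REJECT targets are modelled.

```shell
# first_verdict PORT IFACE: read `iptables -S INPUT` text on stdin and print the
# target of the first TCP rule matching PORT on IFACE, or the chain policy.
first_verdict() {
    awk -v port="$1" -v iface="$2" '
    function in_list(list, p,    n, k, parts, r) {
        n = split(list, parts, ",")
        for (k = 1; k <= n; k++) {
            if (split(parts[k], r, ":") == 2) {          # range such as 80:90
                if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
            } else if (parts[k] + 0 == p + 0) return 1
        }
        return 0
    }
    $1 == "-P" { policy = $3; next }
    $1 == "-A" {
        proto = in_if = ports = target = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(++i)
            else if ($i == "-i") in_if = $(++i)
            else if ($i == "--dport" || $i == "--dports") ports = $(++i)
            else if ($i == "-j") { target = $(++i); break }
            else if ($i == "-m" || $i == "--match") i++   # skip module name
            else other = 1                                # match not modelled here
        }
        # Assumption: LOG and jumps to user-defined chains are not followed.
        if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
        if (proto != "" && proto != "tcp" && proto != "all") next
        if (in_if != "" && in_if != iface) next
        if (ports != "" && !in_list(ports, port)) next
        print (other ? "CHECK:" : "") target; found = 1; exit
    }
    END { if (!found) print policy }
    '
}

# Constructed sample listing (not from a real host): port 81 allowed by default.
sample_before() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
EOF
}

# The same chain once the multiport rule from the thread is inserted at position 1.
sample_after() {
    sample_before | awk -v r='-A INPUT -i eth0 -p tcp -m multiport --dports 81,82 -j DROP' \
        'NR == 2 { print r } { print }'
}
```

On a live box the same function can be fed with `iptables -S INPUT | first_verdict 81 eth0`; a result prefixed with `CHECK:` means the first matching rule has conditions the sketch does not evaluate, and any interface not named in the DROP rule still reaches the ACCEPT.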