Hello there,
As I shared my recent upgrade to Leap 15.5 on a mailing list, someone pointed out to me that I should use the firewall to redirect ports below 1024 to ports above it and have the services run not as root but as a regular user. I want to follow this advice as I see it as good security.
I also searched for this topic, but all I found was one topic from 2020 about some issues forwarding within a LAN, with a “known issue” that the final hop doesn’t see the forwarding one and hence the reply path breaks.
Specifically, my question is this:
I want to run my mail server not as root but as regular user. For this I want to move the smtp port from 25 to 8025 and have the firewall “translate” between the external port 25 and the internal 8025.
Reason: I once got hacked through the Log4J issue as I ran my mail server as root.
Unfortunately, the available documentation doesn’t give a hint how to do that.
Can somebody help me with this one?
Thanks in advance.
@cryptearth if it’s external then that would be done at your router to forward non-standard port x to standard port x. What you describe is not necessary on the mail host… if it’s postfix the pickup and queue manager are already running as user postfix…
It seems you have misunderstood, so let me explain it better:
I run Leap 15.5 on a bare-metal dedicated root server hosted at OVH, directly connected to the internet - so there’s no “private home LAN router from my ISP which offers such a feature” (it seems you think I try to do this on a home-lab server behind a NAT router - which is not the case).
Also I use Apache James - which is written in Java and doesn’t know the concept of “privilege dropping”, so it has to be started as root when bound to ports below 1024.
Now I want to use firewall-cmd to reroute incoming traffic on the public eth0 25/tcp to some other port above 1024 so I can start James as a regular user instead of root to limit the risk.
I’m not sure if the right term is forward or redirect or reroute as to me they seem to mean the same but as I learned from the mentioned post they’re actually all something different.
I read that, at least back then, there was a “well known issue” that when using “forwarding” it’s only that: forwarding the incoming packets without modifying them - so the endpoint doesn’t see the packets were forwarded and hence tries to reply wrongly - which completely breaks something (in the mentioned topic the OP tried to forward a connection within a LAN from A to C via B - and by using “--add-forward” C will only see the packets came from A but not that they were routed through B, so C tries to reply to A directly instead of back over B).
So I would have the problem that when the firewall only “forwards” the packets from 25/tcp to say 8025/tcp, James would try to reply from 8025/tcp instead of having it “translated back by the firewall from 8025 to 25”.
So maybe the correct term here would be “re-route” - but only local instead of “off to a 2nd pc inside the lan”?
I’m not quite sure if it’s a problem with the question - as the other OP also seemed to struggle to convey their question - or if the community seems to “decide to not understand it” (reference to Futurama) - as the other OP was asked: “why do you want to do this” - well, although it was for testing, a more appropriate reply to this type of question would have been: “because I want to and should be able to”.
Maybe I should re-phrase it this way: In my eyes a firewall is not just there to “block unwanted incoming traffic” - but also to act as some security gate able to inspect and modify packets (yes, this comes down to the integral part of the underlying packet filter). So the firewall should be able to take an incoming packet on public-ip tcp-port 25 and “modify” it in a way that it gets “delivered” to the server socket listening on tcp-port 8025 - and in such a way that when the reply packet is sent back this “transformation” is reversed so the source port of the reply packet is correctly 25 instead of 8025.
Why I want to do this? Because I use a mail server which doesn’t understand the concept of dropping its own privileges after binding to a privileged port so I either have to start it as root so it can bind to tcp/25 - or use the firewall as a “translation” (like local nat?) so I can start the server as a regular user by using port 8025 instead.
And NO - recommending “use sendmail or postfix or exim” is NOT a “valid” reply - why? because I tried - and although I followed good tutorials I wasn’t able to set it up correctly and securely so I can’t take advantages of these packages. Also: In the spirit of Linux: because I want to use something different in a different way and now I need help to configure the packet-filter to help me to achieve this goal.
(sorry for drifting towards a kind of rant - but sometimes when I read such replies I have to ask myself: Am I just too stupid to convey my actual question as english isn’t my primary language - or are people just too stubborn to not accept that others want to do something different than 60 year old unix admins did it for the past 40 years?)
@cryptearth OK, in the first case I would look at creating a james user and group with nologin and just use the normal port 25?
If changing, then you probably want to change from port 8025 as this is already a registered service port?
fgrep 8025 /etc/services
ca-audit-da 8025/tcp # CA Audit Distribution Agent [Henning_Smith]
ca-audit-da 8025/udp # CA Audit Distribution Agent [Henning_Smith]
You can also use setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary
to allow access to ports lower than 1024, or if using a systemd service to start (recommended), then you can add AmbientCapabilities=CAP_NET_BIND_SERVICE
into your service file…
Then there is iptables -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-ports 8025
man firewall-cmd and search for --add-forward-port.
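For the systemd route mentioned above, here is an added example unit (not from this thread or the Apache James project) that lets a Java mail server bind port 25 as an unprivileged user: AmbientCapabilities is granted to this service’s processes only, so the java binary itself stays unchanged and other Java processes on the host gain nothing. The james user, the /opt/james paths and the ExecStart launcher are assumptions to adapt to the real installation.

```ini
# /etc/systemd/system/james.service (added example, not from the thread or the
# Apache James project). Assumptions: a local user/group "james" with nologin
# exists, James lives under /opt/james, and ExecStart is a placeholder launcher.
[Unit]
Description=Apache James mail server (runs as user james, binds tcp/25 via ambient capability)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=james
Group=james
WorkingDirectory=/opt/james
# PLACEHOLDER: replace with the real James start command or jar.
ExecStart=/usr/bin/java -jar /opt/james/james-server.jar

# Grant only CAP_NET_BIND_SERVICE, and only to this service's processes.
# Unlike setcap on /usr/bin/java, nothing else that runs java is affected.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# No setuid/setcap helper started from here can regain privileges.
NoNewPrivileges=true

# Containment in case the JVM itself is compromised (e.g. through a logging bug):
# read-only filesystem except the directories listed further down.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
LockPersonality=true
SystemCallArchitectures=native
# Writable locations: /var/lib/james, /var/log/james and the assumed spool dir.
StateDirectory=james
LogsDirectory=james
ReadWritePaths=/opt/james/var

Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload && systemctl enable --now james.service`, `ss -ltnp 'sport = :25'` shows the java process on port 25 and `ps -o user= -p <pid>` confirms it runs as james. Because the service binds 25 directly, no firewall port translation between 25 and 8025 is needed at all.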
Sorry for late reply - work was hard the past weeks.
Creating its own user:group and setting nologin doesn’t seem to help against the Log4J vulnerability: Using an insecure version I still was able to get a reverse shell - and from there, by privilege escalation, root access.
setcap is not an option as it works on a per-executable basis - not on a per-process basis: When I set it for java for the James process it also gets set for every other java process - which is not what I want.
iptables only returns a “not found” - so that’s no option for that local-nat pre-routing.
As for --add-forward-port: I run into the exact issue as the mentioned other thread: Java sees the incoming SYN packet - but when it tries to reply with the SYN+ACK, the forwarding from 25 to 8025 doesn’t get reversed, so the SYN+ACK reply is sent back to the remote from 8025 - not from 25. It appears that “forwarding” is either broken or intended to be used in a different way, as the port “translation” is not reversed for reply packets.
I sure would rather use a native binary which has the ability to drop privileges after being bound to the ports - and with some simple proof-of-concept C++ code I was able to implement it myself - but Java doesn’t support this.
I do not understand what it means. When you are talking about computers, copy and paste the actual full command invocation with complete output.
We are supposed to magically guess what the other thread is?
There is no factual information. Describe your environment, your network topology, show the packet path, provide network capture that demonstrates “incorrect” packets - then someone may be able to suggest something.