Servers & Networking: Discuss any Fedora server problems and Networking issues such as dhcp, IP numbers, wlan, modems, etc.

10th February 2005, 04:13 AM
Registered User (Join Date: Jun 2004, Posts: 130)
turn off http port 80, keep https port 443
With a fresh FC3 install, the system has both ports working:
port 80 = http://192.168.5.100
port 443 = https://192.168.5.100
How can I stop port 80 and
continue secure access on port 443 only?
Under Security Level Configuration, I un-checked WWW (HTTP)
But the system still responds to both:
http://192.168.5.100
https://192.168.5.100
Last edited by lothario; 10th February 2005 at 04:19 AM.

10th February 2005, 05:31 AM
Registered User (Join Date: Jan 2005, Posts: 355)
After unchecking www and reloading iptables you can still get to 80 from an outside machine? If so something is broken. At any rate, on machines I want ssl (https) traffic only on I like to also leave port 80 open but use a redirect in the apache config to automatically redirect anything coming in on 80 to 443:
Code:
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [L,R,NC]
Of course you can also just comment out the "Listen 80" line in your httpd.conf which will cause Apache to not open a socket on 80 at all, only on 443.

11th February 2005, 03:46 AM
Registered User (Join Date: Jun 2004, Posts: 130)
Redirecting http to https is fine.
I am told that I can also comment out the port in the "httpd.conf" file.
These are good options to have.
I am concerned, how is port 80 traffic getting through.

11th February 2005, 03:49 AM
Registered User (Join Date: Jun 2004, Posts: 130)
I even rebooted the system.
But the system still responds to:
http://192.168.5.100
Here is the "/etc/sysconfig/iptables"
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
As you can see port 80 is no longer there.
But http traffic is still somehow getting through to Apache.

11th February 2005, 03:49 AM
Registered User (Join Date: Jan 2005, Posts: 355)
Quote:
Originally Posted by lothario
Redirecting http to https is fine.
I am told that I can also comment out the port in the "httpd.conf" file.

Hmmm, I thought that is what I also suggested when I said that you can also comment out the "Listen 80" line.

Quote:
I am concerned, how is port 80 traffic getting through.

I don't understand what you mean here.

11th February 2005, 03:52 AM
Registered User (Join Date: Jan 2005, Posts: 355)
Is that address on eth0? If so you are allowing everything on eth0 according to your iptables rules:
Quote:
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
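To see why that one line is decisive, here is an added example (not from the thread) that walks the posted ruleset the way netfilter does, first matching rule wins, and shows a new connection to port 80 being accepted by the interface-wide rule before the port-specific rules and the final REJECT are ever consulted. RULESET is a constructed, trimmed copy of the posted /etc/sysconfig/iptables, and the toy parser understands only the match options that file uses.

```python
import shlex
# Constructed input: the INPUT path of the ruleset posted above, trimmed to what a TCP packet on eth0 hits.
RULESET = """\
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
KEYS = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state", "-j": "target"}
def parse(text):
    """Return (chains, policy): rules per chain in file order, plus built-in chain policies."""
    chains, policy = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0].startswith(":"):      # chain declaration; '-' marks a user chain
            chains[tok[0][1:]], policy[tok[0][1:]] = [], (None if tok[1] == "-" else tok[1])
        elif tok and tok[0] == "-A":            # every flag in this file takes one value
            rule = {KEYS[f]: v for f, v in zip(tok[2::2], tok[3::2]) if f in KEYS}
            chains.setdefault(tok[1], []).append(rule)
    return chains, policy

def verdict(ruleset, pkt, chain="INPUT"):
    """First match wins, as netfilter walks a chain; pkt = dict(iface, proto, dport, state)."""
    chains, policy = ruleset
    for r in chains[chain]:                     # a rule tests only the fields it names
        if any(r.get(k, pkt[k]) != pkt[k] for k in ("iface", "proto", "dport")):
            continue
        if pkt["state"] not in r.get("state", pkt["state"]).split(","):
            continue
        if r["target"] not in chains:           # terminal target: ACCEPT / REJECT / DROP
            return r["target"]
        v = verdict(ruleset, pkt, r["target"])  # jump into a user chain
        if v is not None:                       # None: the user chain fell through
            return v
    return policy[chain]

def http_reachable(text, iface="eth0"):
    """Would a new TCP connection to port 80 arriving on `iface` reach Apache?"""
    pkt = {"iface": iface, "proto": "tcp", "dport": "80", "state": "NEW"}
    return verdict(parse(text), pkt) == "ACCEPT"

def drop_blanket_accept(text, iface="eth0"):
    """The fix the thread settles on: remove the interface-wide ACCEPT for `iface`."""
    bad = f"-A RH-Firewall-1-INPUT -i {iface} -j ACCEPT"
    return "\n".join(l for l in text.splitlines() if l != bad) + "\n"
```

With the eth0 line present http_reachable(RULESET) is True; after drop_blanket_accept it is False while port 443 and established traffic still pass.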

11th February 2005, 03:55 AM
Registered User (Join Date: Jun 2004, Posts: 130)
About commenting out port 80.
I am sorry - I got the same suggestions from someone else. I got confused.

11th February 2005, 03:58 AM
Registered User (Join Date: Jun 2004, Posts: 130)
Quote:
Is that address on eth0? If so you are allowing everything on eth0 according to your iptables rules:
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

Yes, it is.
If I un-check eth0 under Security Level Configuration, what are the consequences of that?
Last edited by lothario; 11th February 2005 at 04:00 AM.

11th February 2005, 04:00 AM
Registered User (Join Date: Jan 2005, Posts: 355)
Quote:
Originally Posted by lothario
Yes, it is.
If I un-check eth0 under Security Level Configuration, what are the consequences of that?

The consequences of unchecking it would mean that your firewall will actually start acting like a firewall.

11th February 2005, 04:02 AM
Registered User (Join Date: Feb 2005, Location: Athens, GA, Posts: 352)
Quote:
Originally Posted by lothario
Yes, it is.
If I un-check eth0 under Security Level Configuration, what are the consequences of that?

You won't be letting every packet and its brother through your ethernet interface. Do it.

11th February 2005, 04:28 AM
Registered User (Join Date: Jun 2004, Posts: 130)
Ok. That was the culprit.
Thanks.

11th February 2005, 04:32 AM
Registered User (Join Date: Jun 2004, Posts: 130)
Un-checking eth0 does take care of it.
What is sit0?