
Thread: Question about ports & UFW

  1. #1
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Question about ports & UFW

    I'll start off by saying: I'm far from any networking wiz, which I think my question will show you.

    In this scenario I've started an SSH session to an offsite server (from now on "Server") from a PC (from now on "Client"). The client has the following UFW rules:
    Code:
    sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    53,137,138/udp             ALLOW OUT   Anywhere
    20,21,22,80,443,1863,8001/tcp ALLOW OUT   Anywhere
    5222/tcp                   ALLOW OUT   Anywhere
    465                        ALLOW OUT   Anywhere
    993                        ALLOW OUT   Anywhere
    51413                      ALLOW OUT   Anywhere
    Anywhere                   DENY OUT    Anywhere
    53,137,138/udp             ALLOW OUT   Anywhere (v6)
    20,21,22,80,443,1863,8001/tcp ALLOW OUT   Anywhere (v6)
    5222/tcp                   ALLOW OUT   Anywhere (v6)
    465                        ALLOW OUT   Anywhere (v6)
    993                        ALLOW OUT   Anywhere (v6)
    51413                      ALLOW OUT   Anywhere (v6)
    Anywhere (v6)              DENY OUT    Anywhere (v6)
    and the server has the following iptables:
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    From the client, with an open SSH connection, netstat displays:
    Code:
    sudo netstat -tupan
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      966/cupsd       
    tcp       38      0 cl.ie.nt.ip:54637      91.189.89.105:443       CLOSE_WAIT  3226/gvfsd-http 
    tcp       38      0 cl.ie.nt.ip:54578      91.189.89.105:443       CLOSE_WAIT  3226/gvfsd-http 
    tcp        1      0 cl.ie.nt.ip:47751      91.189.89.106:80        CLOSE_WAIT  3226/gvfsd-http 
    tcp        1      0 cl.ie.nt.ip:54389      91.189.89.31:80         CLOSE_WAIT  3226/gvfsd-http 
    tcp        0      0 cl.ie.nt.ip:51013      se.rv.er.ip:22        ESTABLISHED 10057/ssh       
    tcp       38      0 cl.ie.nt.ip:54657      91.189.89.105:443       CLOSE_WAIT  3226/gvfsd-http 
    tcp        1      0 cl.ie.nt.ip:47678      91.189.89.106:80        CLOSE_WAIT  3226/gvfsd-http 
    tcp        1      0 cl.ie.nt.ip:47737      91.189.89.106:80        CLOSE_WAIT  3226/gvfsd-http 
    tcp6       0      0 ::1:631                 :::*                    LISTEN      966/cupsd       
    udp        0      0 0.0.0.0:36433           0.0.0.0:*                           938/avahi-daemon: r
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           1457/dhclient   
    udp        0      0 0.0.0.0:5353            0.0.0.0:*                           938/avahi-daemon: r
    udp6       0      0 :::43563                :::*                                938/avahi-daemon: r
    udp6       0      0 :::5353                 :::*                                938/avahi-daemon: r
    And from the server, netstat prints:
    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
    tcp        0     48 se.rv.er.ip:22        cl.ie.nt.ip:51013      ESTABLISHED
    tcp6       0      0 :::22                   :::*                    LISTEN
    Now, the boring stuff's over.

    My question is about the client's UFW rules.
    1) Is there any reason for the client's port 22 to be open? From what I understand, the client connects out of port 51013 to the server at port 22. This would mean that IF the client didn't have "allow outgoing" it would need to have an "allow in 51013" or else the client's own firewall would block the connection?

    2) The client's "allow outgoing": would that mean that any connection that is initiated by the client itself would be allowed, and "deny incoming" would mean that any connection that originates from outside the client would be rejected (besides the exceptions which are created by the other rules)?

    3) Why is it called "allow outgoing" when the rules that have to be created have to be "allow out"? Aren't all outgoing connections allowed?

    Please, if I left something out, tell me and I'll add it ASAP.

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    1) Port 22 isn't open on the client. It's connecting to port 22 on the server via a random high-numbered port (which is normal).
    2) Correct
    3) No idea. It looks like it's set that way by default so that you don't lock it out if you change the default rules.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Isn't port 22 open on the client? The second line in the UFW code should have port 22 mentioned with tcp? Doesn't that mean it's open?

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Quote Originally Posted by MadsRC
    Isn't port 22 open on the client? The second line in the UFW code should have port 22 mentioned with tcp? Doesn't that mean it's open?
    This line?

    Code:
    20,21,22,80,443,1863,8001/tcp ALLOW OUT   Anywhere

  5. #5
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Yes, doesn't that line state that the ports listed, including 22, should be open for TCP connections via those ports?

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Only outbound connections. Incoming connections are still blocked.

  7. #7
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    So, basically, if you wanted someone to be able to SSH into the client, you would have to open port 22 (if using SSH over port 22) for incoming connections (connections that originated from outside the client). Would that rule be called "22/tcp allow in" or "22/tcp allow out"?

  8. #8
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Something like that, yeah.

    You'd also need openssh-server installed on the client.

  9. #9
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Then should there be any reason for the second line in UFW to contain the number 22, thus opening inbound connections through port 22, when the client should not be able to be SSH'ed into (only be able to SSH out, but that has nothing to do with port 22 on the client side)?

  10. #10
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    There isn't anything being allowed in. The default policy is to deny all incoming and there are no rules to allow traffic to a port.

    Rule #2 is referring to outbound connections, not incoming ones.
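    As an added example (not from the thread or from anyone in it), the small Python checker below parses the two listings pasted in the first post and answers the question mechanically: it separates ALLOW IN from ALLOW OUT rules, falls back to the `Default:` policy when no rule matches, and cross-checks the client's listening sockets, so `22/tcp ALLOW OUT` is reported as outbound-only and a socket that is listening but denied inbound is not counted as exposed. The sample text is constructed from the post's output; the rule grammar it accepts (comma lists, `lo:hi` ranges, a `(v6)` suffix, proto-less ports, a missing IN/OUT meaning IN) is an assumption about ufw's status format beyond the lines shown.

```python
import re
# Constructed samples, trimmed from the thread's `ufw status verbose` and `netstat -tupan` output.
UFW_STATUS = """\
Default: deny (incoming), allow (outgoing)
53,137,138/udp             ALLOW OUT   Anywhere
20,21,22,80,443,1863,8001/tcp ALLOW OUT   Anywhere
465                        ALLOW OUT   Anywhere
Anywhere                   DENY OUT    Anywhere
Anywhere (v6)              DENY OUT    Anywhere (v6)
"""

NETSTAT = """\
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      966/cupsd
tcp        0      0 cl.ie.nt.ip:51013       se.rv.er.ip:22          ESTABLISHED 10057/ssh
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           938/avahi-daemon: r
"""

RULE_RE = re.compile(r"^(\S+(?: \(v6\))?)\s+(ALLOW|DENY|REJECT|LIMIT)(?: (IN|OUT))?\s+(.+?)\s*$")
def parse_ufw(text):
    """Return ({'incoming': policy, 'outgoing': policy}, [(ports, proto, action, direction)])."""
    defaults, rules = {}, []
    for line in text.splitlines():
        if line.startswith("Default:"):
            defaults.update((k, v) for v, k in re.findall(r"(\w+) \((\w+)\)", line))
        elif m := RULE_RE.match(line):
            to, action, direction, _src = m.groups()
            spec, _, proto = to.replace(" (v6)", "").partition("/")
            ports = None  # "Anywhere" in the To column means any port
            if spec != "Anywhere":  # "20,21,22" list, "1000:2000" range, or a single port
                ports = {p for part in spec.split(",") for lo, _, hi in [part.partition(":")]
                         for p in range(int(lo), int(hi or lo) + 1)}
            rules.append((ports, proto or None, action.lower(), direction or "IN"))
    return defaults, rules

def verdict(port, proto, direction, defaults, rules):
    """First matching rule in that direction wins; otherwise the default policy applies."""
    for ports, rproto, action, rdir in rules:
        if rdir == direction and (ports is None or port in ports) and rproto in (None, proto):
            return action
    return defaults["incoming" if direction == "IN" else "outgoing"]

LISTEN_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(\s+LISTEN)?")
def listener_exposure(netstat, defaults, rules):
    """Map each listening socket to 'loopback only' or its inbound verdict (listening != reachable)."""
    exposure = {}
    for m in filter(None, map(LISTEN_RE.match, netstat.splitlines())):
        proto, addr, port = m.group(1).rstrip("6"), m.group(2), int(m.group(3))
        if proto == "udp" or m.group(4):  # UDP has no state; TCP must say LISTEN
            exposure[(port, proto)] = ("loopback only" if addr in ("127.0.0.1", "::1")
                                       else verdict(port, proto, "IN", defaults, rules))
    return exposure
```

With the thread's client listings, `verdict(22, "tcp", "IN", ...)` is `deny` while `verdict(22, "tcp", "OUT", ...)` is `allow`, and the only non-loopback listener (avahi on 5353/udp) is denied inbound by the default policy.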

