
Thread: how to manage firewall

  1. #1
    Join Date
    Sep 2013
    Beans
    110

    how to manage firewall

    I want to set up my firewall to start with by allowing all outgoing, but block all incoming.

    However, I *think* I have applications installed that require ports to be open for some incoming.

    I'd rather not just wait to see what doesn't work to find that out. How can I go about determining which ports each application is designed to depend on being open?

    Also - When installing a new application, how can I know which ports it may depend on being open?

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,023
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: how to manage firewall

    When installing a new application, how can I know which ports it may depend on being open?
    Read about it - check the documentation, google for it perhaps. That's the only way to know before you install it what an app will do.
    How can I go about determining which ports each application is designed to depend on being open?
    You can tell what ports an application is listening on once it is running by looking to see what ports it actually has open. This command will list all listening ports:
    Code:
    sudo ss -lntup

  3. #3
    Join Date
    Sep 2013
    Beans
    110

    Re: how to manage firewall

    Thanks for the reply, I appreciate it.

    I ran the command you suggested.

    I think I'm going to have to throw in the towel, and just give up on firewall security in Linux.

    I had about four screens full of ports that I'd have to open up. (Yes, all the applications I could recognize running were things that should be running.)

    I didn't even have all applications running; and, I know enough to realize that many applications can choose from among several ports. This firewall management just seems far too onerous for the common user. I don't want to spend all my time the next few weeks playing whack-a-mole - "whack-a-port"? - constantly trying to chase down additional ports I didn't realize needed to be opened up for a commonly used application.

    Add on top of that your advice that, when installing a new application, I would need to do internet research to figure out the ports it might need.... Now I'm afraid that I'd be moving from the computer existing for me, to me existing for the computer.

    I am not being critical of you, I appreciate hearing the truth - even if it is an unpleasant truth.

    Unless someone can explain how there'd be an easier way to approach this?????

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    15,129
    Distro
    Kubuntu 20.04 Focal Fossa

    Re: how to manage firewall

    Install nmap.

    Code:
    sudo apt install nmap
    Now scan the localhost port on your machine and see what ports nmap reports as open.

    Code:
    sudo nmap localhost
    You need to run nmap with sudo to do most scans beyond simply pinging the hosts on your network.

    If your server also has a public facing IP address, you can run an nmap scan against it from here:
    https://hackertarget.com/nmap-online-port-scanner/

    Show us one or both lists inside of [code][/code] tags, and we'll go from there.
    Last edited by SeijiSensei; 4 Weeks Ago at 07:05 PM.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  5. #5
    Join Date
    Sep 2013
    Beans
    110

    Re: how to manage firewall

    Thanks for your help. I post the results here. But.... Now I'm confused, this list is FAR shorter than the list produced by the ss -lntup command......

    Code:
    Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-10 14:13 CDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000017s latency).
    Not shown: 982 closed ports
    PORT      STATE SERVICE
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    631/tcp   open  ipp
    1025/tcp  open  NFS-or-IIS
    1042/tcp  open  afrog
    2049/tcp  open  nfs
    3689/tcp  open  rendezvous
    5054/tcp  open  rlm-admin
    5900/tcp  open  vnc
    8000/tcp  open  http-alt
    8080/tcp  open  http-proxy
    8085/tcp  open  unknown
    9050/tcp  open  tor-socks
    10000/tcp open  snet-sensor-mgmt
    
    
    Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds

  6. #6
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,576
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: how to manage firewall

    The way I attack this depends on the risk level for each system and the network it sits on.
    For a desktop, I’ll start with:
    • allow all outbound
    • allow inbound from the LAN
    • block inbound from the WAN

    From that point, I’ll tighten as needed. Things like outbound email can only be sent to 2 servers - my email server and 1 external provider.

    My router only allows a few ports inbound and directs those to specific systems with static ips. Nothing on a client computer can change the router. I’ve never allowed UPnP to dynamically open ports on the router. UPnP has always been a terrible idea. The inbound ports allowed are a few ssh and openvpn connections and some website and email to my web and email server systems. If you don't run those things, block all inbound.

    No need for whack-a-port for 99.9995% of end-users.
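    The three desktop rules above written out as an nftables ruleset, as an added example and not the poster's own configuration; the LAN prefix 192.168.1.0/24 is an assumed placeholder for your own subnet.

```nft
#!/usr/sbin/nft -f
# Added example: desktop policy "allow all outbound, allow inbound from the LAN,
# block inbound from the WAN". 192.168.1.0/24 is an assumption; set your own LAN.
define LAN = 192.168.1.0/24

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to connections this machine opened
        ct state invalid drop
        iif "lo" accept                       # the machine talking to itself
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        ip saddr $LAN accept                  # anything from the LAN
        # everything else (the WAN) falls through to policy drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;   # allow all outbound
    }
}
```

    Load it with `sudo nft -f` and confirm with `sudo nft list ruleset`; on Ubuntu, `ufw default deny incoming`, `ufw default allow outgoing` and `ufw allow from 192.168.1.0/24` express the same three rules.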

  7. #7
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    15,129
    Distro
    Kubuntu 20.04 Focal Fossa

    Re: how to manage firewall

    Quote Originally Posted by goodstuff9
    Thanks for your help. I post the results here. But.... Now I'm confused, this list is FAR shorter than the list produced by the ss -lntup command......

    Code:
    Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-10 14:13 CDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000017s latency).
    Not shown: 982 closed ports
    PORT      STATE SERVICE
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    631/tcp   open  ipp
    1025/tcp  open  NFS-or-IIS
    1042/tcp  open  afrog
    2049/tcp  open  nfs
    3689/tcp  open  rendezvous
    5054/tcp  open  rlm-admin
    5900/tcp  open  vnc
    8000/tcp  open  http-alt
    8080/tcp  open  http-proxy
    8085/tcp  open  unknown
    9050/tcp  open  tor-socks
    10000/tcp open  snet-sensor-mgmt
    
    
    Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds
    Whatever the results of that other command, those are the TCP ports that are open on your machine. You only get TCP services from the basic nmap command. To see if you have UDP listeners, run

    Code:
    sudo nmap -sU localhost
    nmap only scans about 1500 commonly used ports by default. If you want to be comprehensive, run

    Code:
    sudo nmap -p 1-65535 -sT localhost
    for a TCP scan of every one of the 65,535 available ports. This can take a while so running it overnight makes sense.

    If you don't have any publicly-facing interface, then I'd just move on. Otherwise you need to determine why all those services are running on your machine, whether they are in fact needed, and whether they are used by other people connecting to this machine.
    Last edited by SeijiSensei; 4 Weeks Ago at 01:59 PM.

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,576
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: how to manage firewall

    Below, I'll be getting into the weeds. Ignore if you don't want to worry about this stuff.

    OTOH, if you want to understand networking, there are a few episodes of the Security Now! podcast where they explain "how the internet works" - which is really how IPv4 networking works. Start with Episode 25. I don't recall if they did them back to back or skipped a week; 25, 27, 29. Google will find that podcast pretty easily. Then go into the archives. They have human-transcribed the voices, if that works better for you. The hosts do a bunch of extra chatting well outside the topic, which can drive people crazy.

    Computers use lots of methods to talk between different programs running on the same machine. Because of the way Unix is designed, often using an internal-only network connection is the easiest. The ss command run above probably showed all the connections, including the connections that are just the machine talking to itself on a private network connection.

    There are some of those that use the public network connections too, so that some programs can talk both locally or to other partner systems on the network. Filtering out those local-only connections is easy. On one of my systems:
    Code:
    $ sudo netstat -tulpn |grep LISTEN|grep -v 127
    tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      31537/smbd      
    tcp        0      0 0.0.0.0:5906            0.0.0.0:*               LISTEN      19489/qemu-system-x
    tcp        0      0 10.161.241.1:53         0.0.0.0:*               LISTEN      4905/dnsmasq    
    tcp        0      0 0.0.0.0:4949            0.0.0.0:*               LISTEN      3672/perl       
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3540/sshd       
    tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      31537/smbd
    That machine is running a Samba server, ssh, and I know the 'perl' code is my systems monitor so another machine can pull statistics.
    • It is restricted in the munin config file to this machine or 1 other. Inside the /etc/munin/munin-node.conf file:
      Code:
      allow ^127\.0\.0\.1$
      allow ^172\.22\.22\.4$
    • The 10.161.x.x:53 DNS connection is to support lxd systems; it is non-routed.
    • The 5906 connection is to manage all the virtual machines running on the box. It is a type of VNC, but it can only be accessed through an ssh tunnel.
    • I'm positive about the connection filters for each of those processes. They are all limited to my subnet or even just localhost.


    The ssh connection isn't actually restricted to any subnet, but the router doesn't pass ssh traffic to the machine at all. All my ssh-servers (which is every Unix system here), have brute force denial protection and won't allow any connections without ssh-keys from outside the subnet. At the bottom of the /etc/ssh/sshd_config file:
    Code:
    PasswordAuthentication no
    Match Address 172.22.22.0/24,172.21.22.0/24,172.22.21.0/24
          PasswordAuthentication yes
    The "Match Address" line shows some of the subnets here. I wanted to ensure ssh access from my different LANs to this specific server machine. Desktops get a little messier because of all the crap that Canonical and the DEs run automatically so things will "just work". I disable much of those programs.

    On a 20.04 Mate-desktop that I do not have an active "X/Session" on,
    Code:
    $ sudo netstat -tulpn |grep LISTEN|grep -v 127
    tcp        0      0 0.0.0.0:4713            0.0.0.0:*               LISTEN      1318/pulseaudio     
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      822/sshd: /usr/sbin 
    tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN      1321/sshd: tf@pts/0 
    tcp        0      0 0.0.0.0:6011            0.0.0.0:*               LISTEN      2845/sshd: tf@notty
    First, I've disabled IPv6, so daemons cannot use any IPv6 stuff. I'm just not ready for it.
    Three of those lines are ssh. I remote into systems over ssh all the time to run programs remotely.
    The pulseaudio thing is just for listening to audio or sounds. Pulse has some really weenie security to prevent remote users - actually, I wouldn't call it security.
    That's the total list of non-private services. I have 2 filters to the output - that's what those 'grep' commands do. There are lots of outbound connections for different purposes - mostly avahi announcements for printers, mdns, and some other service (DLNA?). Because they are broadcast on the LAN and not specific connections to external systems, I don't worry about them.

    To see active tcp connections, use:
    Code:
    $ netstat -t 
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 regulus:35860           zcs45:imaps             ESTABLISHED
    tcp        0      0 regulus:36026           zcs45:imaps             ESTABLISHED
    tcp        0      0 regulus:6011            localhost:55066         ESTABLISHED
    tcp        0      0 localhost:55066         regulus:6011            ESTABLISHED
    tcp        0      0 regulus:ssh             hadar:53492             ESTABLISHED
    tcp        0      0 regulus:ssh             hadar:39562             ESTABLISHED
    tcp        0      0 regulus:35862           108.177.122.16:imaps    CLOSE_WAIT
    regulus, zcs45, hadar are all systems on the LAN that I control.
    108.177.122.16 is google.com ... actually gmail. imaps is an encrypted connection to an email server. The way these connections work is that 1 side has a standard port and the other side picks a random port. Almost always, the random port is from a client and the standard port is to a server. From that list above, it is clear that
    Code:
    regulus ---> IMAP ---> zcs45
    regulus ---> IMAP ---> zcs45
    regulus ---> IMAP ---> gmail
    and
    Code:
    hadar ---> ssh ---> regulus
    hadar ---> ssh ---> regulus
    Those are all expected since I use IMAP for email and use ssh for almost everything else. But the bidirectional regulus and localhost connections are a little mystery. Since I'm on regulus, that means regulus == localhost so the system is using a private network to talk to the public network interface. Hummm. I talk to myself sometimes too. I'm not going to worry about it.

    BTW, the normal ports for the most popular daemons are stored in a text file - /etc/services. Take a look at it. Any service can decide to listen on any port, but most follow those numbers in that file. Any ports below 1024 must have the port opened by root. Any userid can open a port over 1024. It is a security thing.

    Clear as mud? My intent by showing all the nitty details wasn't to confuse. It was just to show why my three global firewall rules work, in general, for almost all situations.
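    A sturdier version of the `grep -v 127` filtering in this post, applied to the `ss -lntup` listing from post #2: an added shell example (not from the thread) that classifies each listening socket by the address it is bound to, run here over a constructed `ss -lntup` sample. It also shows why `nmap localhost` lists fewer ports than `ss`: UDP sockets and sockets bound only to a LAN address show up here but not in a default TCP scan of 127.0.0.1.

```shell
#!/bin/sh
# Added example: classify listening sockets from `ss -lntup` by bind address.
# SAMPLE is constructed for this example, not taken from the thread.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=12))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=822,fd=3))
tcp   LISTEN 0      128    0.0.0.0:5900       0.0.0.0:*         users:(("x11vnc",pid=1500,fd=4))
tcp   LISTEN 0      32     192.168.1.10:53    0.0.0.0:*         users:(("dnsmasq",pid=4905,fd=5))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=822,fd=4))
tcp   LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=900,fd=8))'

# Read ss output on stdin; print "proto port scope process" per socket.
# scope is "loopback" (only this machine can reach it), "all" (every
# interface, IPv4 or IPv6), or the specific address the daemon bound to.
classify_listeners() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]          # text after the last ":" is the port
        addr = substr($5, 1, length($5) - length(port) - 1)
        sub(/%.*/, "", addr)                        # drop an interface suffix such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all"
        else scope = addr
        proc = "?"                                  # ss omits the process column without sudo
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print $1, port, scope, proc
    }'
}

# Sockets a peer on the LAN or the internet could reach, i.e. the ones a
# firewall rule actually has to decide about. Unlike `grep -v 127`, this
# does not hide a line whose port number or PID merely contains "127".
exposed_listeners() {
    classify_listeners | awk '$3 != "loopback"'
}

# On a real machine: sudo ss -lntup | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```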

  9. #9
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,576
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: how to manage firewall

    Code:
    PORT      STATE SERVICE
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    631/tcp   open  ipp
    1025/tcp  open  NFS-or-IIS
    1042/tcp  open  afrog
    2049/tcp  open  nfs
    3689/tcp  open  rendezvous
    5054/tcp  open  rlm-admin
    5900/tcp  open  vnc
    8000/tcp  open  http-alt
    8080/tcp  open  http-proxy
    8085/tcp  open  unknown
    9050/tcp  open  tor-socks
    10000/tcp open  snet-sensor-mgmt
    These aren't the normal programs a typical desktop user would run. Many are high risk and shouldn't be available over the internet without significant security wrappers. If you ran the nmap against "localhost", then you'll see both the ports available on the subnet AND only available to that specific machine. For someone running TOR, a bunch of those daemons seem anti-privacy and should be disabled. Running a web server and DNS server and VNC and NFS server and samba server on the same system just seems non-secure to me. But if they all only allow access on the local machine, then it isn't THAT big of a deal.

    I am concerned that you have VNC, but not ssh running. Please say that ssh is running on a non-standard port? Please.

  10. #10
    Join Date
    Sep 2013
    Beans
    110

    Re: how to manage firewall

    Thank you.

    Sorry for the delay, I was away for a couple days.

    I will admit, I am unable to follow 90% of what you wrote. I need far more education to understand what you are saying, and what conclusions I should draw from it.
