Page 2 of 2 FirstFirst 12
Results 11 to 14 of 14

Thread: [SOLVED] Which ports to involve with firewall?

  1. #11
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Which ports to involve with firewall?

    Quote Originally Posted by TheFu
    Security is about layers. The first layer is always in the network, preventing access to attackers that don't have any need to have access. Home users aren't banks. Avahi isn't really something that can be "authenticated", at least not today, so the best we can do is to prevent access by other clients outside the expected LAN. Of course, other protocols and tools DO support key-based authentication. Use keys/certs whenever possible. Avoid passwords when possible, but sometimes that's all we have available.
    Attackers already don't have access to internal networks due to NAT: that IS the security defense against outside threats. No one can reach your computer from the Internet unless you enable port forwarding or other means of access explicitly.

    Quote Originally Posted by TheFu
    BTW, you may notice that in my firewall rules, port 443 isn't open, so the only way that access would be allowed is if I'm running a web-client that is accessing a remote server and opens a connection. 3rd parties don't get to ride that connection. They are blocked unlike with many home routers. Linux firewalls aren't THAT dumb.
    I don't understand what this means. Linux firewalls ARE that dumb. They are not layer 7; they have no idea what application is talking to what. They know ports and IP addresses, that's it. When you open your firewall for "accessing a remote server", so does the malware. This is all, by the way, assuming the malware doesn't have root (which is trivial to get on Linux) and just ignores your firewall altogether.

    Quote Originally Posted by TheFu
    For example, here's a 3rd party trying to piggyback on a request, but being blocked ...
    Code:
    May 28 09:28:50 hadar kernel: [859693.112304] [UFW BLOCK] IN=br0 OUT= MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=213.186.33.19 DST=172.22.22.6 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=48698 DF PROTO=TCP SPT=443 DPT=33398 WINDOW=18 RES=0x00 ACK URGP=0
    What's hilarious about this example is you're actually showing a return packet from a server being blocked to you. Which means your computer has already sent a packet to that server, which you allegedly "block". Oops!

    Quote Originally Posted by TheFu
    This is an example for why we need both the router firewall AND the on-system, software firewall enabled. BTW, my router isn't a dumb consumer router, but clearly, it isn't blocking everything unwanted. If it was, then the desktop system would never have seen the request from OVH and needed to block it.

    Layers of security. That's the plan.
    Layers of security which make sense. Having two firewalls, with one of them on a device behind a trusted NAT, makes zero sense. It is the equivalent of using multiple full disk encryption methods when LUKS does a fine job. Sorry, but you have not demonstrated the value of the same to me.

    Quote Originally Posted by TheFu
    For services that do have authentication, say ssh, preventing outsiders may not be needed, but there have been bugs, so I use tcp-wrappers and ssh-keys, in addition to the firewall blocks. I'm a belts AND suspenders person. I assume I'll make a human mistake from time to time and want the other layers of security to protect the service for those occasions.
    Okay, but where is the limit? Why not have three layers of security, or four, or five? Because of diminishing returns, added complexity and possibly even increased attack surface from it.

    Quote Originally Posted by TheFu
    I also run a VPN for remote access rather than allowing things like NextCloud to sit on the internet. No VPN? No access to our family nextcloud server. Of course, inside the trusted, wired network things are different. However, wifi systems inside the building still have to use the VPN to authenticate to the network first. I know that wifi cannot be trusted. It has been proven over and over. Don't get me started about Bluetooth. Just-don't-use-it. They have marketing people who smile way too much, perhaps because they know how bad the security of it is. IDK.

    Belts and suspenders.
    That's great, and for remote access those tools have a place. We're discussing a machine on a trusted local network behind a NAT that's not running any public services. It does not need a firewall applied.
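The two posters above read the same `[UFW BLOCK]` line differently, so here is the check a practitioner would actually run on it. This is an added example, not code from the thread: it splits a UFW kernel log line into its netfilter fields and labels the packet by what its TCP flags say about connection state. UFW accepts anything conntrack already marks ESTABLISHED/RELATED before its block rules are reached, so a logged packet is by definition one with no matching state: a bare SYN is an unsolicited connection attempt, while an ACK-only segment from a service port (here 443) to a high port is what arrives after the local socket has closed, a late or out-of-window segment, or an ACK scan. The first log line is the one quoted in the thread; the SYN and UDP lines are constructed for this example and use RFC 5737 documentation addresses.

```python
"""Classify [UFW BLOCK] kernel log lines the way a stateful filter reads them.

Added example for the exchange above; not code from the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First line is the one quoted in the thread.  The two after it are
# constructed for this example (RFC 5737 documentation addresses).
THREAD_LINE = (
    "May 28 09:28:50 hadar kernel: [859693.112304] [UFW BLOCK] IN=br0 OUT= "
    "MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=213.186.33.19 "
    "DST=172.22.22.6 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=48698 DF PROTO=TCP "
    "SPT=443 DPT=33398 WINDOW=18 RES=0x00 ACK URGP=0")
SYN_LINE = (
    "May 28 09:30:01 hadar kernel: [859764.000000] [UFW BLOCK] IN=br0 OUT= "
    "MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=203.0.113.5 "
    "DST=172.22.22.6 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP "
    "SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0")
UDP_LINE = (
    "May 28 09:31:12 hadar kernel: [859835.000000] [UFW BLOCK] IN=br0 OUT= "
    "MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=198.51.100.9 "
    "DST=172.22.22.6 LEN=78 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=UDP "
    "SPT=5353 DPT=5353 LEN=58")

TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
MARKER = "[UFW BLOCK]"


@dataclass(frozen=True)
class BlockedPacket:
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: frozenset


def parse_ufw_block(line: str) -> Optional[BlockedPacket]:
    """Split the netfilter key=value fields after the marker; None if not a UFW line."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + len(MARKER):].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)      # UDP lines repeat LEN; keep the IP-level one
        elif tok in TCP_FLAG_TOKENS:          # bare tokens such as ACK / SYN are TCP flags
            flags.add(tok)                    # (DF is an IP option, deliberately ignored)

    def port(key: str) -> Optional[int]:
        return int(fields[key]) if fields.get(key, "").isdigit() else None

    return BlockedPacket(fields.get("SRC", ""), fields.get("DST", ""),
                         fields.get("PROTO", "?"), port("SPT"), port("DPT"),
                         frozenset(flags))


def classify(pkt: BlockedPacket) -> str:
    """Label a blocked packet by what its flags say about connection state.

    UFW's before-rules ACCEPT conntrack state ESTABLISHED,RELATED, so anything
    that reached a block rule had no connection entry at all.
    """
    if pkt.proto == "TCP":
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return "unsolicited-syn"         # someone trying to open a connection to us
        if "ACK" in pkt.flags and "SYN" not in pkt.flags:
            return "stateless-ack"           # local side closed / late segment / ACK scan
        return "tcp-other"
    if pkt.proto == "UDP":
        return "udp-datagram"                # stateless; only conntrack's reply window passes it
    return "other"


def summarize(lines: List[str]) -> List[Tuple[str, str, Optional[int], Optional[int], str]]:
    """(src, proto, spt, dpt, label) per UFW line; non-UFW lines are skipped."""
    rows = []
    for line in lines:
        pkt = parse_ufw_block(line)
        if pkt is not None:
            rows.append((pkt.src, pkt.proto, pkt.spt, pkt.dpt, classify(pkt)))
    return rows


if __name__ == "__main__":
    for row in summarize([THREAD_LINE, SYN_LINE, UDP_LINE, "unrelated syslog line"]):
        print(row)
```

Run against `journalctl -k | grep 'UFW BLOCK'` output, the counts per label tell you whether a host is seeing connection attempts (SYNs to ports you never opened) or only stateless leftovers of its own outbound sessions, which is the distinction the two posts above are arguing over.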

  2. #12
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Which ports to involve with firewall?

    Quote Originally Posted by currentshaft
    Attackers already don't have access to internal networks due to NAT: that IS the security defense against outside threats. No one can reach your computer from the Internet unless you enable port forwarding or other means of access explicitely.
    Uh ... you can believe that if you like. I know different. I've seen it. NAT isn't a firewall. People are confused about that. I've seen traffic from outside get inside a LAN that had no external ports open or forwarded. This was at a client's office. They did DoD work from IPs that didn't have any domain name assigned beyond the ISP subnet as a way to obscure who they were.

    Security issues often break down to who understands the RFC better and which side understands the specifications. Often, there are things NOT in the RFCs, so specific implementations ignore those aspects, leaving security issues.

    For a home network, whether a firewall is needed on each system depends on many possible things, including the risks and likely attackers.

    Lots of people definitely run their LAN systems without a firewall on each computer. That's their choice. When they take their laptop into the world, they definitely NEED a firewall enabled. I think we can agree on that.

  3. #13
    Join Date
    May 2024
    Beans
    28

    The Antwerd (answer) Which firewall ports?

    @TheFu

    My god, man, you have the answer.
    I don't know how anybody ever learns this stuff.
    It's not exactly common knowledge.

    Thanks so much.
    I will see if I can give it a go eventually.
    I don't want to mess up my internet.

    But thanks! Seems like the answer.

    Quote Originally Posted by TheFu
    For high security, block everything coming in and everything going out. Then open outbound ports in the firewall that are needed for the specific things you do.

    For example, do you want to connect to a mail server for reading and replying to email? That's usually port 465/tcp (SMTPs) and 993/tcp (IMAPS).

    Do you want to access remote websites? Those use port 80/tcp and 443/tcp, typically. Streaming videos may hop to a different port and may use UDP instead of TCP.
    You'll likely want DNS to be allowed. Depending on which type of DNS you use, that can be on port 53/udp or 53/tcp or if you use DNS-over-HTTPS, that would use 443/tcp.

    Want to print to a network printer? CUPS is usually on port 631/tcp.

    The major ports used for different network services are listed in the /etc/services file. May want to review that.

    CIFS, NFS, ssh, are a few other things commonly used.

    What most people do is to block all incoming connections, then allow all outbound connections on their workstations. Then they would add specific rules for the inbound network services only if needed. You can allow those for any systems on the same subnet or for specific IPs on the subnet. If you do specific IPs, then you'll need to have a well-managed network.
    For one of my LAN servers, here are all the inbound firewall rules
    Code:
    $ sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    4949/tcp                   ALLOW       172.22.22.4               
    111                        ALLOW       172.22.22.0/24            
    2049                       ALLOW       172.22.22.0/24            
    22/tcp                     ALLOW       172.22.22.0/24            
    8096                       ALLOW       172.22.22.0/24            
    13025                      ALLOW       172.22.22.0/24            
    5353                       ALLOW       172.22.22.0/24            
    3142                       ALLOW       172.22.22.0/24             # apt-cacher-ng
    1900                       ALLOW       172.22.22.0/24             # DLNA
    6600                       ALLOW       172.22.22.0/24            
    123/udp                    ALLOW       172.22.22.0/24            
    7359/udp                   ALLOW       172.22.22.0/24             # Jellyfin Discovery UDP
    8000                       ALLOW       172.22.22.0/24             # Jellyfin TV Icons
    8181                       ALLOW       172.22.22.0/24
    Each was carefully selected for specific reasons. Another server has these rules:
    Code:
    $ sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    631                        ALLOW       172.22.22.0/24            # Printing
    22                         ALLOW       172.22.22.0/24            # ssh
    4949/tcp                   ALLOW       172.22.22.4
    5353/udp                   ALLOW       Anywhere                  # zeroconf/avahi/mdns
    2049                       ALLOW       172.22.22.0/24            # NFS
    13025                      ALLOW       172.22.22.0/24            # NFS
    111                        ALLOW       172.22.22.0/24            # ident
    My desktop has these rules:
    Code:
    $ sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere                  
    4949/tcp                   ALLOW       172.22.22.4
    I figured seeing real examples would be helpful. These are only the rules controlled by UFW. I have some other rules that get added dynamically when using VPN software. My VPN server has a bunch of rules to allow connections between different subnets.
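The post above lays out a policy (deny all inbound, allow outbound, then one explicit inbound allow per service scoped to the LAN or a single host) and shows three `ufw status` listings. The following is an added example, not the poster's own tooling: it parses `ufw status` text into rule records, flags any ALLOW rule broader than "one port, one protocol, source inside the trusted subnet", and generates the command sequence for that policy from a service list, including the "block everything out, then open what you need" variant quoted at the top of the post. The sample status text copies four rules from the listings above (it is not captured from a live system); the audit criterion is derived from the post's guidance, so the 5353/udp-from-Anywhere rule, which the post allows deliberately for mDNS, is reported as something to confirm rather than as an error. Assumed: a ufw new enough to accept the `comment` keyword, and 172.22.22.0/24 as the trusted LAN, as in the listings.

```python
"""Parse `ufw status` output, audit the rules, and generate an allow-list ruleset.

Added example for the post above; not the poster's own code.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

LAN = "172.22.22.0/24"   # trusted subnet used throughout the post's listings (assumption)

# Sample status text: four rules copied from the listings in the post (two from
# the desktop, two from the second server).  Not captured from a live system.
STATUS_TEXT = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
4949/tcp                   ALLOW       172.22.22.4
5353/udp                   ALLOW       Anywhere                  # zeroconf/avahi/mdns
111                        ALLOW       172.22.22.0/24            # ident
"""

# Matches both `ufw status` rows ("ALLOW") and `ufw status verbose` rows ("ALLOW IN").
# Header and separator rows carry no ALLOW/DENY token, so they simply fail to match.
RULE_RE = re.compile(
    r"^(?P<to>\S+)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+"
    r"(?P<src>Anywhere(?: \(v6\))?|\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")


@dataclass(frozen=True)
class Rule:
    to: str
    action: str
    src: str
    comment: str = ""

    @property
    def port(self) -> Optional[int]:
        head = self.to.split("/", 1)[0]
        return int(head) if head.isdigit() else None   # app profiles ("OpenSSH") carry no port

    @property
    def proto(self) -> Optional[str]:
        return self.to.split("/", 1)[1] if "/" in self.to else None


def parse_ufw_status(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["to"], m["action"], m["src"], m["comment"] or ""))
    return rules


def audit(rules: Sequence[Rule], lan: str = LAN) -> List[Tuple[Rule, str]]:
    """(rule, finding) for ALLOW rules broader than 'one port, one proto, LAN only'."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for r in rules:
        if r.action != "ALLOW":
            continue
        if r.src.startswith("Anywhere"):
            findings.append((r, "allowed from any source, not just the LAN"))
        else:
            try:
                src_net = ipaddress.ip_network(r.src, strict=False)   # single host -> /32
                if src_net.version == lan_net.version and not src_net.subnet_of(lan_net):
                    findings.append((r, f"source {r.src} is outside {lan}"))
            except ValueError:
                findings.append((r, f"unparseable source {r.src!r}"))
        if r.proto is None and r.port is not None:
            findings.append((r, "no protocol given, so the rule matches both tcp and udp"))
    return findings


@dataclass(frozen=True)
class Service:
    port: int
    proto: str                 # "tcp" or "udp"
    comment: str
    src: Optional[str] = None  # None means the whole trusted LAN


def ufw_commands(inbound: Sequence[Service], outbound: Optional[Sequence[Service]] = None,
                 lan: str = LAN) -> List[str]:
    """Deny in, allow out (or an explicit outbound allow-list when `outbound` is
    given), then one scoped inbound allow per service.  One rule per port/proto,
    so DNS over both transports needs a 53/udp and a 53/tcp entry."""
    cmds = ["ufw default deny incoming"]
    if outbound is None:
        cmds.append("ufw default allow outgoing")
    else:
        cmds.append("ufw default deny outgoing")
        for s in outbound:
            cmds.append(f"ufw allow out to any port {s.port} proto {s.proto} comment '{s.comment}'")
    for s in inbound:
        cmds.append(f"ufw allow from {s.src or lan} to any port {s.port} "
                    f"proto {s.proto} comment '{s.comment}'")
    cmds.append("ufw enable")
    return cmds


if __name__ == "__main__":
    for rule, why in audit(parse_ufw_status(STATUS_TEXT)):
        print(f"{rule.to:<10} from {rule.src:<16} {why}")
    print("\n".join(ufw_commands([Service(22, "tcp", "ssh"), Service(4949, "tcp", "monitoring", "172.22.22.4")],
                                 outbound=[Service(443, "tcp", "https"), Service(53, "udp", "dns")])))
```

Feed it `sudo ufw status | python3 audit.py`-style, or paste the listing into `STATUS_TEXT`; the findings are prompts to confirm intent (the mDNS rule, for instance), and the generated commands can be reviewed before they are run.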

  4. #14
    Join Date
    May 2024
    Beans
    28

    Re: [SOLVED] Which ports to involve with firewall?

    One thing to keep in mind, sometimes people hack us Linux guys, and some of them pass themselves off as doing technical support for us when we get clobbered. So beware.

