
Thread: [SOLVED] Which ports to involve with firewall?

  1. #1
    Join Date
    May 2024
    Beans
    48

    [SOLVED] Which ports to involve with firewall?

    if I use the common familiar Linux firewall stuff, how do I know which ports to edit?
    This is the main stumbling block I have so my systems end up insecure and the hackers in this area are fierce.

    Please help, if you can.

    I'm in between distros for now, so I have nothing in front of me yet.

    SOLVED: See posts by 'TheFu' in this thread.
    Thanks 'TheFu' ! Awesome response.
    Last edited by 909mjolnir; May 29th, 2024 at 11:12 PM. Reason: TheFu (user) posted a viable solution and referenced a file list

  2. #2
    currentshaft
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Which ports to involve with firewall?

    What do you mean by "edit"? Blocking ports is typically not necessary unless you're planning on visiting untrusted networks, and even then the default Ubuntu installation does not really expose anything.

  3. #3
    Join Date
    May 2024
    Beans
    48

    Re: Which ports to involve with firewall?

    @currentshaft :

    Yeah, I've heard that before, years ago. But it just isn't true anymore. There are tons of articles since about 2019 talking about Linux's need for better security defaults and implementation. I can't find hardly any tutorials yet.

  4. #4
    #&thj^%
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: Which ports to involve with firewall?

    This looks interesting: https://safing.io/

    It will take a small learning curve.

  5. #5
    currentshaft
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Which ports to involve with firewall?

    Quote Originally Posted by 909mjolnir View Post
    @currentshaft :

    Yeah, I've heard that before, years ago. But it just isn't true anymore. There's tone of articles since about 2019 talking about Linux's need for better security defaults and implementation. I can't find hardy any tutorials yet.
    It is true. The burden is on you to provide objective evidence to the contrary. A vague first-hand recollection of some 5 year old "articles" does not suffice for the same. The lack of "hardy any tutorials [sic]" is proof you don't need to worry about this problem.

    If you want to care about security, that's great, but the network firewall is not something to concern yourself with, unless you travel to sketchy places, and even then the default set of services on Ubuntu presents no risk.

  6. #6
    Join Date
    Mar 2010
    Location
    /home
    Beans
    9,636
    Distro
    Xubuntu

    Re: Which ports to involve with firewall?

    Quote Originally Posted by 909mjolnir View Post
    if I use the common familiar Linux firewall stuff
    What does that mean?

    Are you using a GUI frontend?

    There are many threads on the forum that discuss ports and basic rules about what to block (or not).

    Would be worthwhile searching for them I think.

  7. #7
    Join Date
    Jun 2021
    Location
    Third rock from the sun.
    Beans
    Hidden!

    Re: Which ports to involve with firewall?

    I use GUFW, which I enable and then set to 'public'. It does most of the basic 'firewall stuff' that is needed.
    Nothing travels faster than the speed of light, with the possible exception of bad news, which obeys its own special laws. (Douglas Adams)

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Which ports to involve with firewall?

    For high security, block everything coming in and everything going out. Then open outbound ports in the firewall that are needed for the specific things you do.

    For example, do you want to connect to a mail server for reading and replying to email? That's usually port 465/tcp (SMTPs) and 993/tcp (IMAPS).

    Do you want to access remote websites? Those use port 80/tcp and 443/tcp, typically. Streaming videos may hop to a different port and may use UDP instead of TCP.
    You'll likely want DNS to be allowed. Depending on which type of DNS you use, that can be on port 53/udp or 53/tcp or if you use DNS-over-HTTPS, that would use 443/tcp.

    Want to print to a network printer? CUPS is usually on port 631/tcp.

    The major ports used for different network services are listed in the /etc/services file. May want to review that.

    CIFS, NFS, ssh, are a few other things commonly used.

    What most people do is to block all incoming connections, then allow all outbound connections on their workstations. Then they would add specific rules for the inbound network services only if needed. You can allow those for any systems on the same subnet or for specific IPs on the subnet. If you do specific IPs, then you'll need to have a well-managed network.
    For one of my LAN servers, here are all the inbound firewall rules
    Code:
    $ sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    4949/tcp                   ALLOW       172.22.22.4               
    111                        ALLOW       172.22.22.0/24            
    2049                       ALLOW       172.22.22.0/24            
    22/tcp                     ALLOW       172.22.22.0/24            
    8096                       ALLOW       172.22.22.0/24            
    13025                      ALLOW       172.22.22.0/24            
    5353                       ALLOW       172.22.22.0/24            
    3142                       ALLOW       172.22.22.0/24             # apt-cacher-ng
    1900                       ALLOW       172.22.22.0/24             # DLNA
    6600                       ALLOW       172.22.22.0/24            
    123/udp                    ALLOW       172.22.22.0/24            
    7359/udp                   ALLOW       172.22.22.0/24             # Jellyfin Discovery UDP
    8000                       ALLOW       172.22.22.0/24             # Jellyfin TV Icons
    8181                       ALLOW       172.22.22.0/24
    Each was carefully selected for specific reasons. Another server has these rules:
    Code:
    $ sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    631                        ALLOW       172.22.22.0/24            # Printing
    22                         ALLOW       172.22.22.0/24            # ssh
    4949/tcp                   ALLOW       172.22.22.4
    5353/udp                   ALLOW       Anywhere                  # zeroconf/avahi/mdns
    2049                       ALLOW       172.22.22.0/24            # NFS
    13025                      ALLOW       172.22.22.0/24            # NFS
    111                        ALLOW       172.22.22.0/24            # ident
    My desktop has these rules:
    Code:
    $ sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere                  
    4949/tcp                   ALLOW       172.22.22.4
    I figured seeing real examples would be helpful. These are only the rules controlled by UFW. I have some other rules that get added dynamically when using VPN software. My VPN server has a bunch of rules to allow connections between different subnets.
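    The rule lists above are the raw `ufw status` output. As an added example (not TheFu's code or anything from the ufw project), the following Python parses that output, reports which ALLOW rules admit traffic from outside a given LAN prefix, and renders the rules back as the ufw commands that would recreate them under the "block all incoming, allow all outgoing" policy described in the post. The sample output embedded below is constructed to mirror the rule lines quoted in the thread; the LAN prefix 172.22.22.0/24 is taken from those lines.

    ```python
    """Parse `sudo ufw status` output and audit inbound exposure.
    Added example; SAMPLE_STATUS is constructed, not captured from a real host."""
    import ipaddress
    import re
    from dataclasses import dataclass

    # Constructed sample in the shape ufw prints (a v6 rule line included).
    SAMPLE_STATUS = """\
    Status: active

    To                         Action      From
    --                         ------      ----
    631                        ALLOW       172.22.22.0/24            # Printing
    22/tcp                     ALLOW       Anywhere
    4949/tcp                   ALLOW       172.22.22.4
    5353/udp                   ALLOW       Anywhere                  # zeroconf/avahi/mdns
    2049                       ALLOW       172.22.22.0/24            # NFS
    22/tcp (v6)                ALLOW       Anywhere (v6)
    """

    # One rule line: port[:range][/proto] [(v6)]  ACTION [IN|OUT]  source [(v6)]  [# comment]
    RULE_RE = re.compile(
        r"^(?P<port>\d+(?::\d+)?)(?:/(?P<proto>tcp|udp))?(?:\s\(v6\))?\s+"
        r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+"
        r"(?P<src>\S+(?:\s\(v6\))?)(?:\s+#\s*(?P<comment>.*))?$"
    )

    @dataclass(frozen=True)
    class Rule:
        port: str
        proto: str      # "tcp", "udp" or "any"
        action: str
        source: str     # CIDR, single address, "Anywhere" or "Anywhere (v6)"
        comment: str

    def parse_ufw_status(text: str) -> list[Rule]:
        """Header, blank and 'Status:' lines do not match RULE_RE and are skipped."""
        rules = []
        for line in text.splitlines():
            m = RULE_RE.match(line.strip())
            if m:
                rules.append(Rule(m["port"], m["proto"] or "any", m["action"],
                                  m["src"], (m["comment"] or "").strip()))
        return rules

    def exposed_outside_lan(rules: list[Rule], lan: str = "172.22.22.0/24") -> list[Rule]:
        """ALLOW rules whose source is not contained in the LAN prefix."""
        net = ipaddress.ip_network(lan)
        exposed = []
        for r in rules:
            if r.action != "ALLOW":
                continue
            if r.source.startswith("Anywhere"):
                exposed.append(r)
                continue
            src = ipaddress.ip_network(r.source, strict=False)  # host -> /32
            if not src.subnet_of(net):
                exposed.append(r)
        return exposed

    def ufw_commands(rules: list[Rule]) -> list[str]:
        """Render rules as ufw invocations under a default-deny-inbound policy.
        A v6 rule with the same port/source renders identically to its v4 twin
        (ufw creates both from one 'from any' rule), so duplicates are dropped."""
        cmds = ["ufw default deny incoming", "ufw default allow outgoing"]
        seen = set()
        for r in rules:
            src = "any" if r.source.startswith("Anywhere") else r.source
            proto = "" if r.proto == "any" else f" proto {r.proto}"
            cmd = f"ufw {r.action.lower()} from {src} to any port {r.port}{proto}"
            if r.comment:
                cmd += f" comment '{r.comment}'"
            if cmd not in seen:
                seen.add(cmd)
                cmds.append(cmd)
        return cmds

    if __name__ == "__main__":
        parsed = parse_ufw_status(SAMPLE_STATUS)
        for r in exposed_outside_lan(parsed):
            print(f"open beyond LAN: {r.port}/{r.proto} from {r.source}")
        print("\n".join(ufw_commands(parsed)))
    ```

    Running it against the constructed sample flags 22/tcp and 5353/udp as reachable from beyond the LAN, which is exactly the distinction the post draws between rules scoped to 172.22.22.0/24 and rules open to Anywhere. Feed it your own `sudo ufw status` output to get the same report for a real host.
    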

  9. #9
    currentshaft
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Which ports to involve with firewall?

    With all due respect, a traditional firewall as you've described is effectively 100% security theater which is not going to prevent Real Bad Things(tm) from happening.

    Local malware will just use TCP port 443, the same port which is allowed for web browsing.

    If anything, these sort of firewalls actually worsen security because they provide a false sense of protection, by creating a proverbial moat which appears impenetrable but is in reality a weak and meaningless boundary.

    If you want security, do not install and expose unnecessary services, and those which are exposed should use mutual authentication based on strong crypto. This is also known as "zero trust".

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Which ports to involve with firewall?

    Security is about layers. The first layer is always in the network, preventing access to attackers that don't have any need to have access. Home users aren't banks. Avahi isn't really something that can be "authenticated", at least not today, so the best we can do is to prevent access by other clients outside the expected LAN. Of course, other protocols and tools DO support key-based authentication. Use keys/certs whenever possible. Avoid passwords when possible, but sometimes that's all we have available.

    BTW, you may notice that in my firewall rules, port 443 isn't open, so the only way that access would be allowed is if I'm running a web client that is accessing a remote server and opens a connection. 3rd parties don't get to ride that connection. They are blocked, unlike with many home routers. Linux firewalls aren't THAT dumb.

    For example, here's a 3rd party trying to piggyback on a request, but being blocked ...
    Code:
    May 28 09:28:50 hadar kernel: [859693.112304] [UFW BLOCK] IN=br0 OUT= MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=213.186.33.19 DST=172.22.22.6 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=48698 DF PROTO=TCP SPT=443 DPT=33398 WINDOW=18 RES=0x00 ACK URGP=0
    This is an example for why we need both the router firewall AND the on-system, software firewall enabled. BTW, my router isn't a dumb consumer router, but clearly, it isn't blocking everything unwanted. If it was, then the desktop system would never have seen the request from OVH and needed to block it.

    Layers of security. That's the plan.

    For services that do have authentication, say ssh, preventing outsiders may not be needed, but there have been bugs, so I use tcp-wrappers and ssh-keys, in addition to the firewall blocks. I'm a belts AND suspenders person. I assume I'll make a human mistake from time to time and want the other layers of security to protect the service for those occasions.

    I also run a VPN for remote access rather than allowing things like NextCloud to sit on the internet. No VPN? No access to our family nextcloud server. Of course, inside the trusted, wired network things are different. However, wifi systems inside the building still have to use the VPN to authenticate to the network first. I know that wifi cannot be trusted. It has been proven over and over. Don't get me started about Bluetooth. Just-don't-use-it. They have marketing people who smile way too much, perhaps because they know how bad the security of it is. IDK.

    Belts and suspenders.
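    The `[UFW BLOCK]` line quoted above is what the kernel logs for every packet the host firewall drops. As an added example (not from this thread or from ufw itself), the Python below parses such lines into fields, separates TCP packets that are fresh connection attempts (SYN without ACK) from TCP packets that carry no SYN and so could not have opened a session, and tallies drops by source address. This is the kind of summary that makes a "blocked by the on-system firewall" log useful for spotting what the router let through. The sample log consists of the one line quoted in the post plus two constructed lines using documentation-range addresses; the host name and MAC are reused from the quoted line.

    ```python
    """Parse `[UFW BLOCK]` kernel log lines and summarize dropped traffic.
    Added example; SAMPLE_LOG = the line quoted in the thread + 2 constructed lines."""
    import re
    from collections import Counter

    TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

    SAMPLE_LOG = """\
    May 28 09:28:50 hadar kernel: [859693.112304] [UFW BLOCK] IN=br0 OUT= MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=213.186.33.19 DST=172.22.22.6 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=48698 DF PROTO=TCP SPT=443 DPT=33398 WINDOW=18 RES=0x00 ACK URGP=0
    May 28 09:30:01 hadar kernel: [859764.000001] [UFW BLOCK] IN=br0 OUT= MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=198.51.100.7 DST=172.22.22.6 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
    May 28 09:30:02 hadar kernel: [859765.000002] [UFW BLOCK] IN=br0 OUT= MAC=0c:9d:92:87:ce:13:00:0d:b9:41:67:05:08:00 SRC=198.51.100.7 DST=172.22.22.6 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=2 PROTO=UDP SPT=40000 DPT=5353 LEN=20
    """

    # syslog timestamp, host, "kernel: [uptime] [UFW BLOCK]", then key=value / flag tokens
    BLOCK_RE = re.compile(
        r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[[^\]]*\] "
        r"\[UFW BLOCK\] (?P<rest>.*)$"
    )

    def parse_block_line(line: str):
        """Return a dict of lowercase field names, or None for non-UFW lines.
        Bare tokens that are TCP flag names go into rec['flags']; other bare
        tokens (e.g. DF) are ignored. For UDP the second LEN= (UDP length)
        overwrites the IP LEN=, which is fine for this summary."""
        m = BLOCK_RE.match(line)
        if not m:
            return None
        rec = {"ts": m["ts"], "host": m["host"], "flags": set()}
        for tok in m["rest"].split():
            if "=" in tok:
                key, val = tok.split("=", 1)
                rec[key.lower()] = val
            elif tok in TCP_FLAGS:
                rec["flags"].add(tok)
        return rec

    def classify(rec: dict) -> str:
        """SYN without ACK = an attempt to open a new TCP session; any other
        TCP flag set (ACK, RST, FIN, SYN+ACK) cannot open one; non-TCP = datagram."""
        if rec.get("proto") != "TCP":
            return "non_tcp"
        flags = rec["flags"]
        if "SYN" in flags and "ACK" not in flags:
            return "new_tcp_connection"
        return "tcp_without_syn"

    def summarize(text: str) -> dict:
        recs = [r for r in map(parse_block_line, text.splitlines()) if r]
        return {
            "total": len(recs),
            "by_source": dict(Counter(r["src"] for r in recs)),
            "by_kind": dict(Counter(classify(r) for r in recs)),
            "by_dport": dict(Counter(f'{r["proto"]}/{r["dpt"]}' for r in recs)),
        }

    if __name__ == "__main__":
        for k, v in summarize(SAMPLE_LOG).items():
            print(f"{k}: {v}")
    ```

    On a real system the input is `journalctl -k | grep 'UFW BLOCK'` (or /var/log/ufw.log where rsyslog writes it). The by_kind split matters for triage: a run of SYN-only drops to the same destination port is inbound probing that the default-deny policy absorbed, while ACK-only drops to high ports are packets that could not have started a session regardless of the rule set.
    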

