Firewall 101, what ports do I need to let through?

TIMFOX123
If you look through the "code" section of this question, you will see an example system that I have in my lab. It is just a very minimal Red Hat box without X.

Now for the question: what ports do I need to let through my firewall? If I only have one interface, then logically it seems that if a port is up it should be let through. Otherwise I should stop the service and close the port.

Do I only need to let the ports listed in /etc/services through or all the ports ?  NFS takes 5 ports, if I want to share out NFS, should I let all 5 through ?

Inquiring minds want to know.

[root@localhost ~]# netstat -tnlupan 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:932                 0.0.0.0:*                   LISTEN      1598/rpc.statd      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1562/portmap        
tcp        0      0 :::22                       :::*                        LISTEN      1802/sshd           
tcp        0      0 ::ffff:192.168.122.252:22   ::ffff:192.168.122.1:41174  ESTABLISHED 967/0               
udp        0      0 0.0.0.0:58624               0.0.0.0:*                               1903/avahi-daemon:  
udp        0      0 0.0.0.0:926                 0.0.0.0:*                               1598/rpc.statd      
udp        0      0 0.0.0.0:929                 0.0.0.0:*                               1598/rpc.statd      
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1445/dhclient       
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1903/avahi-daemon:  
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1562/portmap        
udp        0      0 :::52312                    :::*                                    1903/avahi-daemon:  
udp        0      0 :::5353                     :::*                                    1903/avahi-daemon:  
[root@localhost ~]# netstat -tnlupan | awk '/:/ {print $4}'
0.0.0.0:932
0.0.0.0:111
:::22
::ffff:192.168.122.252:22
0.0.0.0:58624
0.0.0.0:926
0.0.0.0:929
0.0.0.0:68
0.0.0.0:5353
0.0.0.0:111
:::52312
:::5353

Top Expert 2010

Commented:
I would say that what ports you let through the firewall depends on what services you want to offer to the outside world.

You seem to be listening on quite a few ports. I'm not 100% sure what each of these ports belongs to, though....

Now, when you speak of a firewall, are you referring to a perimeter device or to the local iptables, or both?

Author

Commented:
I am asking to learn.  Teach me to fish and I eat for a lifetime.

It would be good to know both.




Top Expert 2010
Commented:
Very well, grasshopper....

Although a full explanation of firewalls is far above what we can hope to cover here...

Most Linux systems will have iptables installed. Iptables is a "firewall" style application that will allow protocols and ports to connect to the host system. It's essentially a firewall for the one device. However, you can create a two-interface host and let iptables handle traffic going through the device, basically getting you a perimeter firewall that can control traffic going through it.

Perimeter firewall appliances (e.g. Cisco ASA, Sonicwall, Checkpoint) are devices that sit on the perimeter of the network. These devices also allow ports/protocols into the internal networks, plus they will also handle controlling outbound traffic and address translation, and usually they do VPN termination (where a client connects to the edge device and has access to all internal hosts). The perimeter devices can get expensive too.

The idea behind any successful firewall setup is to be as restrictive as possible. If you only want to publish a www server to the public, then all you want to allow through is port 80 traffic to that one host. No need to open up a large range of services if they are never going to be used....

Most firewall setups include the creation of 'security zones'. The 'public' zone is outside the network and is never to be trusted. The 'inside' zone is the internal LAN and can be trusted. The 'DMZ' is a zone set up in between the inside and outside where hosts that will service the public are usually placed. One would usually only allow traffic from the public into the DMZ... never directly into the inside if it can be avoided.

The ports that need to be opened depend on the applications you want to publish. Most are fairly well known... port 80 = www, 443 = https, 25 = smtp, but ports can be configured differently depending on your needs. Again, only open ports for traffic that you want to allow. If you're not running a web server, don't open port 80.

There are many books written on this subject that go into much more detail than what I can do here in a few paragraphs. That little bit that I wrote could easily be expanded into several essays.

So if you want to learn about this, get ready to start reading:
http://www.windowsnetworking.com/articles_tutorials/Firewalls-101.html
http://www.iamwhen.com/archives/90-Computer-Security-101-Part-7-Personal-Firewall.html
http://www.informit.com/articles/article.aspx?p=170452
http://www.firewalls.com/blog/firewalls-101-the-hardware-firewall-explained.html

That's just for starters....

The ports you need to open depend on the services you want to publish.  
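Putting the advice above against the netstat in the question, as an added example (this is not code from the thread or from either commenter): the first function turns `netstat -tnlupan` output into a list of what is actually listening, and the second emits a default-deny iptables INPUT chain for a single-interface host that publishes ssh to everyone and NFS to the LAN only. The LAN prefix 192.168.122.0/24, the NFS port list and the /etc/sysconfig/nfs variable names are assumptions for a Red Hat style box; the netstat sample is copied from the question.

```shell
#!/bin/sh
# Added example, not code from the thread: (1) list what is really listening
# from "netstat -tnlupan" output, (2) emit a default-deny iptables INPUT chain
# for a single-interface host that publishes ssh to everyone and NFS to the
# LAN only. The LAN prefix, the NFS port list and the /etc/sysconfig/nfs
# variable names are assumptions for a Red Hat style box.

IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of loading them

# Constructed sample: the socket table from the question, including the
# ESTABLISHED ssh session, which must not be mistaken for a listener.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:932                 0.0.0.0:*                   LISTEN      1598/rpc.statd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1562/portmap
tcp        0      0 :::22                       :::*                        LISTEN      1802/sshd
tcp        0      0 ::ffff:192.168.122.252:22   ::ffff:192.168.122.1:41174  ESTABLISHED 967/0
udp        0      0 0.0.0.0:58624               0.0.0.0:*                               1903/avahi-daemon:
udp        0      0 0.0.0.0:926                 0.0.0.0:*                               1598/rpc.statd
udp        0      0 0.0.0.0:929                 0.0.0.0:*                               1598/rpc.statd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1445/dhclient
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1903/avahi-daemon:
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1562/portmap
udp        0      0 :::52312                    :::*                                    1903/avahi-daemon:
udp        0      0 :::5353                     :::*                                    1903/avahi-daemon:'

# Print "proto port program" once per listening socket read from stdin.
# TCP counts only in LISTEN state; UDP has no state, so every UDP socket is a
# listener. A v4 and a v6 listener on the same port collapse to one line.
listening_ports() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
        port = $4; sub(/.*:/, "", port)         # keep only what follows the last colon
        prog = $NF; sub(/^[0-9]+\//, "", prog)  # drop the "PID/" prefix
        sub(/:$/, "", prog)                     # "avahi-daemon:" -> "avahi-daemon"
        print $1, port, prog
    }' | sort -u
}

# Default-deny INPUT for the lab host. ACCEPT rules go in first and the DROP
# policy is set last, so a typo halfway through cannot lock you out; still,
# run it from the console the first time, not over the ssh session it filters.
host_firewall() {
    lan=${1:-192.168.122.0/24}   # assumed LAN prefix allowed to mount NFS

    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT        # sshd, from anywhere
    # NFS: portmap (111) and nfsd (2049) are fixed numbers. rpc.statd, lockd
    # and mountd pick random ports (932, 926, 929 in the netstat above), so
    # they cannot be allowed until pinned, e.g. STATD_PORT, LOCKD_TCPPORT,
    # LOCKD_UDPPORT and MOUNTD_PORT in /etc/sysconfig/nfs; add those here too.
    for port in 111 2049; do
        $IPT -A INPUT -s "$lan" -p tcp --dport "$port" -j ACCEPT
        $IPT -A INPUT -s "$lan" -p udp --dport "$port" -j ACCEPT
    done
    # Nothing above admits 5353 (avahi) or 68 (dhclient). avahi is the case for
    # stopping the service rather than opening its port; if lease renewal
    # breaks once the policy is DROP, add "-p udp --sport 67 --dport 68".
    # Log what falls through, rate limited, then let the policy drop it.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP "
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP     # one interface: nothing should be routed through
    $IPT -P OUTPUT ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    host_firewall "${2:-}"      # sh fw.sh apply [lan-prefix]  (needs root)
else
    echo "# listening sockets:"
    printf '%s\n' "$NETSTAT_SAMPLE" | listening_ports
    echo "# dry run of the ruleset:"
    IPT=echo
    host_firewall
fi
```

Run it with no arguments to see the listener list and the rules it would load; `sh fw.sh apply` loads them for real. The point the listing makes is that the three rpc.statd ports are not something you can sensibly "let through": they change on every boot, so the choice is either to pin them and allow the pinned numbers, or to not export NFS beyond the LAN at all.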


Commented:
On all the firewalls I set up, I let the following services out to the internet from the users:

ports 22, 80, 443.
Your public servers will need to be able to talk on ports 25 and 53 to send mail and do DNS.

For companies that use FTP you need to allow 21. That is about it.

Now if you have a firewall between servers in your network you are going to need a lot more ports.

Port 445 is for network file sharing, and then port 53 is for DNS, 25 for mail, ... I could go on. You just need to know what services are NEEDED for company usage. Yeah, I want UDP port 554, but that is for streaming video and in most cases wastes company bandwidth and is blocked.

When I set up a firewall, I determine what servers I have, and then what ports they use. Then I only allow connections on those ports, to those servers.

Say I have an FTP server; I would only allow access to that server on TCP ports 20 and 21.
Your DNS server only needs UDP port 53 allowed to it.

Best practice states that you should block everything, then allow each service (or port) on a need basis.

Once you block all the ports, you can usually look at your firewall logs and see what ports are trying to be used.
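The "block everything, then read the logs" step above, as an added example (not code from the thread or the commenter): with the leftovers of a default-deny INPUT chain sent to the iptables LOG target, this summarises the dropped traffic from the kernel lines in /var/log/messages, then separates drops from your own LAN (a client you may have forgotten) from drops from strangers (probes, never a reason to open a port). The `FW-DROP ` log prefix and the 192.168.122.0/24 lab LAN are assumptions; the log lines are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the thread: once INPUT is default-deny and the
# leftovers go to the LOG target, summarise the dropped traffic from the
# kernel lines in /var/log/messages. The "FW-DROP " log prefix and the
# 192.168.122.0/24 lab LAN are assumptions.

# Constructed sample lines in iptables LOG format (not real traffic); the last
# line is an unrelated sshd message that must be ignored.
LOG_SAMPLE='Mar  3 10:15:02 localhost kernel: FW-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.168.122.1 DST=192.168.122.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4120 DF PROTO=TCP SPT=41188 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:04 localhost kernel: FW-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.168.122.1 DST=192.168.122.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4121 DF PROTO=TCP SPT=41189 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:10 localhost kernel: FW-DROP IN=eth0 OUT= MAC=01:00:5e:00:00:fb:52:54:00:aa:bb:cc:08:00 SRC=192.168.122.77 DST=224.0.0.251 LEN=90 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=70
Mar  3 10:15:12 localhost kernel: FW-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=10.9.8.7 DST=192.168.122.252 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=31337 PROTO=TCP SPT=55123 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:13 localhost sshd[1802]: Accepted publickey for root from 192.168.122.1 port 41174 ssh2'

# Print "count PROTO DPT SRC" per distinct (protocol, destination port, source),
# busiest first. Only lines carrying the LOG prefix are considered; the
# key=value fields are picked out by name so field positions do not matter.
dropped_summary() {
    awk '/FW-DROP/ {
        proto = ""; dpt = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
        }
        if (proto != "" && dpt != "") count[proto " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Keep only summary lines whose source (4th column) is outside the given
# prefix. A LAN client hitting a closed port may be a service you forgot to
# allow; a stranger hitting 445 is a probe and never a reason to open anything.
outside_lan() {
    awk -v p="$1" 'index($4, p) != 1'
}

echo "# dropped, busiest first:"
printf '%s\n' "$LOG_SAMPLE" | dropped_summary
echo "# of which from outside the lab LAN:"
printf '%s\n' "$LOG_SAMPLE" | dropped_summary | outside_lan 192.168.122.
```

On a real box replace the sample with `grep FW-DROP /var/log/messages | dropped_summary`. In the constructed data the two 2049/tcp drops from 192.168.122.1 are the LAN client trying to mount NFS before the rule for it existed, the 5353 line is avahi chatter that should stay blocked, and the 445 SYN from 10.9.8.7 is exactly the kind of entry the logs will fill with once the policy is DROP; none of the three is answered by opening a port, only the first by deciding whether you meant to publish NFS.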

Author

Commented:
Grasshopper very impressed.

Teacher very old :)

Teacher actually very smart.  Very good answer
