optics.csufresno.edu

F12 Security Firewall

Department of Electrical and Computer Engineering
Associate Professor Gregory R. Kriehn

Computers using the IP (Internet Protocol) require specific ports to communicate with each other based upon the type of network traffic that is being sent and/or received. The ports are classified as either TCP or UDP ports.

TCP Ports

TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

TCP stands for Transmission Control Protocol. It is described in STD-7/RFC-793. TCP is a connection-oriented protocol that is responsible for reliable communication between two end processes. The unit of data transferred is called a stream, which is simply a sequence of bytes.

UDP Ports

UDP is a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error-recovery services, offering instead a direct way to send and receive datagrams over an IP network. It is used primarily for broadcasting messages over a network.

UDP stands for User Datagram Protocol. It is described in STD-6/RFC-768 and provides a connectionless host-to-host communication path. UDP has minimal overhead: each packet on the network is composed of a small header and user data. It is called a UDP datagram.

See www.laynetworks.com/Comparative%20analysis_TCP%20Vs%20UDP.htm for further details.
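To make the difference between the two port types concrete, here is a small added example (not part of the original page) that runs both exchanges over the loopback interface: a TCP echo, which needs a connection before any bytes move, and a UDP echo, which needs none. The port numbers are chosen by the kernel at run time (bind to port 0), so no real service port is touched; the message strings are constructed for the demonstration.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback only: nothing here listens on a real interface


def tcp_echo_once(message=b"hello over tcp\n"):
    """TCP: listen/accept on one side and connect on the other set up a
    connection before any data flows; the reply is an in-order byte stream
    with no message boundary, so both sides read until EOF."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))            # port 0: let the kernel pick an unused port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _peer = srv.accept()
        with conn:
            data = b""
            while True:            # read the whole stream up to the client's EOF
                chunk = conn.recv(1024)
                if not chunk:
                    break
                data += chunk
            conn.sendall(data)     # echo it back, then close (EOF for the client)

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection((HOST, port), timeout=5) as cli:
        cli.sendall(message)
        cli.shutdown(socket.SHUT_WR)   # we are done sending; server sees EOF
        reply = b""
        while True:
            chunk = cli.recv(1024)
            if not chunk:
                break
            reply += chunk
    worker.join(5)
    srv.close()
    return port, reply


def udp_echo_once(message=b"hello over udp"):
    """UDP: no connection is set up. The client hands the kernel one datagram
    addressed to host:port and the server answers whoever sent it; each
    datagram arrives whole or not at all."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))
    srv.settimeout(5)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(5)
    try:
        cli.sendto(message, (HOST, port))   # no connect(): just address it
        data, peer = srv.recvfrom(1024)
        srv.sendto(data, peer)
        reply, _ = cli.recvfrom(1024)
    finally:
        srv.close()
        cli.close()
    return port, reply


def udp_send_to_closed_port(message=b"anyone there?"):
    """Send a datagram to a port nobody listens on. sendto() still reports the
    bytes handed to the kernel: the sender gets no delivery guarantee, and any
    ICMP port-unreachable comes back (if at all) asynchronously."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind((HOST, 0))
    port = probe.getsockname()[1]
    probe.close()                  # nothing listens on this port now
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return cli.sendto(message, (HOST, port))
    finally:
        cli.close()


if __name__ == "__main__":
    print("tcp:", tcp_echo_once())
    print("udp:", udp_echo_once())
    print("udp bytes accepted for a closed port:", udp_send_to_closed_port())
```

The last function is the reason UDP ports are harder to audit than TCP ports: a TCP connect to a closed port fails immediately, while a UDP datagram to a closed port is silently accepted by the sending kernel, which is also why nmap reports an unanswered UDP probe as open|filtered rather than closed.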

Security

Leaving all of your TCP/IP and UDP/IP ports open is an extremely large security hole, since specific ports are frequently attacked by viruses and worms. Hence, a firewall is used to close all of the ports except those that are absolutely necessary for your network traffic. In Fedora, the firewall is provided by iptables, which is configured through the file /etc/sysconfig/iptables. This computer is to be set up as a server with the following active network services/applications:

Service/Application      Linux Program   Required Ports (TCP)   Required Ports (UDP)
BitTorrent               bittorrent      6881:6999              6881
E-Mail Server            sendmail        25                     -
Network File System      nfs             111, 2049, 4000:4003   111, 2049, 4000:4003
POP3 Server              dovecot         110                    -
rsync Server             rsync           873                    -
Samba Server             smb, nmb        139                    137:138
Secure Shell Login       ssh             22                     -
Secure FTP Server        vsftp           220                    -
Web Server (Apache)      httpd           80                     -
SSL Web Server           httpd           443                    -

There are some subtleties here, the largest being that I am not using TCP port 445 for the Samba server. TCP port 445 is only necessary if you are running winbind, because you then need to request user and system information from different database services (such as NIS or DNS) in order to resolve user and group information from a Windows NT server. This is something I do not need, and since port 445 has become the target of LSASS-exploiting worms like Sasser and Korgo (www.linklogger.com/TCP445.htm), I'm keeping it shut. The exact ports to be opened for NFS depend on whether the computer is serving NFS files or just acting as a client. I will discuss these details in each service's and application's respective section, but suffice it to say that with the above knowledge it is useful to poke holes in the firewall now. If there is a problem when the services and applications are actually configured, at least it will not be because the firewall will not allow the network connection to be established (which is a common mistake).

Edit the firewall configuration file using sudo:
~> sudo emacs /etc/sysconfig/iptables
I will not go into the details of the syntax for adding firewall rules to iptables here; it is complicated. Very. Just make sure that the following lines are present. They open the necessary TCP and UDP ports for the aforementioned services and applications. Also note that the syntax has changed slightly compared to Fedora 8.
# Allow ssh Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Allow sendmail Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

# Allow Web Server (http/https) Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Allow POP3 Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT

# Allow NFS Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT

# Allow vsftp Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 220 -j ACCEPT

# Allow rsync Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT

# Allow Samba Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137:138 -j ACCEPT

# Allow Bittorrent Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6881:6999 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 6881 -j ACCEPT

-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Make sure that the last three lines are indeed the very last three lines of the file, unless you want some of your firewall rules to be ignored: iptables stops at the first rule that matches, so any ACCEPT rule placed after the catch-all REJECT is never reached. Save and exit.

Now it is time to restart the iptables service so the new rules are loaded.
~> sudo service iptables restart
You should see the daemon successfully stop and restart:
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
If you want to check whether the ports are open, use the nmap command:
~> nmap localhost
You will then be given a list of open ports:
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-06 12:36 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1683 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
631/tcp  open  ipp
873/tcp  open  rsync
2049/tcp open  nfs
3306/tcp open  mysql
4000/tcp open  remoteanything
4002/tcp open  mlchat-proxy
8000/tcp open  http-alt

Nmap finished: 1 IP address (1 host up) scanned in 0.1 seconds
That's it! iptables is now properly configured for the above services and applications.
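Two checks a practitioner would want after editing the file are easy to automate: that no ACCEPT rule has slipped below the catch-all REJECT (where it would be ignored, as noted above), and that the ports nmap reports as open are exactly the ones the rule set intends. The following added example (not code from the original page) does both against the page's own rule fragment and its own nmap listing, both embedded here as constructed samples; the Fedora file header and the stock rules that precede the fragment are not part of the sample. One caveat on the scan itself: on a stock Fedora rule set, which accepts everything arriving on the loopback interface (an assumption about the part of the file the page does not show), scanning localhost lists every listening service rather than what the firewall exposes to the network, which is why the listing above shows 445, 631, 3306 and 8000 open with no ACCEPT rule for them. Scanning from another host is the real test.

```python
import re

# Constructed sample: the INPUT rules and closing lines from the
# /etc/sysconfig/iptables fragment above (copied from the page).
RULES_FROM_PAGE = """\
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 220 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137:138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6881:6999 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 6881 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: the 'nmap localhost' port listing shown above.
NMAP_FROM_PAGE = """\
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
631/tcp  open  ipp
873/tcp  open  rsync
2049/tcp open  nfs
3306/tcp open  mysql
4000/tcp open  remoteanything
4002/tcp open  mlchat-proxy
8000/tcp open  http-alt
"""

ACCEPT_RE = re.compile(r"-A INPUT .*-p (tcp|udp) --dport (\d+)(?::(\d+))? -j ACCEPT$")
CATCHALL_RE = re.compile(r"-A INPUT -j (REJECT|DROP)\b")   # terminating catch-all
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def parse_rules(text):
    """Walk the INPUT chain in file order. Returns (allowed, shadowed, commit_last):
    allowed     - set of (proto, port) accepted for NEW connections
    shadowed    - ACCEPT rules placed after the catch-all REJECT/DROP; iptables
                  stops at the first terminating match, so they never fire
    commit_last - True if COMMIT is the final non-blank line"""
    allowed, shadowed = set(), []
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.strip().startswith("#")]
    terminated = False
    for ln in lines:
        if CATCHALL_RE.match(ln):
            terminated = True
            continue
        m = ACCEPT_RE.match(ln)
        if not m:
            continue                     # FORWARD rules, non-port rules, etc.
        if terminated:
            shadowed.append(ln)
            continue
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)       # "a:b" is a port range, "a" a single port
        allowed.update((m.group(1), p) for p in range(lo, hi + 1))
    return allowed, shadowed, bool(lines) and lines[-1] == "COMMIT"


def parse_nmap(text):
    """Return {(proto, port): service} for every port nmap lists as open."""
    found = {}
    for ln in text.splitlines():
        m = NMAP_RE.match(ln.strip())
        if m:
            found[(m.group(2), int(m.group(1)))] = m.group(3)
    return found


def unexpected_open(allowed, found):
    """Open ports that no ACCEPT rule covers: services to stop, or to add a
    deliberate rule for if they really are wanted."""
    return {k: v for k, v in found.items() if k not in allowed}


if __name__ == "__main__":
    allowed, shadowed, commit_last = parse_rules(RULES_FROM_PAGE)
    print("shadowed rules:", shadowed or "none", "| COMMIT last:", commit_last)
    for (proto, port), svc in sorted(unexpected_open(allowed, parse_nmap(NMAP_FROM_PAGE)).items()):
        print(f"open but not allowed: {port}/{proto} ({svc})")
```

To use it on a live box, replace the two constructed strings with the contents of /etc/sysconfig/iptables and the output of nmap run from a second machine; the parser only understands the `-p proto --dport N` and `--dport A:B` forms used on this page, which is all the fragment above needs.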