Computers using the IP (Internet Protocol) require specific ports to communicate with each other based upon the type of network traffic that is being sent and/or received. The ports are classified as either TCP or UDP ports.
TCP Ports
TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
TCP stands for Transmission Control Protocol. It is described in STD-7/RFC-793. TCP is a connection-oriented protocol that is responsible for reliable communication between two end processes. The unit of data transferred is called a stream, which is simply a sequence of bytes.
UDP Ports
A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It is used primarily for broadcasting messages over a network.
UDP stands for User Datagram Protocol. It is described in STD-6/RFC-768 and provides a connectionless host-to-host communication path. UDP has minimal overhead: each packet on the network is composed of a small header and user data. It is called a UDP datagram.
See www.laynetworks.com/Comparative%20analysis_TCP%20Vs%20UDP.htm for further details.
Security
Leaving all of your TCP/IP and UDP/IP ports open is an extremely large security hole, since specific ports are frequently attacked by viruses and worms. Hence, a firewall is used to close up all of the ports, except those ports that are absolutely necessary for your network traffic. In Fedora, the firewall is provided by iptables, which can be configured with the firewall configuration file /etc/sysconfig/iptables. This computer is to be setup as a server with the following active network services/applications:
| Service/Application | Linux Program | Required Ports (TCP) | Required Ports (UDP) |
| Bittorrent | bittorrent | 6881:6999 | 6881 |
| E-Mail Server | sendmail | 25 | - |
| Network File Systems | nfs | 111, 2049, 4000:4003 | 111, 2049, 4000:4003 |
| POP3 Server | dovecot | 110 | - |
| rsync Server | rsync | 873 | - |
| Samba Server | smb, nmb | 139 | 137:138 |
| Secure Shell Login | ssh | 22 | - |
| Secure FTP Server | vsftp | 220 | - |
| Web Server (Apache) | httpd | 80 | - |
| SSL Web Server | httpd | 443 | - |
There are some subtleties here, the largest being that I am not opening TCP port 445 for the Samba server. TCP port 445 is only necessary if you are running winbind, because you then need to request user and system information from different database services (such as NIS or DNS), where resolving user and group information from a Windows NT server is necessary. This is something I do not need, and since port 445 has become the target of LSASS-exploiting worms such as Sasser and Korgo (www.linklogger.com/TCP445.htm), I'm keeping it shut. The exact ports to be opened for NFS depend on whether the computer is serving NFS files or just acting as a client. I will discuss these details in each service's and application's respective section, but suffice it to say that with the above knowledge it is worth poking the holes in the firewall now. If there is a problem when the services and applications are actually configured, at least it will not be because the firewall refuses to let the network connection be established (a common mistake).
Edit the firewall configuration file using sudo:
~> sudo emacs /etc/sysconfig/iptables
I will not go into details here about the syntax for adding firewall rules to iptables; it's complicated. Very. Just make sure that the following lines are present. This will open the necessary TCP and UDP ports for the aforementioned services and applications. Also, note that the syntax has changed slightly compared to Fedora 8.
# Allow ssh Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Allow sendmail Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# Allow Web Server (http/https) Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Allow POP3 Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
# Allow NFS Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
# Allow vsftp Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 220 -j ACCEPT
# Allow rsync Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT
# Allow Samba Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137:138 -j ACCEPT
# Allow Bittorrent Connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6881:6999 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 6881 -j ACCEPT
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Make sure that these last three lines are indeed the very last lines of the file: iptables evaluates a chain top to bottom, so any rule placed after the catch-all REJECT rules is never reached and is effectively ignored. Save and exit.
Now it is time to restart the firewall using iptables.
~> sudo service iptables restart
You should see the daemon successfully stop and restart:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
If you want to check to see if the ports are open, use the nmap command:
~> nmap localhost
You will then be given a list of open ports:
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-06 12:36 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1683 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
873/tcp open rsync
2049/tcp open nfs
3306/tcp open mysql
4000/tcp open remoteanything
4002/tcp open mlchat-proxy
8000/tcp open http-alt
Nmap finished: 1 IP address (1 host up) scanned in 0.1 seconds
That's it! iptables is now properly configured for the above services and applications.
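As a closing check (added here, not part of the original tutorial), the Python script below audits a saved ruleset against the service table the way a reviewer would: it walks the INPUT chain in order, reports any required port that no ACCEPT rule opens, lists rules placed after the catch-all REJECT (they are never reached, which is why those lines must stay last), and compares the ports the nmap localhost scan reported with what the firewall actually opens. That comparison matters because the stock Fedora ruleset accepts everything arriving on the loopback interface (an assumption here; that line is not among those quoted above), so a scan of localhost lists whatever is listening, 445, 631, 3306 and 8000 included, rather than what another host can reach; scan from a second machine to confirm the outside view. The rule text, the service table and the listening ports are transcribed from this page into constants; the Bittorrent UDP rule is deliberately moved below the REJECT to show what a misplaced rule looks like, and every function and constant name is mine.

```python
import re

# Constructed sample ruleset: the lines the page requires, plus a loopback
# accept the stock Fedora ruleset carries (assumption; not quoted on the page),
# with the Bittorrent UDP rule deliberately misplaced after the catch-all REJECT.
RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 220 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137:138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6881:6999 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m udp -p udp --dport 6881 -j ACCEPT
COMMIT
"""

# Required ports per service as (tcp, udp), written the way the page's table does.
SERVICES = {
    "ssh": ("22", "-"), "sendmail": ("25", "-"), "httpd": ("80, 443", "-"),
    "dovecot": ("110", "-"), "nfs": ("111, 2049, 4000:4003", "111, 2049, 4000:4003"),
    "vsftp": ("220", "-"), "rsync": ("873", "-"), "samba": ("139", "137:138"),
    "bittorrent": ("6881:6999", "6881"),
}
# TCP ports the page's nmap localhost run reported as open.
LISTENING_TCP = [22, 25, 80, 110, 111, 139, 443, 445, 631, 873,
                 2049, 3306, 4000, 4002, 8000]

DPORT = re.compile(r"-p (tcp|udp) .*--dport (\d+)(?::(\d+))?")
CATCH_ALL = re.compile(r"^-A INPUT -j (REJECT|DROP)\b")


def port_ranges(spec):
    """'111, 2049, 4000:4003' -> [(111, 111), (2049, 2049), (4000, 4003)]."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if item and item != "-":
            low, _, high = item.partition(":")
            ranges.append((int(low), int(high or low)))
    return ranges


def parse_input_chain(rules_text):
    """Walk the INPUT chain top to bottom, as the kernel does.

    Returns ({"tcp": ranges, "udp": ranges} opened by ACCEPT rules that sit
    before the catch-all REJECT/DROP, the INPUT rules that come after it and
    therefore never match, and whether loopback traffic is accepted outright).
    """
    allowed, unreachable = {"tcp": [], "udp": []}, []
    loopback_open = terminated = False
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue  # other chains and COMMIT are outside the INPUT chain
        if terminated:
            unreachable.append(line)
        elif CATCH_ALL.match(line):
            terminated = True
        elif line.endswith("-j ACCEPT"):
            if " -i lo " in line:
                loopback_open = True
            m = DPORT.search(line)
            if m:
                low = int(m.group(2))
                allowed[m.group(1)].append((low, int(m.group(3) or low)))
    return allowed, unreachable, loopback_open


def covered(port, ranges):
    return any(low <= port <= high for low, high in ranges)


def missing_ports(services, allowed):
    """(service, proto, port) the table requires but no live ACCEPT rule opens."""
    return [(name, proto, port)
            for name, specs in services.items()
            for proto, spec in zip(("tcp", "udp"), specs)
            for low, high in port_ranges(spec)
            for port in range(low, high + 1)
            if not covered(port, allowed[proto])]


def not_firewalled(listening, allowed_tcp):
    """Listening TCP ports the INPUT chain does not open to other hosts."""
    return [p for p in listening if not covered(p, allowed_tcp)]


if __name__ == "__main__":
    allowed, dead, lo_open = parse_input_chain(RULES)
    print("required but not opened:", missing_ports(SERVICES, allowed))
    print("rules after the catch-all REJECT (never reached):", dead)
    print("listening but closed to other hosts:",
          not_firewalled(LISTENING_TCP, allowed["tcp"]))
    if lo_open:
        print("lo is accepted outright: nmap localhost shows what listens, "
              "not what the firewall exposes")
```

Run it as-is and it reports the misplaced Bittorrent UDP rule as both "required but not opened" and "never reached", and flags 445, 631, 3306 and 8000 as services that answer on localhost but are not opened by the firewall; the same script pointed at the real file (sudo cat /etc/sysconfig/iptables) and the real scan output is a quick way to catch a rule that slipped below the REJECT lines.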