Are ports above 1024 closed by default ?

firefox211 · October 30, 2008, 1:36pm

Hi guys,

Just needed to know if all the ports above 1024 are closed by default. I know that below 1024 the ports are reserved for the kernel and ports above 1024 are reserved for user applications.

But by default, if I do not have a rule in my firewall to block ports above 1024, Will my system accept incoming or outgoing traffic?. (I think outgoing YES).

I am running CentOS 4.x

Thanks for reading !!

jim_mcnamara · October 30, 2008, 2:08pm

RFC 1700 does not seem to think the way you do about ports -
http://www.ietf.org/rfc/rfc1700.txt

Do you not have a default action for ports? Maybe your filrewall has one builtin.

firefox211 · October 30, 2008, 2:28pm

I have the following rule in my firewall to deny all ports which we do not need upto 1024.

-A INPUT -p udp --dport 0:1024 -j REJECT
-A INPUT -p tcp --dport 0:1024 -j REJECT

Do I need to have a rule to deny all port above 1024 ? Or are they blocked by default ?

Thanks

nobo · October 31, 2008, 6:25am

Nothing is blocked by default.

To see what processes are listening on what ports, use netstat, eg for a telephony server @ my shop:

[root@server ~]# netstat -tlnp | head -5
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      PID/Program name
tcp        0      0 0.0.0.0:199                 0.0.0.0:*                   LISTEN      30962/snmpd
tcp        0      0 0.0.0.0:8009                0.0.0.0:*                   LISTEN      6051/java
tcp        0      0 0.0.0.0:4201                0.0.0.0:*                   LISTEN      6051/java
[root@server ~]# netstat -ulnp | head -5
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      PID/Program name
udp        0      0 0.0.0.0:19342               0.0.0.0:*      6123/asterisk
udp        0      0 0.0.0.0:19343               0.0.0.0:*      6123/asterisk
udp        0      0 0.0.0.0:161                 0.0.0.0:*      30962/snmpd
[root@server ~]#

As you can see, this is listening on ports over 1024. There are many other things to notice. 'man netstat' for more options.

This is much more important than your firewall. Turn off all but unneccessary services. For instance, I betcha that "cupsd" is running. You don't want that unless the box in question is a printserver, listening on the IP associated w/the configured interface.

As to your firewall, you're going about the whole thing the wrong way. You want to DROP packets by default, then add your allow rules. To this end, this is typically found at the beginning of a firewall script / config file:

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]

BTW, "DROP" is pref'd over "REJECT". REJECT returns a "nobody home". DROP drops the packets silently. Suggest you man iptables. Google the "Unreliable Guides" by the module's author. Also, there are many sample firewalls out there.

regards
nobo

firefox211 · October 31, 2008, 2:55pm

Thanks nobo !