linux - Opening firewall to incoming port 443

2014-04-07
  • jrdioko

    I recently set up the ufw firewall on a Linux machine so that outgoing connections are allowed, incoming connections are denied, and denied connections are logged. This seems to work fine for most cases, but I see many denied connections that are incoming on port 443 (many with IPs associated with Facebook).

    I can open that port to incoming connections, but first wanted to ask what these could be. Shouldn't HTTPS requests be initiated by me and be treated as outbound, not inbound connections? Is it typical to open incoming port 443 on consumer firewalls?

    An example log entry:

    [UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=66.220.151.87 DST=192.168.1.32 LEN=473 TOS=0x00 PREC=0x00 TTL=83 ID=59450 DF PROTO=TCP SPT=443 DPT=58530 WINDOW=33 RES=0x00 ACK PSH URGP=0
    
  • Answers
  • Paul

    The packets you are seeing are response packets:

    PROTO=TCP SPT=443 DPT=58530
    

    Note the SPT - source port - is 443. When you are accessing a remote https site, you are sending packets with a DPT - destination port - of 443, any replies you get from that site will originate from their IP and from source port 443.

    By far and away the most common reason for seeing these packets is after you close a session to the remote site, and your firewall observes this and clears the session from its table of active connections. Sometimes due to timing, or poor implementation of TCP at the remote end, or duplicate packets, or load balancers sending the same reply, you can get extra packets for a session after the close sequence has completed.

    Your firewall doesn't have an active session for these packets to match any more, and so they are dropped, and logged as you are seeing them.

    They can be safely ignored. Do not adjust your firewall to permit these packets, as it opens unnecessary holes in your security.
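The distinction Paul draws (source port 443 plus ACK on a packet addressed to a high, ephemeral port means a straggling reply, not someone connecting in) can be checked mechanically before deciding whether a log line is worth attention. The following Python is an added example, not code from the question or the answer: it parses `[UFW BLOCK]` lines in the key=value shape shown above and sorts them into late replies, genuine inbound connection attempts (SYN without ACK), and everything else. The first sample line is the entry from the question; the other sample lines, the documentation-range IPs and the placeholder MAC are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample log: line 1 is the entry from the question; the rest are
# made-up entries (documentation IPs, placeholder MAC) to exercise each branch.
SAMPLE_LOG = """\
[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=66.220.151.87 DST=192.168.1.32 LEN=473 TOS=0x00 PREC=0x00 TTL=83 ID=59450 DF PROTO=TCP SPT=443 DPT=58530 WINDOW=33 RES=0x00 ACK PSH URGP=0
[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=66.220.151.87 DST=192.168.1.32 LEN=40 TOS=0x00 PREC=0x00 TTL=83 ID=59451 DF PROTO=TCP SPT=443 DPT=58530 WINDOW=33 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=203.0.113.5 DST=192.168.1.32 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=198.51.100.9 DST=192.168.1.32 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=443 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=192.0.2.7 DST=192.168.1.32 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=53 DPT=40321 LEN=58
"""

# Bare words the kernel log emits for TCP/IP flags (no '=' after them).
FLAG_WORDS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "DF", "MF"}
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass(frozen=True)
class BlockedPacket:
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: FrozenSet[str]


def parse_ufw_line(line: str) -> BlockedPacket:
    """Split one UFW/iptables log line into the fields the verdict needs."""
    # Later duplicates win, e.g. the UDP line carries two LEN= fields; we do
    # not use LEN so that is harmless here.
    fields = dict(KV_RE.findall(line))
    tokens = set(line.split())
    flags = frozenset(f for f in FLAG_WORDS if f in tokens)

    def port(key: str) -> Optional[int]:
        return int(fields[key]) if key in fields and fields[key] else None

    return BlockedPacket(
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", "?"),
        spt=port("SPT"),
        dpt=port("DPT"),
        flags=flags,
    )


def classify(pkt: BlockedPacket) -> str:
    """Apply the reasoning from the answer to a single blocked packet."""
    if pkt.proto != "TCP":
        return "non-tcp"  # no handshake flags to reason about
    if "SYN" in pkt.flags and "ACK" not in pkt.flags:
        # A bare SYN is a new connection request aimed at DPT: this is the
        # only kind of line that says something about your exposed ports.
        return "inbound-connection-attempt"
    if ("ACK" in pkt.flags and pkt.spt is not None and pkt.dpt is not None
            and pkt.spt < 1024 and pkt.dpt >= 1024):
        # Reply from a well-known service port to one of our ephemeral
        # ports, after the firewall forgot the session: the case described.
        return "late-reply"
    return "other"


def summarize(log_text: str) -> Dict[str, int]:
    """Count verdicts over a block of log text."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue
        verdict = classify(parse_ufw_line(line))
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def connection_attempts(log_text: str) -> List[Tuple[str, int]]:
    """(source IP, destination port) for every real inbound connection try."""
    out = []
    for line in log_text.splitlines():
        pkt = parse_ufw_line(line)
        if "[UFW BLOCK]" in line and classify(pkt) == "inbound-connection-attempt":
            out.append((pkt.src, pkt.dpt))
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(connection_attempts(SAMPLE_LOG))
```

On a real machine the input would be `journalctl -k` or `/var/log/ufw.log`; the verdicts are a triage aid, not proof. A source port of 443 on a packet that also carries SYN (the fourth sample line) is still a connection attempt, whatever the port number suggests, and the late-reply heuristic assumes the remote service sits on a port below 1024.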


  • Related Question

    Is opening ports in the firewall bad?
  • Steven

    From what little I know about networking, opening ports lets external data get sent in. But how that data is handled is entirely up to the applications running on my machine. So if I'm not running any malicious applications, there should be nothing wrong with disabling the firewall, right? Also, how do applications work when ports aren't forwarded? For example, I need to forward port TCP 6112 to host Blizzard games, but I've heard that HTTP uses port 80, but I haven't forwarded that port, yet Firefox still works. Btw I'm using Windows Vista.


  • Related Answers
  • JMD

    Technically speaking, the only dangerous open port is one on which there is malicious software accepting connections without your knowledge. An open port in your firewall (allowing incoming connection requests) is not a threat at all if there is nothing on your side of the firewall listening for those requests.

    The reality is that we all need to run multi-layered security which includes closing "unnecessary" ports so that they cannot be co-opted by malicious software. I.e. you would never knowingly install malicious software which would answer those inbound connection requests, but that's part of the social engineering aspect of malicious software: finding a way to convince people to install it so that it can find those open ports and hijack them.

    In essence, opening ports isn't "bad", it's just necessary and should only be done individually on a case by case basis.

  • John T

    HTTP uses port 80 for listening on the server side (incoming connections). You aren't hosting a web server, using Firefox to browse is different (outgoing connections). I'd keep the firewall on regardless. You're right in the aspect that an application needs to be listening, but if you download malicious software you've made that aspect even easier for the writer of the software to connect back and communicate with an IRC server for example to control your machine. Since the ports are already open, it can communicate on pretty much any one it wants with the exception of used ports.

    If you're hosting a service (game server for example) you'll need to open ports for other users to connect. Since it's trusted software you have listening for connections there shouldn't be a problem. If you want to be extra cautious though, disable the port forwarding rule in the router when you're done with the server.
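JMD's point (an allowed port only matters when something is listening behind it) and John T's (hosting a game server means deliberately exposing one listener) can be turned into a quick audit: compare what the firewall permits inbound with what is actually listening. The following Python is an added example, not code from any of the answers or from ufw; it parses constructed sample output in the shape of `ufw status` and `ss -tln` (the rule and listener layouts are assumptions about the default table format, and the port numbers, apart from 22 and the 6112 mentioned in the question, are made up) and labels each port as exposed, allowed but idle, loopback-only, or listening but filtered.

```python
import re
from typing import Dict, Set

# Constructed sample in the shape of `ufw status` (assumed default layout;
# real output may carry comments, IPv6 rows and "ALLOW IN" in verbose mode).
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
6112/tcp                   ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Constructed sample in the shape of `ss -tln` (TCP listeners only).
SS_LISTEN = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       128          127.0.0.1:631         0.0.0.0:*
LISTEN  0       4096           0.0.0.0:6112        0.0.0.0:*
LISTEN  0       4096           0.0.0.0:8080        0.0.0.0:*
LISTEN  0       128               [::]:22             [::]:*
"""

RULE_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(?:\(v6\)\s+)?(ALLOW|DENY|REJECT|LIMIT)\b", re.M)
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)
LOOPBACK = {"127.0.0.1", "[::1]"}


def allowed_inbound_tcp(ufw_text: str) -> Set[int]:
    """TCP ports the firewall lets in (ALLOW or rate-limited LIMIT rules)."""
    return {int(port) for port, proto, action in RULE_RE.findall(ufw_text)
            if proto == "tcp" and action in ("ALLOW", "LIMIT")}


def listening_tcp(ss_text: str) -> Dict[int, Set[str]]:
    """Map each listening TCP port to the local addresses it is bound on."""
    listeners: Dict[int, Set[str]] = {}
    for addr, port in LISTEN_RE.findall(ss_text):
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def audit(ufw_text: str, ss_text: str) -> Dict[int, str]:
    """Label every port that is either allowed inbound or listening."""
    allowed = allowed_inbound_tcp(ufw_text)
    listeners = listening_tcp(ss_text)
    report: Dict[int, str] = {}
    for port in sorted(allowed | set(listeners)):
        addrs = listeners.get(port, set())
        if port in allowed and addrs and not addrs <= LOOPBACK:
            # Rule open and a service bound on a non-loopback address:
            # the only combination reachable from outside.
            report[port] = "exposed"
        elif port in allowed:
            # Open rule with nothing (or only loopback) behind it: harmless
            # today, but a leftover rule any later listener would inherit.
            report[port] = "allowed-but-idle"
        elif addrs <= LOOPBACK:
            report[port] = "loopback-only"
        else:
            # Service bound on all interfaces but no rule lets traffic in.
            report[port] = "listening-but-filtered"
    return report


if __name__ == "__main__":
    for port, verdict in audit(UFW_STATUS, SS_LISTEN).items():
        print(f"{port:>5}/tcp  {verdict}")
```

Run against live output (`sudo ufw status` and `ss -tln`, both on Linux; the question's Windows Vista equivalent of the listener list is `netstat -an`), the "exposed" rows are the list to justify one by one, and "allowed-but-idle" rows are the rules worth deleting once a temporary server is gone, which is John T's closing advice.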

  • Peter Mortensen

    Not unless you know what ports and who'll be using the ports.

    Port opening is necessary if you want to do it manually; if not, that's what UPnP is for. But I strongly advise against UPnP.

    I'd like to think manually opening ports is safer than allowing applications to do it for you.