​Hi,


Thanks to all who have been explaining mDNS nssswitch, etc.


I had not realised how 'chatty' our computers have become.


If I go to the local coffee shop and connect my laptop to their WiFi,
which incoming and now outgoing ports should I have blocked to ensure
that no nefarious people are able to communicate with my laptop?



For some of my servers I block all "low ports" 0-1023 for both
incoming and outgoing ports, only opening whatever ports are actually
required (incoming ports for the server's services, outgoing ports for
DNS, software updating, etc). I have left "high ports" 1024-65535
open.



My understanding of networking was:  


Low ports are used for services listening for incoming traffic to
establish communications, high ports are used when comminations with a
service has been established and on going communication will continue
and so it is agreed that the communications will continue on a new,
high port number (ephemeral).  


For example, a request for an FTP transfer will start on port 21, but
the actual transfer/s will be move to using a high port number,
freeing port 21 for listening for new incoming FTP requests.


If my computer's services start communicating on high ports, for
example, mDNS uses port 5353/udp, then I expect I should block these
high ports to/from the Internet. 


Which brings me back to "what ports" are systems today using? mDNS is
news to me, and ignorantly I have never thought of the implications of
UPnP even though I new it existed as a technology.


Hence which high ports should be blocked in the Internet firewall to
outgoing and/or incoming traffic?


I am only familiar with the idea of "low ports" 0-1023 and "high
ports" 1024-65535, dating back to the 1990's, so I guess things
'might' have changed since then.


Previously I only blocked "low ports" 0-1023, and leave high ports not
blocked, but now that services are using ports above 1023, should I be
blocking more ports?



https://en.wikipedia.org/wiki/Port_(computer_networking)
The well-known ports (also known as system ports) are those numbered
from 0 through 1023.
The registered ports are those from 1024 through 49151. IANA maintains
the official list of well-known and registered ranges.[3]
The dynamic or private ports are those from 49152 through 65535. One
common use for this range is for ephemeral ports.

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports



Though I find different interpretations as to the use of various
ports:


https://support.checkpoint.com/results/sk/sk156852
The different type of ports:
    Low: Reserved ports for services that require ports from 600 to
1024.
    High: Ports for general use, from 10,000 to 60,000.
    Extra: Reserved ports for VoIP connections, from 60,000 and
above.



This comment made me smile:
"Ports numbered 64000 (an arbitrary number which might be varied as a
result of experience) or above will not be blocked because, as far as
UIS is aware, these have not so far been used for malicious activities
to any extent. "

https://help.uis.cam.ac.uk/service/network-services/techref/portblocking



Other sources:


https://support.huawei.com/enterprise/en/doc/EDOC1100297670


High-Risk Ports: What Are the Common High-Risk Ports and How to Block
Them


https://support.microsoft.com/en-au/topic/preventing-smb-traffic-from-lateral-connections-and-entering-or-leaving-the-network-c0541db7-2244-0dce-18fd-14a3ddeb282a
Perimeter hardware and appliance firewalls that are positioned at the
edge of the network should block unsolicited communication (from the
internet) and outgoing traffic (to the internet) to the following
ports.


https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-mDNS-Dienste/Offene-mDNS-Dienste_node.html
Multicast DNS (mDNS) is used for resolving host names to IP addresses
within small networks that do not include a local DNS server. It is
implemented e. g. by the Apple 'Bonjour' and Linux/BSD 'Avahi'
(nss-mdns) services. mDNS uses port 5353/udp.


https://www.sprocketsecurity.com/resources/why-no-workstation-needs-inbound-smb Why no Workstation Needs Inbound SMB


https://nordvpn.com/blog/what-is-upnp/
What is UPnP and why you should disable it immediately


https://www.hackercombat.com/the-universal-plug-plays-unending-security-nightmare/
The Universal Plug & Play’s Unending Security Nightmare
What made UPnP vulnerabilities as effective attack surface/loophole is
the tyranny of the default.



George

<html>
<head>
<style type="text/css">
body,p,td,div,span{
font-size:13px; font-family:Arial, Helvetica, sans-serif;
};
body p{
margin:0px;
}
</style>
</head>
<body>
<div>​Hi,</div><div><br></div><div>Thanks to all who have been explaining mDNS nssswitch, etc.</div><div><br></div><div>I had not realised how 'chatty' our computers have become.</div><div><br></div><div>If I go to the local coffee shop and connect my
laptop to their WiFi, which incoming and now outgoing ports should I have blocked to ensure that no nefarious people are able to communicate with my laptop?<br></div><div><br></div><div>For some of my servers I block all "low ports"&nbsp;0-1023 for both
incoming and outgoing ports, only opening whatever ports are actually required (incoming ports for the server's services, outgoing ports for DNS, software updating, etc). I have left "high ports" 1024-65535 open.<br></div><div><br></div><div>My
understanding of networking was:&nbsp;&nbsp;</div><div><br></div><div>Low ports are used for services listening for incoming traffic to establish communications, high ports are used when comminations with a service has been established and on going
communication will continue and so it is agreed that the communications will continue on a new, high port number (ephemeral).&nbsp;&nbsp;</div><div><br></div><div>For example, a request for an FTP transfer will start on port 21, but the actual transfer/s
will be move to using a high port number, freeing port 21 for listening for new incoming FTP requests.</div><div><br></div><div>If my computer's services start communicating on high ports, for example, mDNS uses port 5353/udp, then I expect I should
block these high ports to/from the Internet.&nbsp;</div><div><br></div><div>Which brings me back to "what ports" are systems today using? mDNS is news to me, and ignorantly I have never thought of the implications of UPnP even though I new it existed as
a technology.</div><div><br></div><div><div>Hence which high ports should be blocked in the Internet firewall to outgoing and/or incoming traffic?</div><div><br></div><div>I am only familiar with the idea of "low ports" 0-1023 and "high ports" 1024-65535,
dating back to the 1990's, so I guess things 'might' have changed since then.</div><div><br></div><div>Previously I only blocked "low ports" 0-1023, and leave high ports not blocked, but now that services are using ports above 1023, should I be blocking
more ports?<br></div><div><br></div><div>https://en.wikipedia.org/wiki/Port_(computer_networking)<br>The well-known ports (also known as system ports) are those numbered from 0 through 1023.<br>The registered ports are those from 1024 through 49151. IANA
maintains the official list of well-known and registered ranges.[3]<br>The dynamic or private ports are those from 49152 through 65535. One common use for this range is for ephemeral ports. <br><br>https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_
numbers#Well-known_ports<br></div><div><br></div><div>Though I find different interpretations as to the use of various ports:</div><div><br></div><div>https://support.checkpoint.com/results/sk/sk156852<br>The different type of ports:<br>&nbsp;&nbsp;&nbsp;
Low: Reserved ports for services that require ports from 600 to 1024.<br>&nbsp;&nbsp;&nbsp; High: Ports for general use, from 10,000 to 60,000.<br>&nbsp;&nbsp;&nbsp; Extra: Reserved ports for VoIP connections, from 60,000 and above.<br></div><div><br></

<div>This comment made me smile:</div><div>"Ports numbered 64000 (an arbitrary number which might be varied as a

result of experience) or above will not be blocked because, as far as
UIS is aware, these have not so far been used for malicious activities
to any extent. "<br></div><div>https://help.uis.cam.ac.uk/service/network-services/techref/portblocking<br></div><div><br></div><div>Other sources:</div><div><br></div><div>https://support.huawei.com/enterprise/en/doc/EDOC1100297670<br></div></div><div>
High-Risk Ports: What Are the Common High-Risk Ports and How to Block Them</div><div><br></div><div>https://support.microsoft.com/en-au/topic/preventing-smb-traffic-from-lateral-connections-and-entering-or-leaving-the-network-c0541db7-2244-0dce-18fd-
14a3ddeb282a<br>Perimeter hardware and appliance firewalls that are positioned at the edge of the network should block unsolicited communication (from the internet) and outgoing traffic (to the internet) to the following ports.</div><div><br></div><div>
https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-mDNS-Dienste/Offene-mDNS-Dienste_node.html</div><div>Multicast DNS (mDNS) is used for resolving host names to IP
addresses
within small networks that do not include a local DNS server. It is implemented e. g. by the Apple 'Bonjour' and Linux/BSD 'Avahi'
(nss-mdns) services. mDNS uses port&nbsp;5353/udp.</div><div><br></div><div>https://www.sprocketsecurity.com/resources/why-no-workstation-needs-inbound-smb<br>Why no Workstation Needs Inbound SMB</div><div><br></div><div>https://nordvpn.com/blog/what-is-
upnp/<br>What is UPnP and why you should disable it immediately</div><div><br></div><div>https://www.hackercombat.com/the-universal-plug-plays-unending-security-nightmare/<br>The Universal Plug &amp; Play’s Unending Security Nightmare<br>What made UPnP
vulnerabilities as effective attack surface/loophole is the tyranny of the default. <br></div><div><br></div><div>George</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br>
</div><div><br></div>
</body></html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 8/4/24 06:48, jeremy ardley wrote:

On 4/08/2024 12:26 pm, George at Clug wrote:

If I go to the local coffee shop and connect my laptop to their WiFi,
which incoming and now outgoing ports should I have blocked to ensure
that no nefarious people are able to communicate with my laptop

The rules for public networks are very simple.

- Allow all outgoing traffic

On a laptop, inbound connections should be restricted unless you want
services to be accessible on your laptop by way of FWing and and
securing the services.

Outbound connections is up to you.

--
John Doe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sunday, 04-08-2024 at 16:15 john doe wrote:

On 8/4/24 06:48, jeremy ardley wrote:

On 4/08/2024 12:26 pm, George at Clug wrote:

If I go to the local coffee shop and connect my laptop to their WiFi,
which incoming and now outgoing ports should I have blocked to ensure
that no nefarious people are able to communicate with my laptop

The rules for public networks are very simple.

- Allow all outgoing traffic

On a laptop, inbound connections should be restricted unless you want services to be accessible on your laptop by way of FWing and and
securing the services.

Outbound connections is up to you.

Thanks, John,

I do like the idea of blocking all outbound connections, and only opening ports that are required for whatever services I want to use.

For servers I often do, but for workstations, sadly I am often lazy and default to allowing all outgoing traffic.

When asked to explain why I want to block outgoing connections, I do find it difficult to justify but here are a few thoughts:

1) I like the principle of making this as hard as possible for the 'bad' guys. If they break in, they might as well not have it easy. As analogy, I can have a gate at the front of my house, then I have a dead locked door (not just a lock from the outside)
. then if I had valuables, they would be in a steel safe, and the safe would be bolted to the concrete floor. All of this will not stop the determined, but why let it be easy.

2) Staying with analogies, I like having double locked doors. If someone breaks in through the window, they have to exit the same way, and not just walk out through the front/back door, making it bit more difficult to carry everything out. In IT terms,
is someone has gained access to my server via a service level exploit, they (hopefully) only have that service's level of access. If the local network is blocked, port scanning is going to be more challenging, as would a number of other network based
attacks.

3) I believe a number of exploits, once gain a small footprint, then create a listening service to allow remote access to the system. If this cannot be achieved, then again, I have made their lives harder.

The main challenge as I see it is to ensure no 'bad' guys gain root access, but as above, until then, make their lives hard as possible to do anything by limiting and locking down anything you can while still allowing the system achieve its intended
purpose.

Any comments on the above thoughts?

George.

--
John Doe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sunday, 04-08-2024 at 18:48 Christofer C. Bell wrote:

On Sun, Aug 4, 2024 at 3:12 AM George at Clug <Clug@goproject.info> wrote:

On Sunday, 04-08-2024 at 16:15 john doe wrote:

On 8/4/24 06:48, jeremy ardley wrote:

On 4/08/2024 12:26 pm, George at Clug wrote:

If I go to the local coffee shop and connect my laptop to their WiFi, >> which incoming and now outgoing ports should I have blocked to ensure >> that no nefarious people are able to communicate with my laptop

The rules for public networks are very simple.

- Allow all outgoing traffic

On a laptop, inbound connections should be restricted unless you want services to be accessible on your laptop by way of FWing and and
securing the services.

Outbound connections is up to you.

Thanks, John,

I do like the idea of blocking all outbound connections, and only opening ports that are required for whatever services I want to use.

For servers I often do, but for workstations, sadly I am often lazy and default to allowing all outgoing traffic.

When asked to explain why I want to block outgoing connections, I do find it difficult to justify but here are a few thoughts:

1) I like the principle of making this as hard as possible for the 'bad' guys. If they break in, they might as well not have it easy. As analogy, I can have a gate at the front of my house, then I have a dead locked door (not just a lock from the outside). then if I had valuables, they would be in a steel safe, and the safe would be bolted to the concrete floor. All of this will not stop the determined, but why let it be easy.

2) Staying with analogies, I like having double locked doors. If someone breaks in through the window, they have to exit the same way, and not just walk out through the front/back door, making it bit more difficult to carry everything out. In IT terms, is someone has gained access to my server via a service level exploit, they (hopefully) only have that service's level of access. If the local network is blocked, port scanning is going to be more challenging, as would a number of other network based attacks.

3) I believe a number of exploits, once gain a small footprint, then
create a listening service to allow remote access to the system. If this cannot be achieved, then again, I have made their lives harder.

The main challenge as I see it is to ensure no 'bad' guys gain root
access, but as above, until then, make their lives hard as possible to do anything by limiting and locking down anything you can while still allowing the system achieve its intended purpose.

Any comments on the above thoughts?

George.

Outbound ports are selected randomly. If you block outbound ports, you'll block your ability to communicate with anything over the network. If you
want to "block outbound stuff" block all outbound connections to any destination, then allow outbound connections to address ranges you want to connect to, from any local port.

I should clarify: I am speaking about incoming and outgoing blocking ports for NEW connections, not RELATED,ESTABLISHED connections, so randomly selected outbound ports should only be for RELATED,ESTABLISHED connections.

I have been experimenting this afternoon based on previous efforts.

I think I finally have success (had to fix way too many typos).

Please review, and please comment if it can be improved.

I used Minecraft and DynMap as a test scenario.

I can ping or disable ping, I can run updates. I wonder what I will find sometime in the future that does not work?


========================================================

# Delete all existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

ip6tables -F
ip6tables -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X

# Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow all inbound established connections
iptables -A INPUT -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

ip6tables -A INPUT -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow all outbound established connections
iptables -A OUTPUT -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

ip6tables -A OUTPUT -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Enable incoming ssh, for remote access
iptables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 22 -j ACCEPT ip6tables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 22 -j ACCEPT


# Enable specific incoming port for Minecraft and DynMap
iptables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 25565 -j ACCEPT iptables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 8123 -j ACCEPT

ip6tables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 25565 -j ACCEPT
ip6tables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 8123 -j ACCEPT

# Enable specific outgoing ports infrastructure support (ssh, dns, apt, ntp) iptables -A OUTPUT -o enp1s0 -p udp -m state --state NEW --dport 53 -j ACCEPT iptables -A OUTPUT -o enp1s0 -p tcp -m state --state NEW -m multiport --dports 22,53,80,123,443 -j ACCEPT

ip6tables -A OUTPUT -o enp1s0 -p udp -m state --state NEW --dport 53 -j ACCEPT ip6tables -A OUTPUT -o enp1s0 -p tcp -m state --state NEW -m multiport --dports 22,53,80,123,443 -j ACCEPT


# Enable specific outgoing port for Minecraft player authentication via Mojang Authentication API (but previously enabled for apt update).
# iptables -A OUTPUT -o enp1s0 -p tcp -m state --state NEW --dport 443 -j ACCEPT
# ip6tables -A OUTPUT -o enp1s0 -p tcp -m state --state NEW --dport 443 -j ACCEPT

# If required for testing, allow ping
iptables -A INPUT -i enp1s0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT ip6tables -A INPUT -i enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type echo-request -j ACCEPT

iptables -A OUTPUT -o enp1s0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT ip6tables -A OUTPUT -o enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type echo-request -j ACCEPT

# Set default chain policies after opening ports
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

==================================================================

You'll find this is an exercise in frustration, however, in today's cloud powered Internet.

Fortunately I do not use the CLOUD. Frustration is another word for 'fun'.

It's best to follow Jeremy Ardley's advice.

It was likely good advice, but what is that old saying? ... "hold my beer".

--
Chris

"If you wish to make an apple pie from scratch, you must first invent the Universe." -- Carl Sagan

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-08-04, George at Clug wrote:

I do like the idea of blocking all outbound connections, and only
opening ports that are required for whatever services I want to use.

I do the same.

For servers I often do, but for workstations, sadly I am often lazy and default to allowing all outgoing traffic.

On workstations I allow all outbound and log traffic to unauthorized
ports. So I got warned of suspicious connections.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Monday, 05-08-2024 at 17:25 Michel Verdier wrote:

On 2024-08-04, George at Clug wrote:

I think I finally have success (had to fix way too many typos).

Please review, and please comment if it can be improved.

Don't fix typo and instead rewrite your rules with nftables https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
It's so much easier and cleaner with nftables :)

Thanks for the link, Michel, it had an interesting translation commands which I put to good use.

There will be some new learning if I am going to be able to do as it suggests, "implement new nftables mechanisms such as sets, maps, verdict maps, concatenations and more".

Down below is the output of the translation commands for my Iptables commands. Interesting but again, I will need to learn what this means, it does not look self explanatory. But hopefully, like everything computer related, it is usually not that
complex, just you need to understand the new syntax and how to use it.

I am also a bit concerned about the statement "table ip nat", I do not want [e.g. need] any Network Address Translation occurring.

As with all new systems, it is best to start at the beginning with the simple, then build on that. Anyway, something to amuse myself with.

George.

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/security_guide/sec-creating_and_managing_nftables_tables_chains_and_rules#sec-Creating_an_nftables_table

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking

https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management https://wiki.nftables.org/wiki-nftables/index.php/Scripting https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management

table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
iifname "lo" counter packets 0 bytes 0 accept
iifname "enp1s0" ct state established,related counter packets 243 bytes 27964 accept
iifname "enp1s0" ct state new tcp dport 22 counter packets 0 bytes 0 accept
iifname "enp1s0" ct state new tcp dport 25565 counter packets 0 bytes 0 accept
iifname "enp1s0" ct state new tcp dport 8123 counter packets 0 bytes 0 accept
}

chain FORWARD {
type filter hook forward priority filter; policy drop;
}

chain OUTPUT {
type filter hook output priority filter; policy drop;
oifname "lo" counter packets 0 bytes 0 accept
oifname "enp1s0" ct state established,related counter packets 189 bytes 33916 accept
oifname "enp1s0" ct state new udp dport 53 counter packets 16 bytes 984 accept
oifname "enp1s0" ct state new tcp dport { 22, 53, 80, 123, 443 } counter packets 9 bytes 540 accept
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}

chain INPUT {
type nat hook input priority 100; policy accept;
}

chain OUTPUT {
type nat hook output priority -100; policy accept;
}

chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
}

chain INPUT {
type filter hook input priority mangle; policy accept;
}

chain FORWARD {
type filter hook forward priority mangle; policy accept;
}

chain OUTPUT {
type route hook output priority mangle; policy accept;
}

chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
}

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-08-05, George at Clug wrote:

Down below is the output of the translation commands for my Iptables commands. Interesting but again, I will need to learn what this means,
it does not look self explanatory. But hopefully, like everything
computer related, it is usually not that complex, just you need to
understand the new syntax and how to use it.

I am also a bit concerned about the statement "table ip nat", I do not
want [e.g. need] any Network Address Translation occurring.

Simply remove table ip nat and table ip mangle as they are empty and you
don't use them.

table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
iifname "lo" counter packets 0 bytes 0 accept
iifname "enp1s0" ct state established,related counter packets 243 bytes 27964 accept
iifname "enp1s0" ct state new tcp dport 22 counter packets 0 bytes 0 accept
iifname "enp1s0" ct state new tcp dport 25565 counter packets 0 bytes 0 accept
iifname "enp1s0" ct state new tcp dport 8123 counter packets 0 bytes 0 accept
}

Remove "packets nnn bytes nnn", syntax is:
iifname lo counter accept
The action "counter" will count packets matching the rule. If you do the
shell command:
nft list ruleset
the line will be listed with the packets and bytes counters.
Also you don't need to test iifname "enp1s0" if you don't have multiple interfaces or don't want to differenciate them.
Only loopback (lo) is to be tested.

chain OUTPUT {
type filter hook output priority filter; policy drop;
oifname "lo" counter packets 0 bytes 0 accept
oifname "enp1s0" ct state established,related counter packets 189 bytes 33916 accept
oifname "enp1s0" ct state new udp dport 53 counter packets 16 bytes 984 accept
oifname "enp1s0" ct state new tcp dport { 22, 53, 80, 123, 443 } counter packets 9 bytes 540 accept
}

Same as for input don't test oifname "enp1s0" if not needed.

So you drop packets not accepted. Here for workstation I add a last rule
like this one:
log level warn prefix "[FW accept output] " counter accept
This will log a warning but still accept the packet out.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 8/5/24 12:50, George at Clug wrote:

On Monday, 05-08-2024 at 17:25 Michel Verdier wrote:

On 2024-08-04, George at Clug wrote:

I think I finally have success (had to fix way too many typos).

Please review, and please comment if it can be improved.

Don't fix typo and instead rewrite your rules with nftables
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
It's so much easier and cleaner with nftables :)

Thanks for the link, Michel, it had an interesting translation commands which I put to good use.

There will be some new learning if I am going to be able to do as it suggests, "implement new nftables mechanisms such as sets, maps, verdict maps, concatenations and more".

Down below is the output of the translation commands for my Iptables commands. Interesting but again, I will need to learn what this means, it does not look self explanatory. But hopefully, like everything computer related, it is usually not that

complex, just you need to understand the new syntax and how to use it.


YOu realy need to be intimate with nftables, you might want to consider
a frontend to nftables.

--
John Doe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Aug 04, 2024, George at Clug wrote:

On Sunday, 04-08-2024 at 16:15 john doe wrote:

On 8/4/24 06:48, jeremy ardley wrote:

On 4/08/2024 12:26 pm, George at Clug wrote:

If I go to the local coffee shop and connect my laptop to their WiFi,
which incoming and now outgoing ports should I have blocked to ensure
that no nefarious people are able to communicate with my laptop

The rules for public networks are very simple.

- Allow all outgoing traffic

On a laptop, inbound connections should be restricted unless you want services to be accessible on your laptop by way of FWing and and
securing the services.

Outbound connections is up to you.

Thanks, John,

I do like the idea of blocking all outbound connections, and only
opening ports that are required for whatever services I want to use.

For servers I often do, but for workstations, sadly I am often lazy
and default to allowing all outgoing traffic.

It's perfectly fine for a server or other installation that's setup to
do "one thing" -- but the idea just falls over when you want to do
"generic things" on the machine.

There's just too much out there that's running behind AWS / Cloudflare /
etc. that you can't just block them; likewise, new protocols and the
like (which, yes, are focused to "the web", but details) will just fail
if you only allow certain ports to be reached.

As for the (snipped) analogies you made -- they more addressed the ideas
of 'security in depth' as a general concept, rather than addressed
"outbound firewalls" at all.



--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3asj+xn6fYUcweBnbWVw5UznKGAFAmaw00IACgkQbWVw5Uzn KGBhhw/9Ensoff75cv13poDh5hBqKrzLHZGwJrJDbuafNY4aBER36LxbQjxzFtED RdmwUI6Q96H9YjBpm/BntUElfymisQ2Tjry9bVEKgRGBu3+bDeGgqpsRdk4E2yzu vLKa/eGy9fIPDB2yQ22yRQrv9bGeIx8NEKzagCmAP1V5ICbkMPBYOnIlitZtQBOK XnxX/Coagh5lskvNK5dUd4BtAQT81uY15KGeYAAP26cfx12V0vWTgEgHeRgI+cnC /G7V+Lzm+7d5ambADfMWlesOsgq5XNVG4DXHPJUef12iJ76D7S00mJKUjoOT50EI iNxEdraPDZPcUMAtraC85PRlZKIHq+KgRw9DIhdFdoT9qy5YGd7sogmIhABFtefZ z8yvpECSrU/hn6yRArgbVLI5D6hTBbF9H8nwHb88BrPH2lN9eXepBKxIGLwpKgn8 p7TygtmT7Co0iAk0GkXUW2g+i0d4d72xsJRyNPhx7YClW25QJwrv3k51JcMUobse Vu4A/zZDnbrE7xwCXzbEFRgPziJ5ekenDMMdctv9MnOJw/+4q3zjwM50DDWU4IIA uOquj7Kj6QLUP5G/n8yG53M1tiJplrK1B/DAobn0c5nbvFSmMuZkzu0mxz8i5kZ2 uzj6wDtIJFoQR2078IQ46C/HMFYIWG1Q2S8ZZek1MV0sS6Ydol0=
=ld3H
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Us

On Monday, 05-08-2024 at 23:27 Dan Purgert wrote:

On Aug 04, 2024, George at Clug wrote:

On Sunday, 04-08-2024 at 16:15 john doe wrote:

On 8/4/24 06:48, jeremy ardley wrote:

On 4/08/2024 12:26 pm, George at Clug wrote:

If I go to the local coffee shop and connect my laptop to their WiFi, >> which incoming and now outgoing ports should I have blocked to ensure >> that no nefarious people are able to communicate with my laptop

The rules for public networks are very simple.

- Allow all outgoing traffic

On a laptop, inbound connections should be restricted unless you want services to be accessible on your laptop by way of FWing and and
securing the services.

Outbound connections is up to you.

Thanks, John,

I do like the idea of blocking all outbound connections, and only
opening ports that are required for whatever services I want to use.

For servers I often do, but for workstations, sadly I am often lazy
and default to allowing all outgoing traffic.

It's perfectly fine for a server or other installation that's setup to
do "one thing" -- but the idea just falls over when you want to do
"generic things" on the machine.

"server that's setup to do "one thing" - this is my use case.

There's just too much out there that's running behind AWS / Cloudflare /
etc. that you can't just block them; likewise, new protocols and the
like (which, yes, are focused to "the web", but details) will just fail
if you only allow certain ports to be reached.

I do not use AWS / Cloudflare / etc, so I am not sure what you mean by "you can't just block them; likewise, new protocols and the like (which, yes, are focused to "the web", but details) will just fail if you only allow certain ports to be reached."

The whole idea of blocking ports other that the ports required for the services being hosted by the server, it to have all other ports fail to be reached.

Sorry, but I do not understand what it is you are concerned about? I feel there is something I may have missed, that could be important.

As for the (snipped) analogies you made -- they more addressed the ideas
of 'security in depth' as a general concept, rather than addressed
"outbound firewalls" at all.

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Monday, 05-08-2024 at 22:25 john doe wrote:

On 8/5/24 12:50, George at Clug wrote:

On Monday, 05-08-2024 at 17:25 Michel Verdier wrote:

On 2024-08-04, George at Clug wrote:

I think I finally have success (had to fix way too many typos).

Please review, and please comment if it can be improved.

Don't fix typo and instead rewrite your rules with nftables
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
It's so much easier and cleaner with nftables :)

Thanks for the link, Michel, it had an interesting translation commands which I put to good use.

There will be some new learning if I am going to be able to do as it suggests, "implement new nftables mechanisms such as sets, maps, verdict maps, concatenations and more".

Down below is the output of the translation commands for my Iptables commands. Interesting but again, I will need to learn what this means, it does not look self explanatory. But hopefully, like everything computer related, it is usually not that

complex, just you need to understand the new syntax and how to use it.

YOu realy need to be intimate with nftables, you might want to consider
a frontend to nftables.

It would be nice if systems were not so complex that they required frontends to be usable.

I am feeling a little overwhelmed by how confusing nftables is, but that is how I felt about iptables before getting to a point I could set up a simple set of rules.

I am currently in the "Initial learning curve" phase.

--
John Doe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Monday, 05-08-2024 at 21:52 Michel Verdier wrote:

On 2024-08-05, George at Clug wrote:

Down below is the output of the translation commands for my Iptables commands. Interesting but again, I will need to learn what this means,
it does not look self explanatory. But hopefully, like everything
computer related, it is usually not that complex, just you need to understand the new syntax and how to use it.

I am also a bit concerned about the statement "table ip nat", I do not
want [e.g. need] any Network Address Translation occurring.

Simply remove table ip nat and table ip mangle as they are empty and you don't use them.

Thanks.

table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
iifname "lo" counter packets 0 bytes 0 accept
iifname "enp1s0" ct state established,related counter packets 243 bytes 27964 accept
iifname "enp1s0" ct state new tcp dport 22 counter packets 0 bytes 0 accept
iifname "enp1s0" ct state new tcp dport 25565 counter packets 0 bytes 0 accept
iifname "enp1s0" ct state new tcp dport 8123 counter packets 0 bytes 0 accept
}

Remove "packets nnn bytes nnn", syntax is:
iifname lo counter accept
The action "counter" will count packets matching the rule. If you do the shell command:
nft list ruleset
the line will be listed with the packets and bytes counters.
Also you don't need to test iifname "enp1s0" if you don't have multiple interfaces or don't want to differenciate them.
Only loopback (lo) is to be tested.

chain OUTPUT {
type filter hook output priority filter; policy drop;
oifname "lo" counter packets 0 bytes 0 accept
oifname "enp1s0" ct state established,related counter packets 189 bytes 33916 accept
oifname "enp1s0" ct state new udp dport 53 counter packets 16 bytes 984 accept
oifname "enp1s0" ct state new tcp dport { 22, 53, 80, 123, 443 } counter packets 9 bytes 540 accept
}

Same as for input don't test oifname "enp1s0" if not needed.

So you drop packets not accepted. Here for workstation I add a last rule
like this one:
log level warn prefix "[FW accept output] " counter accept
This will log a warning but still accept the packet out.

I would like to specify the interface, as on another interface, and have a different set of rules for the other interface.

I do not think I need the counter to be counting packets, so for now I will remove the statement for now.

To disable port forwarding would this be a better method?

# echo 0 > /proc/sys/net/ipv4/ip_forward
# cat /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4 #net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


After sleep, tomorrow I would like to test this out:

===============================
# nano /etc/nftables.conf

flush ruleset

#!/usr/sbin/nft -f

flush ruleset

table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
iifname "lo" accept
iifname "enp1s0" ct state established,related accept
iifname "enp1s0" ct state new tcp dport ssh accept
iifname "enp1s0" ct state new tcp dport 25565 accept
iifname "enp1s0" ct state new tcp dport 8123 accept
}

chain FORWARD {
type filter hook forward priority filter; policy drop;
}

chain OUTPUT {
type filter hook output priority filter; policy drop;
oifname "lo" accept
oifname "enp1s0" ct state established,related accept
oifname "enp1s0" ct state new udp dport dns accept
oifname "enp1s0" ct state new tcp dport { ssh, dns, http, ntp, https } accept
}
}

# systemctl restart nftables.service

====================================

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, 06 Aug 2024 01:12:08 +1000
George at Clug <Clug@goproject.info> wrote:

It would be nice if systems were not so complex that they required
frontends to be usable.

Perhaps it would be nice. But that's not the way of the world. I wrote
6502 assembly code and hand-assembled it way back when. I was very glad
to get my hands on an assembler and a computer with enough ram to run
it. Hiding complexity is a good thing.

I am feeling a little overwhelmed by how confusing nftables is, but
that is how I felt about iptables before getting to a point I could
set up a simple set of rules.

I'm lazy. I use a front end precisely so I don't have to learn nftables
in all its complexity. I suggest you look at firewalld and its two
front ends, firewalld-config (GUI) and firewall-cmd (command line). As
an extra added bonus, it integrates nicely with Network Manager.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tuesday, 06-08-2024 at 04:12 Charles Curley wrote:

On Tue, 06 Aug 2024 01:12:08 +1000
George at Clug <Clug@goproject.info> wrote:

It would be nice if systems were not so complex that they required frontends to be usable.

Perhaps it would be nice. But that's not the way of the world. I wrote
6502 assembly code and hand-assembled it way back when. I was very glad
to get my hands on an assembler and a computer with enough ram to run
it. Hiding complexity is a good thing.

I am feeling a little overwhelmed by how confusing nftables is, but
that is how I felt about iptables before getting to a point I could
set up a simple set of rules.

I'm lazy. I use a front end precisely so I don't have to learn nftables
in all its complexity. I suggest you look at firewalld and its two
front ends, firewalld-config (GUI) and firewall-cmd (command line). As
an extra added bonus, it integrates nicely with Network Manager.

This morning, after thinking on these things I realise I am wrong.

I am showing both my ignorance and my stupidity.

"Times have changed", "That was then, this is now".

While I find it difficult to let go, I do need to learn to use firewalld and make use of firewall-cmd, you are correct.

For example, I have noticed, web pages are no longer code running from a single server (eg. local html, php code), but a litany of libraries sourced life from other sites on the Internet.

(I do recall being taught programming using machine code, once I reached an environment that used assembler, I only used machine code for debugging.
At that time I was also introduced to programming using BASIC via punch cards. I am not going to give up using IDEs and go back to those days, so I should apply the same logic to firewalld)

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, 06 Aug 2024 09:44:32 +1000
George at Clug <Clug@goproject.info> wrote:

This morning, after thinking on these things I realise I am wrong.

I am showing both my ignorance and my stupidity.

"Times have changed", "That was then, this is now".

My compliments on your willingness to do so. It is not easy to do.

While I find it difficult to let go, I do need to learn to use
firewalld and make use of firewall-cmd, you are correct.

It is indeed difficult to let go and move on to other things. Doing so
is one way we old farts can show that we're still alive.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Monday, 05-08-2024 at 23:27 Dan Purgert wrote:

On Aug 04, 2024, George at Clug wrote:

On Sunday, 04-08-2024 at 16:15 john doe wrote:

On 8/4/24 06:48, jeremy ardley wrote:

On 4/08/2024 12:26 pm, George at Clug wrote:

If I go to the local coffee shop and connect my laptop to their WiFi, >> which incoming and now outgoing ports should I have blocked to ensure >> that no nefarious people are able to communicate with my laptop

The rules for public networks are very simple.

- Allow all outgoing traffic

On a laptop, inbound connections should be restricted unless you want services to be accessible on your laptop by way of FWing and and
securing the services.

Outbound connections is up to you.

Thanks, John,

I do like the idea of blocking all outbound connections, and only
opening ports that are required for whatever services I want to use.

For servers I often do, but for workstations, sadly I am often lazy
and default to allowing all outgoing traffic.

It's perfectly fine for a server or other installation that's setup to
do "one thing" -- but the idea just falls over when you want to do
"generic things" on the machine.

There's just too much out there that's running behind AWS / Cloudflare /
etc. that you can't just block them; likewise, new protocols and the
like (which, yes, are focused to "the web", but details) will just fail
if you only allow certain ports to be reached.

Dan, I would like to apologise. I have been 'caught in my thinking', about past days when I was using quite simple, in-house hosted, systems where you had full control, and responsibility for all security implementations.

I have not used the services of AWS or Cloudflare. I have only once used a CLOUD hosted VM (OpenStack) and it was not much different to using our in-house servers.

Now I just tinker at home, hence I am not in the mind set that comes with using large commercial services like Cloudflare or AWS.

Is it possible to be aware of all the ports required by systems/services like "AWS / Cloudflare / etc", such that it is possible to ensure any firewalls that are put in place do not inhibit the features of these systems?

I am wondering how much direct control of security one looses when using third party services like Cloudflare.

George.

As for the (snipped) analogies you made -- they more addressed the ideas
of 'security in depth' as a general concept, rather than addressed
"outbound firewalls" at all.

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-08-06, George at Clug wrote:

To disable port forwarding would this be a better method?

"ceinture et bretelles" (I let you translate)

# echo 0 > /proc/sys/net/ipv4/ip_forward
# cat /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4 #net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host #net.ipv6.conf.all.forwarding=1

Put in a file in /etc/sysctl.d with .conf
net.ipv4.ip_forward = 0
as /etc/sysctl.conf is a package conf and raise some problems as said in
this list

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 8/6/24 01:47, George at Clug wrote:

On Monday, 05-08-2024 at 22:25 john doe wrote:

On 8/5/24 12:50, George at Clug wrote:

On Monday, 05-08-2024 at 17:25 Michel Verdier wrote:

On 2024-08-04, George at Clug wrote:

YOu realy need to be intimate with nftables, you might want to consider
a frontend to nftables.

It is hard to give up on iptables, but you are correct, in both your points. Thank you.

When I understand that I'm asking to much questions that are unrelated
to the purpose of a mailing list, I take that as an opportunity to
regroup and see what I can do about it.

Mailing lists eticket suggests to keep the traffic to a minimum and to
send privately things that are not of the interest of everyone.
This also allows to have an archive that is as relevent as possible and
on topick as possible!

Firewalld, UFW and Foomuuri are all options you might want to play with.

--
John Doe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, 06 Aug 2024 09:44:32 +1000
George at Clug <Clug@goproject.info> wrote:

(I do recall being taught programming using machine code, once I
reached an environment that used assembler, I only used machine code
for debugging. At that time I was also introduced to programming
using BASIC via punch cards. I am not going to give up using IDEs and
go back to those days, so I should apply the same logic to firewalld)

The issue with GUI (or simple script) frontends to open-ended direct configuration is that in order to achieve simplicity (the whole purpose
of a frontend) then it is necessary to implement only a subset of what
the underlying system can do.

In programming terms, assembler maps pretty well one to one to machine
code, whereas frontend code/forms do not map to low-level commands,
since the low-level command structure generally has a huge structure.

Can all valid iptables commands be listed? Of course, but the list
would be exceptionally long.

And yes, I once thought I'd start using a firewall frontend, but fell
almost at the first hurdle, unable to implement a relatively simple
iptables objective. That was years ago, and I'm sure things have
improved, but only by increasing the complexity and versatility of the frontend, which is something opposed to the concept of the frontend.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)