
Saturday, October 27, 2007

Re: Port 80 Open



----- Original Message -----
From: Telly Williams <twilliams001@elp.rr.com>
Date: Saturday, October 27, 2007 6:43 pm
Subject: Port 80 Open
To: Debian Firewall <debian-firewall@lists.debian.org>

> Hi,
>
> Maybe I'm not understanding something here.  I ran a check on my
> ports to see what's wrong with it.  Only port 80 comes up as
> open, and, apparently, is a security violation.
>
> That's chafing me, because from what I understand, without port
> 80 open I'm not able to get on the WWW, so even if you ARE NOT
> running a web server, it still needs to be "open".
>
> Anything that comes into port 80 on my host automatically hits a
> chain checking the tcp packets for syn and state
> ESTABLISHED,RELATED, the packets being dropped if they don't
> have those.  How can this still be a security violation?
>
> Also, I'm running in stealth (not allowing icmp echo replies or
> requests).  Some of my ports (i.e., 25 and 443) are coming up as
> closed.  Why are these ports showing up as closed at all?
>

If you're not running a web server, you do not need to have port 80 open inbound at all.  You just need to allow outbound packets destined for port 80 on the remote web server.  You also need to allow inbound ESTABLISHED/RELATED packets so the remote web server can send data back.

Basically, when you connect to a remote web server, your machine picks a random high-number port (usually >30000) and sends packets out that port.  The destination of these packets is port 80 on the remote server.  When the remote server replies, it sends packets out from its port 80, back to the same random port on your machine.  If you set up LOG rules in iptables or use a packet capture program like Wireshark, you can see what I mean.

    - Dave
