Server - Contents

The Firewall

Critical first line defensive security

revised: 19-Feb-2022

Without a firewall, every port on which the server runs a listening service is reachable from any other device. Below is a brief outline of the ports one chooses to keep accessible; the firewall closes all others. A firewall can provide other services, but the instructions below focus wholly on closing all but the planned-for ports. For this purpose, Arno's Firewall (the Debian package arno-iptables-firewall, a front-end to iptables) is a good choice.

a. Interfaces

The installer's default choice is 'ppp+'. A very common interface name used to be 'eth0', but with predictable interface naming this is changing to a variety of labels, most often starting with the letter 'e'. To find your specific interface, run the following command:

root# ls /sys/class/net

Don't bother with the sub-labels of the form e&&&.XXX (these are VLAN sub-interfaces); just use the main label 'e&&&' (e&&& being some characters/numbers) in this setup.

b. Overview of some of the most common (TCP) ports

SSH/SFTP: 22 - remote shell and encrypted file transfer (what PuTTY and FileZilla in SFTP mode use)
Telnet: 23 - plain-text remote login. The telnet client is handy for talking to a mail server by hand, but the telnet service on 23 should not be exposed; it is not in the port list below.
FTP: 21 - file uploading and downloading in plain text; prefer SFTP on 22 where possible
Webmin: 10000 - the Webmin administration panel
SMTP: 25, 26 (a non-standard alternative some hosts use), 465 (SMTPS, implicit TLS) & 587 (submission, STARTTLS) - sending mail
POP3: 110 & 995 (POP3S) - receiving mail; TCP only
IMAP: 143 & 993 (IMAPS) - online mailboxes; TCP only (585 was an obsolete IMAP-over-SSL assignment and is not needed)
HTTP/HTTPS: 80 & 443 (TLS), and [optional] 8443 (alternate HTTPS) - webpages
[optional] Flask: 5000 - the Flask development server; for testing only, do not expose it on a production host

c. Setting up the Firewall: for a server providing basically a website on (TCP) port 80

Step01: Open PuTTY, log in as root, and enter the following commands (the text after the 'root#' prompt) in sequence:

root# apt -y install arno-iptables-firewall

- Answer 'Yes' to the first prompt so the installer configures the firewall. Use the 'Tab' key to choose an answer, then press the 'Return' key to continue.
- For DHCP: answer "No" if the external interface has a static address. If the interface obtains its address by DHCP (common on cloud VMs), answer "Yes" instead; otherwise the firewall drops the lease traffic and the server can lose its address.
- For pinging: answer "No" to drop ICMP echo requests (answer "Yes" if an external monitor needs to ping the host).
- External interface: eth0 or e&&& (see Interfaces above). Note: this is the interface facing the Internet.
- TCP ports: 21 22 25 26 110 465 587 993 995 10000 80 443 5000   Note: copy-paste this space-separated list. Open only the ports that actually have a service listening; for a server that only serves a website, 22 80 443 is enough. Never leave out 22 (SSH), or the firewall locks you out the moment it starts.
- UDP ports: leave blank. IMAPS (993) and POP3S (995) are TCP services, which is why they are in the TCP list; listing them as UDP opens nothing useful.
- For Multiple interfaces: leave blank
- For Internal subnets: leave blank
- Choose "Yes" twice to start the firewall
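The two answers the installer depends on, the external interface from section a. and the TCP port list above, can be checked against the host before the firewall starts. The script below is an added example written for this page; it is not code from the original page or from arno-iptables-firewall. It parses constructed sample output of `ip -o route show default` and `ss -Hlnt` (the interface name ens3, the addresses and the sockets are made up; on your host replace the sample strings with the real commands' output) and reports which planned ports have no service behind them and which listening services the list would block.

```shell
#!/bin/sh
# Added example for this page; not code from the original page or from
# arno-iptables-firewall. Checks the two installer answers (external
# interface, TCP port list) against what the host actually does.
#
# Both inputs below are CONSTRUCTED sample data. On a real host use:
#   ROUTE=$(ip -o route show default)
#   SOCKETS=$(ss -Hlnt)

# TCP port list as given in the walkthrough above (hypothetical choice).
PLANNED_TCP="21 22 25 26 110 465 587 993 995 10000 80 443 5000"

# Constructed `ip -o route show default` line: one default route, obtained by DHCP.
SAMPLE_ROUTE='default via 203.0.113.1 dev ens3 proto dhcp src 203.0.113.10 metric 100'

# Constructed `ss -Hlnt` output: sshd, a web server, Webmin, and a Flask
# dev server bound to loopback only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:10000 0.0.0.0:*'

# The interface carrying the default route is the "external interface" the
# installer asks for (the one reachable from the Internet).
external_interface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# "dhcp" if a DHCP client installed the default route, else "static".
# Heuristic: relies on the client tagging the route "proto dhcp", which
# systemd-networkd and NetworkManager do; if unsure, check your network config.
address_source() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        src = "static"
        for (i = 1; i <= NF; i++) if ($i == "proto" && $(i + 1) == "dhcp") src = "dhcp"
        print src; exit }'
}

# Distinct TCP ports with a listener on a non-loopback address, sorted.
# Loopback-only listeners (127.0.0.1, [::1]) are skipped: the external
# interface never reaches them, so they need no firewall port.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, parts, ":"); port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "[::1]") next
        seen[port] = 1 }
        END { for (p in seen) print p }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Members of space-separated list $1 that are absent from list $2.
list_diff() {
    out=""
    for p in $1; do
        found=0
        for q in $2; do
            if [ "$p" = "$q" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then out="$out $p"; fi
    done
    printf '%s' "${out# }"
}

# Planned ports with no service behind them: remove them from the list.
open_without_service() { list_diff "$1" "$2"; }

# Listening services the list would block; if 22 shows up here you will
# lock yourself out of SSH the moment the firewall starts.
blocked_services() { list_diff "$2" "$1"; }

audit() {
    listening=$(listening_ports "$SAMPLE_SS")
    echo "external interface : $(external_interface "$SAMPLE_ROUTE")"
    echo "address source     : $(address_source "$SAMPLE_ROUTE")  (answer the DHCP question accordingly)"
    echo "listening, non-loopback TCP ports : $listening"
    echo "planned but nothing listening     : $(open_without_service "$PLANNED_TCP" "$listening")"
    echo "listening but not in the plan     : $(blocked_services "$PLANNED_TCP" "$listening")"
}

audit
```

Run the real commands in place of the sample strings. A port that shows up as "planned but nothing listening" is a door with no room behind it; drop it from the list (in the sample that is 21, the mail ports, and 5000, which only listens on loopback and so needs no firewall port at all). Anything under "listening but not in the plan" becomes unreachable once the firewall starts, which for port 22 means a lock-out; add it, or keep a console session open while you test.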

Should you wish to change a setting or any of the ports at any time, issue this command:

root# dpkg-reconfigure arno-iptables-firewall
[or] sammy$ sudo dpkg-reconfigure arno-iptables-firewall   // if a regular sudo-enabled user, like sammy, is logged on

Lastly, check the status of the firewall:

root# systemctl status arno-iptables-firewall   Note: the status is shown in a pager; press q (or Ctrl+C) to exit it

If the firewall is not active, start it:

root# systemctl start arno-iptables-firewall

When active, the rules the Arno firewall has loaded can be seen in the Webmin module [Networking]->[Linux Firewall] by clicking the "Revert Configuration" button, which re-reads the rules currently active in the kernel. This holds for both Webmin control pages of Linux Firewall, IPv4 and IPv6.

Tip#01: Unless the service is set to start at boot-up, the firewall must be started by hand after every reboot. In Webmin: [System]->[Bootup and Shutdown]->[arno-iptables-firewall.service], one can set the firewall to start automatically at boot. Be sure first that it is running correctly and not locking you out: in particular, port 22 (SSH) must be in the TCP list, and the DHCP answer must match how the server obtains its address, or the next reboot leaves the server unreachable.
Tip#02: More information on this application can be found in its Git repository and in this write-up by CosmosLinux.