I am new to Linux and Ubuntu. I googled and read some articles stating that all ports are closed until they are opened manually by the user. Is it correct?

And what do you mean by "listening on a port" and "a port is established" in simple terms?

guntbert
n00b

2 Answers

I googled and read some articles stating that all ports are closed until they are opened manually by the user. Is it correct?

Depends on what you see as "user". The user usually does not say, "hey please open port X". System services (such as CUPS for printing, UDP/TCP port 631) open a port for listening. Other examples include an HTTP server (TCP port 80), a DNS server (UDP port 53) and an SMTP (mail) server (TCP port 25).

So far I have only mentioned ports, but a program must also specify an address to start listening on. It is important to understand that programs can listen locally (IPv4 address 127.0.0.1, IPv6 address ::1) or on an address such that the service becomes accessible by other devices on your network (using your network address, e.g. 10.0.1.4). There is also a "wildcard address" (0.0.0.0 for IPv4, :: for IPv6) which is also accessible remotely.

Ports are indeed "closed" until a program starts listening on them.

The sudo netstat -tulpn command can be used to show listening TCP/UDP programs. On a default Ubuntu desktop installation, this shows:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2254/dnsmasq    
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1346/cupsd      
tcp6       0      0 ::1:631                 :::*                    LISTEN      1346/cupsd      
udp        0      0 0.0.0.0:59296           0.0.0.0:*                           1152/avahi-daemon: 
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2254/dnsmasq    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1684/dhclient   
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1152/avahi-daemon: 
udp6       0      0 :::5353                 :::*                                1152/avahi-daemon: 
udp6       0      0 :::53537                :::*                                1152/avahi-daemon: 

Here, you can see that avahi-daemon is accessible over the network on UDP ports 59296, 5353 and 53537. The latter two are standard for avahi-daemon, the first is a random address that is probably communicated using the other two ports. This daemon is used for "network discovery" and allows you to do things like "file sharing". There is also a DHCP client listening globally on port UDP 68.

Some services only listen locally and are not accessible over the network. These are the DNS cache service dnsmasq (UDP port 53) and the printer service CUPS (TCP 631).

And what do you mean by "listening on a port" and "a port is established" in simple terms?

There is no notion of an "established port", only an "established connection". A port that is open for listening is backed up by a program which is interested in data flowing in that port. These ports are typically static, HTTP runs on TCP port 80, DNS on UDP port 53. These standards allow other network devices to find your service quickly.

A TCP connection is established when both network devices agree that they want to talk to each other.

Lekensteyn
  • @ Lekensteyn: Thanks for your explanation. I plan on installing OpenVPN and route all network traffic through the VPN tunnel. What do you suggest that I should do? – n00b Mar 18 '13 at 13:31
  • @n00b In order to use OpenVPN, you do not need to open any ports as a client. For the server, open UDP port 1194. See How do I setup OpenVPN so I can securely use the internet from an unsecured hotspot? – Lekensteyn Mar 18 '13 at 15:31
  • @ Lekensteyn: If I do not need to open any ports as a client, how do the packets of data travel in and out of my computer? My main concern is to terminate any network traffic as soon as my VPN connection drops due to whatever reason. – n00b Mar 18 '13 at 17:53
  • @ Lekensteyn: I read the writeup referenced in "How do I setup OpenVPN so I can securely....." but it doesn't answer my question on how to prevent network traffic from going out of my computer when the VPN connection drops. By the way I use a commercial VPN service provider. I am only a customer and interested in the client-side of OpenVPN connection. – n00b Mar 18 '13 at 17:56
  • @n00b So you want to firewall your machine such that no traffic can leave the machine, except for VPN traffic? Please open a new question, this is unrelated stuff. – Lekensteyn Mar 18 '13 at 17:58
  • @ Lekensteyn: I did post a few days ago and it was deleted by the moderator. – n00b Mar 19 '13 at 04:44
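The two points in the answer above (which listening sockets are reachable from the network, and the difference between a listening port and an established connection) can be checked in code. The following is an added example, not code from the answer or from Ubuntu; the netstat listing it parses is constructed here from the table shown above, the field positions assumed are those of `netstat -tulpn` as printed in that table, and the loopback socket demo uses an ephemeral port chosen by the kernel.

```python
import socket
from typing import Dict, List

# Constructed sample: the `sudo netstat -tulpn` table from the answer above,
# not live output from any machine.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2254/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1346/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1346/cupsd
udp        0      0 0.0.0.0:59296           0.0.0.0:*                           1152/avahi-daemon:
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2254/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1684/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1152/avahi-daemon:
udp6       0      0 :::5353                 :::*                                1152/avahi-daemon:
udp6       0      0 :::53537                :::*                                1152/avahi-daemon:
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def split_addr(addr: str):
    """Split 'host:port' as netstat prints it. IPv6 hosts contain colons,
    so only the last colon separates the port (':::5353' -> ('::', 5353))."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def reach(host: str) -> str:
    """Classify where a listening address can be reached from."""
    if host in LOOPBACK or host.startswith("127."):
        return "local-only"
    if host in WILDCARD:
        return "all-interfaces"
    return "one-interface"


def parse_netstat(text: str) -> List[Dict]:
    """Parse the `netstat -tulpn` table into one record per listening socket."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue  # skip the two header lines
        proto, local = fields[0], fields[3]
        # TCP rows carry a State column and UDP rows do not, so the
        # PID/Program field is simply the last token in either case.
        pid, _, program = fields[-1].partition("/")
        host, port = split_addr(local)
        records.append({
            "proto": proto, "host": host, "port": port,
            "pid": int(pid), "program": program.rstrip(":"),
            "reach": reach(host),
        })
    return records


def exposed_services(text: str) -> List[str]:
    """Return 'proto/port program' for every socket reachable from the network,
    i.e. everything that is not bound to a loopback address."""
    return [f"{r['proto']}/{r['port']} {r['program']}"
            for r in parse_netstat(text) if r["reach"] != "local-only"]


def listen_then_connect() -> Dict:
    """Show a listening socket versus an established connection, using only
    the loopback interface so nothing leaves the machine."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))      # port 0: the kernel picks a free port
    server.listen(1)                   # the port is now "open" (LISTEN state)
    listen_addr = server.getsockname()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(listen_addr)        # TCP handshake completes here
    conn, peer = server.accept()       # one ESTABLISHED connection, two ends
    result = {
        "listening_on": listen_addr,         # the static, well-known side
        "client_sees": client.getpeername(),  # same address from the other end
        "server_sees": peer,                  # client's ephemeral port
    }
    conn.close()
    client.close()
    server.close()
    return result


if __name__ == "__main__":
    for r in parse_netstat(SAMPLE_NETSTAT):
        print(f"{r['proto']:5} {r['host']}:{r['port']:<6} {r['program']:14} {r['reach']}")
    print("reachable from the network:", exposed_services(SAMPLE_NETSTAT))
    print(listen_then_connect())
```

Running the parser over the sample reproduces the answer's reading of the table: avahi-daemon and dhclient are bound to the wildcard address and therefore reachable from the network, while dnsmasq and cupsd are bound to 127.0.0.1 or ::1 and can only be reached from the machine itself. The second function shows that `listen()` alone creates the "open port"; the established connection only exists once a client has connected and the server has accepted it.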
That statement is not correct. True is that very few services are installed by default. And where no service is waiting to be contacted/asked (that's what "listening" means) there is no need to close that port.

But by default every installed service is running and no firewall rules are set to prevent anyone from contacting the service.

As for the additional question: "ports" are like phone extension numbers, they designate one program talking via this number like a phone extension number designates a person or one department within an enterprise.

guntbert
  • @ guntbert: OpenVPN is a service, am I right? When I install OpenVPN, how do I route network traffic through the tunnel such that when the VPN connection drops, network traffic terminates as well. – n00b Mar 18 '13 at 13:33
  • @n00b please ask a new question for that (remember: one post - one question :-)) – guntbert Mar 18 '13 at 13:45