Fedora Firewall – Default Allowed Ports on Workstation and Server

fedorafirewallfirewalld

What incoming TCP and UDP connections are permitted, by the default firewall policy of Fedora Workstation, and Fedora Server?

I am interested in the current version, Fedora 28.

Best Answer

Look at the default zone definitions in /usr/lib/firewalld/zones/, and cross-reference them against /usr/lib/firewalld/services/.

FedoraWorkstation.xml

Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.

  <service name="dhcpv6-client"/> <!-- udp 546 from fe80::/64 only -->
  <service name="ssh"/>           <!-- tcp 22 -->
  <service name="samba-client"/>  <!-- udp 137,138, plus nf_conntrack_netbios_ns -->
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>

FedoraServer.xml

For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

  <service name="ssh"/>           <!-- tcp 22 -->
  <service name="dhcpv6-client"/> <!-- udp 546 from fe80::/64 only -->
  <service name="cockpit"/>       <!-- tcp 9090 -->

("cockpit" is implemented as a web server running on TCP port 9090. It uses HTTPS and password authentication. There is an alternative option to use SSH and SSH key authentication as well).

Does it allow MDNS / avahi?

This is slightly confusing when you look at the package. The package includes a patch to enable MDNS by default, but it does not touch either of these files. Nevertheless, MDNS will be allowed on Fedora Workstation. The standard MDNS port is 5353, which is in the "high ports" that Fedora Workstation allows (1025-65535).

The MDNS patch pre-dates FedoraWorkstation.xml and FedoraServer.xml in Fedora 21 (2014-12-09). This was the first release of Fedora to be split into Workstation and Server editions. In Fedora 20, the default zone definition was public.xml and it allowed MDNS.

Fedora 21 and its Workstation firewall -- LWN.net, 2014-12-17

https://src.fedoraproject.org/rpms/firewalld/tree/f28

Date: Mon, 6 Aug 2012 10:01:09 +0200
Subject: [PATCH] Make MDNS work in all but the most restrictive zones

MDNS is a discovery protocol, and much like DNS or DHCP should
be available for the network to function as expected.

Avahi (the main MDNS) implementation has taken steps to make sure
no private information is published by default.

See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault

Related Solutions

Linux – How to listen to all ports (UDP and TCP) or make them all appear open in Debian

tcpdump usually comes as standard on Linux distros. It will log all packets visible at the server note that

you probably want to set it running with a filter for your client IP to cut down on the noise
I think this includes packets not accepted by iptables on the local machine - but you might want to test this

e.g.

/usr/sbin/tcpdump -i eth0 -c 3000000 -np host client.example.com >tcp.log

Then just run nmap from your client.

Fedora – Firewall: why no route to host

There are generally two options for blocking traffic when it comes to iptables/firewalld security: DROP the packet or REJECT it.

REJECT results in an icmp-host-prohibited ICMP packet being sent back to the client informing them that the end host refused the connection. This is usually described as "Connection Refused" by your application.

DROP results in the end host not sending anything back in response to the TCP connection request. Since nothing is sent back, this appears to the client as being identical to the packets just being lost or dropped by some router. Since clients will usually make multiple attempts to establish a connection it assumes there's something wrong with the routing on the network (which is technically true in this case) and reports back with the problem being with routing the packet over the network.

So it would appear that your firewall is just dropping packets while not opting to send the ICMP packet informing the other node.