So my question is: is there some log I can review if I see connections time out, to see which port a specific program/protocol is trying to use?
You can create a rule in iptables to log anything at the end of the OUTPUT chain:
iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix='[BLOCKED OUTPUT] '
Using the conntrack/ctstate criteria reduces the amount of logging, although at the end of the chain you should only be seeing the initial (blocked) packet anyway (assuming you have a RELATED,ESTABLISHED rule earlier in the OUTPUT chain).
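To turn those LOG lines into an answer to the question above (which destination ports and protocols are being attempted), here is an added example that is not from the thread: it parses the kernel's LOG-target output for the '[BLOCKED OUTPUT] ' prefix and tallies attempts per protocol, destination port and host. The log lines, addresses and ports are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the format the iptables LOG target
# emits with --log-prefix='[BLOCKED OUTPUT] '. Hosts and ports are made up.
SAMPLE_LOG = """\
Jan 10 12:00:01 arch kernel: [BLOCKED OUTPUT] IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:02 arch kernel: [BLOCKED OUTPUT] IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 arch kernel: [BLOCKED OUTPUT] IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=50000 DPT=53 LEN=44
Jan 10 12:00:04 arch kernel: [BLOCKED OUTPUT] IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
Jan 10 12:00:05 arch kernel: some unrelated kernel message
"""

PREFIX = "[BLOCKED OUTPUT]"
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE pairs; bare flags like DF/SYN are skipped


def parse_log_line(line, prefix=PREFIX):
    """Return the KEY=VALUE fields of one LOG-target line as a dict, or None if
    the line does not carry our prefix (e.g. an unrelated kernel message)."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line[idx + len(prefix):]):
        # Keys can repeat (IP-header LEN/ID vs. UDP LEN or ICMP ID); keep the first.
        fields.setdefault(key, value)
    return fields


def summarise_blocked(log_text, prefix=PREFIX):
    """Count blocked outbound attempts keyed by (protocol, destination port or
    ICMP type, destination host), so each key is one rule you may need to add."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None or "PROTO" not in f:
            continue
        proto = f["PROTO"]
        if proto in ("TCP", "UDP"):
            key = (proto, int(f["DPT"]), f["DST"])
        elif proto == "ICMP":
            key = ("ICMP", "type " + f.get("TYPE", "?"), f["DST"])
        else:
            key = (proto, "-", f["DST"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (proto, port, dst), n in summarise_blocked(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {proto:<5} {str(port):<8} -> {dst}")
```

On a systemd host the input would come from `journalctl -k` or `dmesg`; the LOG target records no process name, so attributing an attempt to a program still relies on correlating the timestamp and destination with what you were running.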
Thanks everybody. I opened port 80 and configured Pacman to use http links.
Another question: I am indeed closing off incoming AND outgoing ports, and I am in the process of checking which are really needed and enabling them by hand. It's a bit of a hassle, but it allows me to learn which programs require specific ports to be used, and that is quite interesting. However, I find myself going through quite some hurdles to find the right ports and protocol (TCP or UDP). So my question is: is there some log I can review if I see connections time out, to see which port a specific program/protocol is trying to use?
You can set up iptables to log stuff. For example, you can have it log stuff it rejects. Be warned that it can generate a lot of messages. The BSD firewall I used enabled me to log firewall messages to a specific file and keep it out of the general system logs but I've not found a good way to isolate them with iptables. That is, I can get them sent to a specific log file but everything still shows up elsewhere as well.
The wiki explains how to set up logging, else I would not have figured out how to do it.
Note that if you are using a laptop you will either want to keep more stuff open or remember to check your firewall if, when you move locations, stuff doesn't seem to work as you expect!
I'm not explaining that very well so ignore it if it is just confusing.
No I think this is a very good explanation. Thanks. I think because I use the stateful firewall, I thought that this is just the standard way it must work.
I'm not explaining that very well so ignore it if it is just confusing.
The rule which allows outgoing connections is:
iptables -P OUTPUT ACCEPT
The rule which allows incoming connections which are correctly tagged is:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
At least, I think so. I don't find iptables very intuitive. (I prefer the BSD firewall although I've now forgotten the name. In that case I can kind of see what I'm doing. With iptables I'm never sure whether I've really blocked something or just let everything in!)
Of course, sometimes you then also allow particular incoming connections according to additional criteria. For example, I have to open two ports in order for a networked printer on my home LAN to work.
Another question: I am indeed closing off incoming AND outgoing ports, and I am in the process of checking which are really needed and enabling them by hand. It's a bit of a hassle, but it allows me to learn which programs require specific ports to be used, and that is quite interesting. However, I find myself going through quite some hurdles to find the right ports and protocol (TCP or UDP). So my question is: is there some log I can review if I see connections time out, to see which port a specific program/protocol is trying to use?
My understanding of how networking works is that if you are establishing a connection from your machine to somewhere else, the firewall should not be in the way. You only need to open ports when you offer a service that you would like outside machines to be able to connect to. For instance, ssh runs on 22. If you were to have 22 blocked, you could still ssh to another machine, but that machine could not ssh to your blocked port 22.
A firewall absolutely can interfere with outgoing connections, many companies will block outgoing connections on non-standard ports, making it necessary to set up tunnels if you really want to get something out (doing so is probably not allowed).
Most people will allow all outgoing connections on their own machines though, as it is mostly fine to do so, and only limit incoming connections. Although one could limit outgoing connections as well, for instance to make it harder for malware to get out (many Windows firewalls do this on a per-application basis).
On my systems I use the Simple_Stateful_Firewall.
The only port I have open for incoming traffic is used for torrents, all others are closed.
Am I right about this?
BTW, fukawi2's answer is indeed right that it runs on the standard http or ftp port depending on what mirror you choose (I find that http mirrors tend to be faster from my location).