
#1 2012-12-30 06:17:05

george55
Member
Registered: 2011-08-10
Posts: 68

[SOLVED] Port used by Pacman

I'm closing off all ports on my systems, and I want to selectively open only those ports that are actually needed. My first issue is with pacman; I cannot find which port is used by Pacman. It appears pacman-keygen uses port 11371 (see: https://wiki.archlinux.org/index.php/Pacman-key), but this does not appear to be the right port for Pacman itself. Anybody have any idea? I could not find this in the documentation either.

Last edited by george55 (2012-12-30 21:20:45)


#2 2012-12-30 06:23:32

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [SOLVED] Port used by Pacman

Depends on the mirror you use; either HTTP (80) or FTP (21)


#3 2012-12-30 07:11:14

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [SOLVED] Port used by Pacman

My understanding of how networking works is that if you are establishing a connection from your machine to somewhere else, the firewall should not be in the way. You only need to open ports when you offer a service that you would like outside machines to be able to connect to. For instance, ssh runs on 22. If you were to have 22 blocked, you could still ssh to another machine, but that machine could not ssh to your blocked port 22.

Am I right about this?

BTW, fukawi2's answer is indeed right that it runs on the standard http or ftp port depending on what mirror you choose (I find that http mirrors tend to be faster from my location).


#4 2012-12-30 11:48:53

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: [SOLVED] Port used by Pacman

george, are you looking at incoming or outgoing ports?

On my systems I use the Simple_Stateful_Firewall.
The only port I have open for incoming traffic is used for torrents, all others are closed.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B) && (time C > time B) ≠ (A works at time C)


#5 2012-12-30 16:24:35

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [SOLVED] Port used by Pacman

Like the Lone_Wolf, I used that same tutorial. On my home server, which is really just a file server and a seed box, I have my torrent port(s) open (one for the torrents themselves, and one for the remote interface), ssh, smb, and nfs.


#6 2012-12-30 16:33:24

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: [SOLVED] Port used by Pacman

WonderWoofy wrote:

My understanding of how networking works is that if you are establishing a connection from your machine to somewhere else, the firewall should not be in the way. You only need to open ports when you offer a service that you would like outside machines to be able to connect to. For instance, ssh runs on 22. If you were to have 22 blocked, you could still ssh to another machine, but that machine could not ssh to your blocked port 22.

A firewall absolutely can interfere with outgoing connections, many companies will block outgoing connections on non-standard ports, making it necessary to set up tunnels if you really want to get something out (doing so is probably not allowed).

Most people will allow all outgoing connections on their own machines though, as it is mostly fine to do so and only limit incoming connections. Although one could limit outgoing connections as well, for instance to make it harder for malware to get out (many windows firewalls do this on a per-application basis).


#7 2012-12-30 17:03:09

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [SOLVED] Port used by Pacman

Excellent! Thanks Ramses de Norre. That is the kind of response I was looking for. I guess my understanding was derived from a typical iptables setup using something like the Simple Stateful Firewall link above, or UFW or something.


#8 2012-12-30 19:33:19

george55
Member
Registered: 2011-08-10
Posts: 68

Re: [SOLVED] Port used by Pacman

Thanks everybody. I opened port 80 and configured Pacman to use http links.

Another question: I am indeed closing off incoming AND outgoing ports, and I am in the process of checking which are really needed and enabling them by hand. It's a bit of a hassle, but it allows me to learn which programs require specific ports to be used, and that is quite interesting. However, I find myself going through quite some hurdles to find the right ports and protocol (TCP or UDP). So my question is: is there some log I can review if I see connections time out, to see which port a specific program/protocol is trying to use?


#9 2012-12-30 19:47:20

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [SOLVED] Port used by Pacman

Note that it is not exactly that you don't open any ports in the no-services simple stateful firewall case. You do allow machines from outside to connect to your machine. The crucial thing is that you only allow incoming connections which respond to outgoing connections. iptables keeps track of the outgoing connections you request and (in the default setup given on the wiki) allows them. It then uses that information to decide which incoming connections to allow. This is why it is "stateful" - it responds dynamically by keeping track of states.

I'm not explaining that very well so ignore it if it is just confusing.

The rule which allows outgoing connections is:

iptables -P OUTPUT ACCEPT

The rule which allows incoming connections which are correctly tagged is:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

At least, I think so. I don't find iptables very intuitive. (I prefer the BSD firewall although I've now forgotten the name. In that case I can kind of see what I'm doing. With iptables I'm never sure whether I've really blocked something or just let everything in!)

Of course, sometimes you then also allow particular incoming connections according to additional criteria. For example, I have to open two ports in order for a networked printer on my home LAN to work.

Last edited by cfr (2012-12-30 19:48:10)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

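As an added example (not cfr's script and not the wiki's), the following shell function assembles the ruleset cfr describes, but in the variant george55 is building: default-deny in both directions, conntrack-based acceptance of replies on INPUT and OUTPUT, and an explicit allowlist of outgoing ports such as the 80/tcp he opened for HTTP mirrors. The `IPT` variable, the `ALLOW_OUT` list and the log prefix are assumptions for this example; preview the commands with `IPT=echo` before applying them as root.

```shell
#!/bin/sh
# Added example: a minimal stateful ruleset in the spirit of the wiki's
# Simple Stateful Firewall, extended with a default-deny OUTPUT chain and an
# explicit allowlist of outgoing ports. Not the wiki's or cfr's script.
# Set IPT=echo to preview the commands; run as root with IPT=iptables to apply.
IPT="${IPT:-iptables}"

# Outgoing services to permit, as proto/port pairs (assumed list; adjust it).
# 80/tcp covers pacman's HTTP mirrors, 53 is DNS, 123/udp is NTP.
ALLOW_OUT="tcp/80 tcp/443 tcp/53 udp/53 udp/123"

build_firewall() {
    # Flush and start from a deny-all baseline in both directions.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP          # instead of the wiki's 'OUTPUT ACCEPT' policy

    # Loopback traffic is always fine.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The "stateful" core: replies to connections we initiated are accepted
    # on both chains without opening any listening port.
    $IPT -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # Allowlist of NEW outgoing connections by protocol and destination port.
    for entry in $ALLOW_OUT; do
        proto=${entry%/*}
        port=${entry#*/}
        $IPT -A OUTPUT -p "$proto" --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # Anything else trying to leave is logged (rate-limited, first packet only)
    # and then dropped by the chain policy; the prefix makes the lines easy to grep.
    $IPT -A OUTPUT -m conntrack --ctstate NEW -m limit --limit 6/min \
         -j LOG --log-prefix='[BLOCKED OUTPUT] ' --log-level 4
}

# Print the rules that would be applied, without touching the kernel.
preview_firewall() {
    ( IPT=echo; build_firewall )
}
```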

#10 2012-12-30 21:16:25

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [SOLVED] Port used by Pacman

cfr wrote:

I'm not explaining that very well so ignore it if it is just confusing.

No, I think this is a very good explanation. Thanks. I think because I use the stateful firewall, I thought that this is just the standard way it must work.


#11 2012-12-30 21:21:14

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [SOLVED] Port used by Pacman

george55 wrote:

Thanks everybody. I opened port 80 and configured Pacman to use http links.

Another question: I am indeed closing off incoming AND outgoing ports, and I am in the process of checking which are really needed and enabling them by hand. It's a bit of a hassle, but it allows me to learn which programs require specific ports to be used, and that is quite interesting. However, I find myself going through quite some hurdles to find the right ports and protocol (TCP or UDP). So my question is: is there some log I can review if I see connections time out, to see which port a specific program/protocol is trying to use?

You can set up iptables to log stuff. For example, you can have it log stuff it rejects. Be warned that it can generate a lot of messages. The BSD firewall I used enabled me to log firewall messages to a specific file and keep it out of the general system logs but I've not found a good way to isolate them with iptables. That is, I can get them sent to a specific log file but everything still shows up elsewhere as well.

The wiki explains how to set up logging, else I would not have figured out how to do it. :)

Note that if you are using a laptop you will either want to keep more stuff open or remember to check your firewall if, when you move locations, stuff doesn't seem to work as you expect!

Last edited by cfr (2012-12-30 21:23:00)



#12 2012-12-30 22:04:37

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [SOLVED] Port used by Pacman

george55 wrote:

So my question is: is there some log I can review if I see connections time out, to see which port a specific program/protocol is trying to use?

You can create a rule in iptables to log anything at the end of the OUTPUT chain:

iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix='[BLOCKED OUTPUT] '

Using the conntrack/ctstate criteria reduces the amount of logging, although at the end of the chain you should only be seeing the initial (blocked) packet anyway (assuming you have a RELATED,ESTABLISHED rule earlier in the OUTPUT chain).

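As an added example (not fukawi2's or cfr's), here is a small shell/awk helper that turns the kernel LOG lines carrying fukawi2's `[BLOCKED OUTPUT]` prefix into a per-protocol, per-port tally, which answers george55's question about finding out which port and protocol a timing-out program was trying to use. The sample lines below are constructed to follow the kernel's iptables LOG format (documentation IP ranges); on a real system they come from `dmesg` or the journal, and the function also handles entries such as ICMP that carry no destination port.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines written with the
# '[BLOCKED OUTPUT] ' prefix into "count proto/dport -> dst" lines.
# The log sample is constructed for this example; feed real lines via stdin.

SAMPLE_LOG='Dec 30 22:10:01 arch kernel: [BLOCKED OUTPUT] IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=45678 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 30 22:10:03 arch kernel: [BLOCKED OUTPUT] IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51000 DPT=123 LEN=56
Dec 30 22:10:04 arch kernel: [BLOCKED OUTPUT] IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=45680 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 30 22:10:05 arch kernel: [BLOCKED OUTPUT] IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec 30 22:10:06 arch kernel: something unrelated that must be ignored'

# Reads log lines on stdin; keeps only the prefixed ones, pulls the
# PROTO=, DPT= and DST= key/value fields out of each line, and counts
# distinct proto/port/destination triples, most frequent first.
summarize_blocked() {
    grep -F '[BLOCKED OUTPUT]' | awk '
    {
        proto = ""; dpt = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO")    proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
        }
        # ICMP and similar carry no DPT; still worth reporting.
        if (proto != "" && dpt != "")
            count[tolower(proto) "/" dpt " -> " dst]++
        else if (proto != "")
            count[tolower(proto) " (no port) -> " dst]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Stand-alone run: print the tally for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

The top line of the output names the protocol and port to allowlist (here 443/tcp to 203.0.113.5) before re-testing the program that timed out.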

#13 2012-12-30 22:42:47

george55
Member
Registered: 2011-08-10
Posts: 68

Re: [SOLVED] Port used by Pacman

Excellent, thanks!

