advantages in closing a port where no services are running

Are there advantages in closing a port where no services are running?

What do I gain by terminating a connection at the iptables level instead of leaving it to whatever handles it next (I guess the OS)?


I would go the other route and block all ports. Open them as you need the service. Doing this has the advantage that if you unknowingly start a service, your machine is not vulnerable.


The advantage is that you can safely use the port. Many programs will use a pseudo-random port, or can be programmed to use a port. In either case, if you don't close the port, they may be accessible from other hosts.

As Francois noted, a closed policy is safer. Begin with all ports closed and open those you need in the appropriate direction. It is common to require services for which you don't have or want a local server. DNS is usually required, but you don't need to allow incoming requests. Several ICMP types (3, 4, 11) are required for proper network functionality, but others may be safely blocked. It is common to enable echo (8) selectively, which should enable incoming echo-reply (0) messages if related packets are accepted.

Most firewall builders, such as Shorewall, will allow these ports in their example or default rule sets.
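A default-deny IPv4 ruleset along the lines these answers describe, written as an added example that is not from the answers or from Shorewall; the allowed items (loopback, outbound DNS, outbound echo, ICMP types 3, 4 and 11, related/established replies) follow the text above, and `input_port_open` is a hypothetical helper for checking the generated policy:

```shell
#!/bin/sh
# Default-deny ruleset in iptables-restore format: everything closed, then
# open only what the answers above say a host without local servers needs.
# Constructed example, not Shorewall's or any distribution's default set.

build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to traffic we initiated (covers DNS answers and echo-reply,
# since conntrack tracks ICMP echo as a "connection")
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP types the network needs to function: destination-unreachable (3),
# source-quench (4), time-exceeded (11); all other ICMP hits the DROP policy
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
# outbound echo requests only; incoming echo (8) stays closed
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
# outbound DNS only: no local resolver, so nothing inbound on port 53
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Hypothetical helper: does the generated policy explicitly accept inbound
# traffic to a port? Anything without an ACCEPT falls to the INPUT DROP policy.
input_port_open() {
    build_rules | grep -q -- "-A INPUT .*--dport $1 " && echo yes || echo no
}

# To apply on a real host (as root): build_rules | iptables-restore
```

Because the INPUT policy is DROP, a service started later on an unlisted port is unreachable until a rule is added for it, which is the point of the closed-policy approach.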