advantages in closing a port where no services are running

networking linux firewall iptables port

Are there advantages in closing a port where no services are running?

What do I gain in terminating a connection at iptables level instead of what does it next (I guess OS).


I would go the other route and block all ports. Open them as you need the service. Doing this has the advantage that if you unknowingly start a service, your machine is not vulnerable.


The advantage is that you can safely use the port. Many programs will use a pseudo-random port, or can be programmed to use a port. In either case, if you don't close the port, they may be accessible from other hosts.

As Francois noted, a closed policy is safer. Begin with all ports closed and open those you need in the appropriate direction. It is common, to require services for which you don't have or want a local server. DNS is usually required, but you don't need to allow incoming requests. Several ICMP types (3,4,11) are required for proper network functionality, but others may be safely blocked. It is common to enable echo (8) selectively, which should enable incoming echo-reply (0) messages if related packets are accepted.

Most firewall builders such as Shorewall, will allow the these ports in their example or default rule sets.

Related

Detecting AD Site options using PowerShell
Error code 80244019 while installing Windows Update
How to run node.js app on port 80? Are processes blocking my port?
Execute copy and set only if something changed
HTTPD listening in IPv6, according netstat, but reacheable in IPv4
Connected to openvpn, but no Internet connection
How does debian/ubuntu knows a package has a updated version
Unknown “securenat” device showing up inside my network
Create virtual network interface in Ubuntu 16.04
VirtualBox - Linux Mint not starting - VT-x is not available
Images (e.g. with Clonezilla) of Windows and Linux on a UEFI computer
Broadcast DNS name visible to PC but not phone