Configuration of firewall - TCP 1025-65535

Hello! I'm running Virtualmin on CentOS 7.

The installation now works quite well, but I would like to make some improvements to the firewall configuration to improve security. My philosophy is that all ports that do not have to be open should be closed.

I can see from the Virtualmin default configuration that TCP 1025-65535 is left open. I don't understand the reason for that, but I would like to ask the question “can I close it” before I do it.

Normally a Linux system should work as a “stateful inspection firewall”, so it will keep track of and open for all return traffic. Then it should be no problem to take away the rule that opens TCP 1025-65535. If, on the other hand, the firewall for some reason should be configured as a “static firewall”, closing TCP 1025-65530, I guess closing these ports might lead to “a closed firewall” in such a way that I will have to reinstall the server. (Or at least some problems.)

I guess that the firewall configuration done by Virtualmin still maintains the “stateful inspection firewall principle”, so it is safe to take away the rule that opens TCP 1025-65535?

Edit:

I looked around in the file system and found out that it is firewalld that does the job. I also made a listing of the firewall rules with iptables -L, which shows this line:
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

This should indicate that there should be no problem to take away the TCP 1025-65535 rule, I guess.

Also some links for later reference:

[https://www.supportsages.com/everything-you-need-to-know-about-firewalld/]

[https://www.programmersought.com/article/26282057504/]

Edit 2:

I used the Virtualmin default configuration tool and closed all ports except for TCP 80, TCP 443 and TCP 10000-10100. Seems to be working OK.

I don't understand why the default configuration of the firewall opens a range of 100 ports. Shouldn't only TCP 10000 be OK for login and management of Virtualmin?

Now I don't like to “just try”, because if I'm locked out of Virtualmin I will have no other way in, and I will have to reinstall the whole server and all the domains.

Don’t you reckon we know which ports Webmin needs? If you will be using any RPC features in Webmin (Webmin communicating to other Webmin instances), you need the other ports.

I have approx. 3-4 days of experience with Virtualmin and I think I don't know which ports Virtualmin uses. Thanks for the answer :slight_smile:

By the way, I think the Virtualmin installation on CentOS 7 works very well, and I'm just afraid to do anything “wrong” so it will stop working.

Actually it is not good, it is fantastic, and better than some of the commercial server management systems.
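
The check described in the first post (confirm that the RELATED,ESTABLISHED accept rule exists before removing a wide port-range rule), as an added example that is not part of the thread or Virtualmin's own code. The ruleset is a constructed sample in `iptables -S` format; the function names and the `max_span` threshold are assumptions, and `multiport` rules are not handled.

```python
import shlex

# Constructed sample in `iptables -S` format (not taken from the thread);
# on a real host, feed the output of `iptables -S` to audit() instead.
SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 10000:10100 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options used here."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None  # policy lines, blanks, anything that is not an append
    rule = {"chain": tok[1]}
    for flag, key in (("-j", "target"), ("--dport", "dport"),
                      ("--ctstate", "ctstate"), ("--state", "ctstate")):
        if flag in tok and tok.index(flag) + 1 < len(tok):
            rule[key] = tok[tok.index(flag) + 1]
    return rule

def port_span(dport):
    """'80' -> (80, 80); '1025:65535' -> (1025, 65535)."""
    lo, _, hi = dport.partition(":")
    return int(lo), int(hi or lo)

def audit(ruleset, max_span=100):
    """Report whether return traffic is accepted statefully on INPUT and
    which ACCEPT rules open more than max_span destination ports."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    stateful = any(
        r["chain"] == "INPUT" and r.get("target") == "ACCEPT"
        and "dport" not in r
        and {"RELATED", "ESTABLISHED"} <= set(r.get("ctstate", "").split(","))
        for r in rules)
    wide = []
    for r in rules:
        if r.get("target") == "ACCEPT" and "dport" in r:
            lo, hi = port_span(r["dport"])
            if hi - lo + 1 > max_span:
                wide.append((r["chain"], lo, hi))
    return {"stateful_return_traffic": stateful, "wide_ranges": wide}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

If `stateful_return_traffic` is false, removing a wide range can break replies to outbound connections, so that result should be checked before any range in `wide_ranges` is closed.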
