DATE CHECKED THIS PAGE WAS VALID: 01/09/2023
Open a terminal and type:
sudo apt-get install gufw
Once installed just run 'gufw' from the terminal. Make sure you change status to on. In order to open a port just go to rules and an advanced rule opening port 22 would be something like:
Name: SSH Insert: 0 Policy: Allow Direction: In Interface: All Interfaces Protocol: TCP From: <blank> <blank> To: <blank> <22>
This opens SSH from anywhere to your PC. Obviously this is an example, you would change or add rules as appropriate for your use case.
Audit your firewall settings:
Sometimes it is useful to compare what services are running on Debian vs what you have open as ports. I will do this now on my box to show an example.
First run this command to get a list of services listening on ports on your machine:
sudo lsof -i -P -n | grep 'LISTEN\|UDP'
So here is the output:
Relevant info is this:
aragorn@Aragorn:~$ sudo lsof -i -P -n | grep 'LISTEN\|UDP' avahi-dae 1230 avahi 12u IPv4 21240 0t0 UDP *:5353 avahi-dae 1230 avahi 13u IPv6 21241 0t0 UDP *:5353 avahi-dae 1230 avahi 14u IPv4 21242 0t0 UDP *:47819 avahi-dae 1230 avahi 15u IPv6 21243 0t0 UDP *:47292 sshd 1356 root 3u IPv4 21334 0t0 TCP *:22 (LISTEN) sshd 1356 root 4u IPv6 21336 0t0 TCP *:22 (LISTEN) dnsmasq 1593 nobody 3u IPv4 29098 0t0 UDP *:67 dnsmasq 1593 nobody 5u IPv4 29101 0t0 UDP 192.168.121.1:53 dnsmasq 1593 nobody 6u IPv4 29102 0t0 TCP 192.168.121.1:53 (LISTEN) dnsmasq 1639 nobody 3u IPv4 27149 0t0 UDP *:67 dnsmasq 1639 nobody 5u IPv4 27152 0t0 UDP 192.168.122.1:53 dnsmasq 1639 nobody 6u IPv4 27153 0t0 TCP 192.168.122.1:53 (LISTEN) teamviewe 2195 root 12u IPv4 41331 0t0 TCP 127.0.0.1:5939 (LISTEN) qemu-syst 4145 libvirt-qemu 10u IPv4 47982 0t0 TCP 127.0.0.1:5900 (LISTEN) qemu-syst 4240 libvirt-qemu 10u IPv4 44892 0t0 TCP 127.0.0.1:5901 (LISTEN) gnome-rem 56014 aragorn 40u IPv6 369452 0t0 TCP *:3389 (LISTEN) cupsd 425618 root 7u IPv6 3274437 0t0 TCP [::1]:631 (LISTEN) cupsd 425618 root 8u IPv4 3274438 0t0 TCP 127.0.0.1:631 (LISTEN) cups-brow 425667 root 7u IPv4 3276300 0t0 UDP *:631 teams 886490 aragorn 68u IPv6 5213037 0t0 UDP *:50532 firefox 888388 aragorn 75u IPv4 6082652 0t0 UDP *:57711 firefox 888388 aragorn 143u IPv4 6100036 0t0 UDP *:48078 nxplayer. 1049675 aragorn 27u IPv4 5971216 0t0 TCP 127.0.0.1:52574 (LISTEN) nxclient. 1049735 aragorn 6u IPv4 5973212 0t0 TCP 127.0.0.1:48595 (LISTEN) nxclient. 1049735 aragorn 13u IPv4 5964685 0t0 UDP *:5353 nxclient. 1049735 aragorn 14u IPv4 5964686 0t0 UDP *:53446 nxclient. 1049735 aragorn 15u IPv4 5964687 0t0 UDP *:56363 nxclient. 1049735 aragorn 16u IPv4 5964688 0t0 UDP *:54367 nxclient. 1049735 aragorn 17u IPv4 5974179 0t0 UDP *:38458 nxclient. 1049735 aragorn 24u IPv4 5974180 0t0 UDP 192.168.2.12:47905->192.168.2.2:1900 aragorn@Aragorn:~$
So assuming we had no firewall setup we can determine a few things:
1) MDNS might respond on UDP 5353 and 47819/47292. I can be hard to know with UDP sometimes.
2) My box is listening on port 22 TCP for SSH connections.
3) My box has several DNS related ports open it might respond to.
4) A program 'teamviewer' is listening on 5939.
5) Two virtual machines are running and you can VNC to them on 5900 and 5901.
6) Gnome DE will accept a connection from an RDP client to view my machines screen.
7) Firefox is doing 'something'.
8) No machine player is listening on various ports (this is similar to RDP but an alternative method).
So there is quite a lot we found. We should ensure that anything we dont trust is closed, or at least that the ports are blocked by our firewall.
Here is my firewall rules in the GUI app:
From this image we see that my only open ports are:
22 for ssh
4000 for nx
3389 for rdp
So we can see there is some discrepancy between my rules and what is listening.
So in my case I am intelligently reviewing the rules and only changing what is appropriate. I decided to delete rule opening port 4000 from the firewall application and remove the teamviewer application from my box so that it is not listening or doing anything on my box. I felt this was appropriate in my case, however you might make different or more or less changes.