Security and Privacy
Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

18th February 2005, 03:53 AM
backroger (Registered User; Join Date: Sep 2004; Posts: 101)
Which is better....open port or open service?
Hi Guys....
Just to ask your expert opinion: which is better to open, the port or the service? Applicable to all services like web, samba, etc.
Example:
Is it better to open port 80 or WWW?
Any comment or opinion will be much appreciated.

18th February 2005, 04:58 AM
crackers (Retired Community Manager; Join Date: Feb 2004; Location: Seattle, WA, USA; Age: 56; Posts: 3,423)
I think you've got a couple of things mixed up. A "service" is a program that will typically provide some sort of connection over a "port" - the two are not the same thing, though. I could run a web server (aka "www service") and make it use port 8080 instead of the default port of 80. And I can open port 80, but not run the web server - which means there's an open port, but no information can go in or out because nothing's "listening" to that port.
__________________
Linux User #28251 (April '93)
Professional Java Geek :cool:
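The distinction crackers draws above (a port can be open while nothing is listening, in which case no data goes in or out) can be checked from the client side. The following Python is an added example, not code from this thread, from Firestarter or from any poster: it starts a throwaway listener on loopback to stand in for a daemon, then probes that port and a second port that nothing is bound to. The labels open/closed/filtered are borrowed from common port-scanner usage and are this example's own, as is the assumption that a silent timeout usually means a packet filter dropped the SYN.

```python
"""Added example: tell an open-and-listening port from a reachable port
with no daemon behind it, from the client side. Not code from the thread."""
import socket


def probe(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> str:
    """Attempt a TCP connect and classify the result.

    'open'     - a process accepted the connection (a daemon is listening)
    'closed'   - the host answered with RST: port reachable, nothing listening
    'filtered' - no answer within the timeout, the usual sign of a packet
                 filter silently dropping the SYN (a firewall, not a daemon)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def demo() -> dict:
    """Stand up a listener on an ephemeral loopback port (playing the role
    of a daemon such as a web server), pick a second loopback port that is
    bound by nothing, and probe both. Returns the two classifications."""
    daemon = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    daemon.bind(("127.0.0.1", 0))          # port 0: the kernel picks a free one
    daemon.listen(1)
    listening_port = daemon.getsockname()[1]

    # Reserve and immediately release a port so we know nothing owns it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    idle_port = spare.getsockname()[1]
    spare.close()

    try:
        return {
            "listening": probe(listening_port),   # 'open'
            "idle": probe(idle_port),             # 'closed'
        }
    finally:
        daemon.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:10s} {state}")
```

Run against a real host, the third outcome is the interesting one for this thread: a port the firewall has not opened looks "filtered" from outside regardless of whether a daemon is behind it, while an opened port with no daemon answers "closed" immediately.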

18th February 2005, 05:16 AM
backroger (Registered User; Join Date: Sep 2004; Posts: 101)
Oops....sorry, my bad.....
Okay......let's say you have only two choices in broadcasting your Web Server in the Firestarter Firewall: either you open your port 80 or set your WWW to "trusted service".
Which will be the most secure? Granted that you have applied patches/hardening settings/etc., it will boil down to those 2 choices only.
What will it be?
Thank you in advance.
Quote:
Originally Posted by crackers
I think you've got a couple of things mixed up. A "service" is a program that will typically provide some sort of connection over a "port" - the two are not the same thing, though. I could run a web server (aka "www service") and make it use port 8080 instead of the default port of 80. And I can open port 80, but not run the web server - which means there's an open port, but no information can go in or out because nothing's "listening" to that port.

18th February 2005, 05:17 AM
Void Main (Registered User; Join Date: Jan 2005; Posts: 355)
Actually Crackers he's right. The standard ports have names and they reside in /etc/services. To answer your question it doesn't make any difference whether you do it by name or by number, the name resolves to the number anyway based on what is in /etc/services. Sort of like when you connect to a host by name it actually resolves to an IP address to actually make the connection.

19th February 2005, 03:01 AM
crackers (Retired Community Manager; Join Date: Feb 2004; Location: Seattle, WA, USA; Age: 56; Posts: 3,423)
No, those aren't the "names" of the ports - those are the standard services that use those port numbers. They are still not the same: the file is named "services" and the first line before the data is
Code:
# service-name port/protocol [aliases ...] [# comment]
That file is a service-to-port mapping and that's all it is.
(Yes, I'm being pedantic and overly picky, but part of the educational process is learning the correct terminology.)

19th February 2005, 03:42 AM
Void Main (Registered User; Join Date: Jan 2005; Posts: 355)
If you ask me, what you are referring to as "services" are actually "daemons". That's what they have been called since I started doing this 20 years ago, and it wasn't until recently that some distros started calling them services, sadly probably because Microsoft had services starting with NT. I would have preferred the name stayed as "daemon". The services file is to ports much like what the hosts file is to IP addresses: it gives the port a name. What I said is true, you can use the port number or name wherever they are needed, as they will be resolved to the number (if the name/number exists in /etc/services, that is). Just like the gethostbyname() function is called when you connect to a host using its name, the getservbyname() function is called when you reference a port by name. For instance you can telnet to an smtp service on a host by either:
$ telnet yoursmtpserver 25
or
$ telnet yoursmtpserver smtp
The second one will require a getservbyname() to be called to resolve the port number from /etc/services. Likewise you can use either "80" or "www" in your firewall rules to block port 80. This is what the original poster was asking. You are correct that if he is running his web server on a non-standard port that using "www" in your firewall rules but that's not what he was asking (at least the way I read it).
A man on "getservbyname" has an interesting line:
Quote:
The getservbyname() function returns a servent structure for the line from /etc/services that matches the service name using protocol proto. If proto is NULL, any protocol will be matched.
If you would like to expand on this a little further protocols are in the same boat. They can be referenced by name or number based on what is in /etc/protocols, and guess what function resolves protocol names. That's right "getprotobyname()".
See "man gethostbyname", "man getservbyname" and "man getprotobyname"
Last edited by Void Main; 19th February 2005 at 03:58 AM.
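What Void Main describes in this reply and the one before it (a name in a rule going through getservbyname() and /etc/services before it becomes a number) can be made concrete. The following Python is an added example, not code from this thread, from Firestarter or from glibc: it parses an embedded, constructed excerpt written in the /etc/services format quoted above, then resolves names and ports the way getservbyname(3)/getservbyport(3) do, including the "proto NULL matches any protocol" rule from the man page. The sample entries, the Servent class and the rule_port() helper are this example's own. Python's socket module exposes the real library calls as socket.getservbyname() and socket.getservbyport(), which read the system file instead of an embedded string.

```python
"""Added example: how a service name in a firewall rule becomes a port
number via the /etc/services table. Not code from the thread."""
from typing import List, NamedTuple, Optional, Tuple

# Constructed excerpt in the layout of /etc/services (not the real file):
#   service-name port/protocol [aliases ...] [# comment]
SAMPLE_SERVICES = """\
# Constructed sample, same layout as /etc/services
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
http            80/tcp          www www-http    # WorldWideWeb HTTP
http            80/udp          www www-http
https           443/tcp
microsoft-ds    445/tcp
http-alt        8080/tcp        webcache        # WWW caching service
"""


class Servent(NamedTuple):
    """Python-side stand-in for C's struct servent."""
    name: str
    port: int
    proto: str
    aliases: Tuple[str, ...]


def parse_services(text: str) -> List[Servent]:
    """Parse /etc/services-format text. Blank lines and '#' comments are
    skipped; each remaining line is 'name port/proto [aliases ...]'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/", 1)
        entries.append(Servent(fields[0], int(port), proto, tuple(fields[2:])))
    return entries


def getservbyname(entries: List[Servent], name: str,
                  proto: Optional[str] = None) -> Optional[Servent]:
    """First entry whose name or alias matches. proto=None matches any
    protocol, mirroring getservbyname(3) called with proto == NULL."""
    for e in entries:
        if (name == e.name or name in e.aliases) and proto in (None, e.proto):
            return e
    return None


def getservbyport(entries: List[Servent], port: int,
                  proto: Optional[str] = None) -> Optional[Servent]:
    """Reverse lookup, mirroring getservbyport(3)."""
    for e in entries:
        if port == e.port and proto in (None, e.proto):
            return e
    return None


def rule_port(entries: List[Servent], spec: str, proto: str = "tcp") -> int:
    """Port a rule written as '80' or 'www' ends up matching: a number is
    taken as-is, a name goes through the table. Hypothetical helper that
    models a rule parser; an unknown name is rejected rather than guessed."""
    if spec.isdigit():
        return int(spec)
    e = getservbyname(entries, spec, proto)
    if e is None:
        raise ValueError(f"unknown service name {spec!r} for {proto}")
    return e.port


def demo(daemon_port: int = 8080) -> dict:
    """Compare a name-based and a number-based rule against a web server
    moved to daemon_port (8080 by default), the case the thread discusses."""
    entries = parse_services(SAMPLE_SERVICES)
    by_name = rule_port(entries, "www")
    by_number = rule_port(entries, str(daemon_port))
    std = getservbyport(entries, daemon_port, "tcp")
    return {
        "www_resolves_to": by_name,                          # 80, whatever Apache uses
        "rule_www_matches_daemon": by_name == daemon_port,   # False for 8080
        "rule_number_matches_daemon": by_number == daemon_port,
        "standard_name_for_daemon_port": std.name if std else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32s} {value}")
```

The demo() result is the whole point of the name-versus-number question: "www" resolves to 80 no matter where the daemon actually listens, so a rule written by name silently fails to cover a web server moved to 8080, while a rule written with the number matches exactly what was typed.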

19th February 2005, 05:43 PM
crackers (Retired Community Manager; Join Date: Feb 2004; Location: Seattle, WA, USA; Age: 56; Posts: 3,423)
Oooch - ya got me! It's been about 10 years since I did any C programming and I'd never gotten into ports/services even then. And yes, I agree - daemons are much more descriptive and it's probably Microsoft's munging that caused the terminology to shift.
On the other hand, I'm heavily into SOA right now, so my paradigm shift is that everything listening on any port is a "service"...

19th February 2005, 06:00 PM
Void Main (Registered User; Join Date: Jan 2005; Posts: 355)
Quote:
Originally Posted by crackers
On the other hand, I'm heavily into SOA right now, so my paradigm shift is that everything listening on any port is a "service"...
You are right about that. You are also right that the process (daemon if you will) can listen on ports other than what it was originally intended for. Your Apache example is a good one in that it doesn't have to listen on port 80 for non-SSL traffic and port 443 for SSL traffic. You can put it on any port you want, but then you are using "non-standard ports" for that "service". The /etc/services file is basically a list of "standard ports". I guess the point is, there is some gray area in terminology, especially if you don't put it into some sort of context. I guess the RFCs are usually where one would point for definitive answers (unless you work at Microsoft).

20th February 2005, 10:38 AM
LiNuX-CrUsAdEr (Registered User; Join Date: Nov 2004; Posts: 30)
In short, there is no difference between defining the port number or the port's name when creating security policies. But I suggest that you use the port number instead, especially if you are running your daemon (I prefer this name instead of service) on a non-standard port, to be more accurate and at the same time avoid resolution of port name to number.
__________________
Systems, DB and Network Administrator
The greatest mistakes we make are the risks we didn't take. If you think something will make you happy, go for it! So you won't live your life asking: "What if?" and telling yourself "If only..." :)

20th February 2005, 10:58 AM
backroger (Registered User; Join Date: Sep 2004; Posts: 101)
You hit the nail!!!.......I wanted to clarify this, since I'm still a noob. I need some light shed on this, since I don't know how things work: is setting "Trusted Device in WWW" better than "enabling port 80"?
If I enable "Trusted Device in WWW", it means any "WWW" transaction or connection, no matter what port it is using, will still get access to my box, from 1-1024.
If I "enable port 80", any other daemon (or service) can use it to access my box, whether it is sshd/smb/www, etc.
Is this understanding correct?
Quote:
Originally Posted by LiNuX-CrUsAdEr
But I suggest that you use the port number instead, especially if you are running your daemon (I prefer this name instead of service) on a non-standard port, to be more accurate and at the same time avoid resolution of port name to number.

20th February 2005, 11:07 AM
LiNuX-CrUsAdEr (Registered User; Join Date: Nov 2004; Posts: 30)
Quote:
Originally Posted by backroger
You hit the nail!!!.......I wanted to clarify this, since I'm still a noob. I need some light shed on this, since I don't know how things work: is setting "Trusted Device in WWW" better than "enabling port 80"?
If I enable "Trusted Device in WWW", it means any "WWW" transaction or connection, no matter what port it is using, will still get access to my box, from 1-1024.
If I "enable port 80", any other daemon (or service) can use it to access my box, whether it is sshd/smb/www, etc.
Is this understanding correct?
I think we really got things mixed up here. First things first: is the policy you are creating for inbound or outbound traffic?

20th February 2005, 12:06 PM
LiNuX-CrUsAdEr (Registered User; Join Date: Nov 2004; Posts: 30)
Also, what firewall are you configuring? Is it the in-the-box firewall of FC or third-party firewall software, like Firestarter 1.0?

20th February 2005, 12:49 PM
backroger (Registered User; Join Date: Sep 2004; Posts: 101)
Firestarter 0.93.....for RHEL AS 3.0 Update 4. As for Inbound & Outbound...umm...Firestarter 0.93 has no setting for that unlike....the manual Iptables.