Scivillage.com Casual Discussion Science Forum

Full Version: Ports needed for the Internet
In the light of UK regulations I'm setting up firewalls.

My ADSL router is quite basic (no wizards) but gives the important allow/deny facility.
Choosing 'deny all' except what I allow, I have allowed incoming ports 53 (DNS), 80 (HTTP) and 443 (HTTPS) and initially allowed all out - no problem - everything works perfectly. Naturally (?) I want to know what goes out, so I started to restrict the range of allowed outgoing ports - generally the fewer ports open, the slower the response from websites. I find that with 1..52000 allowed most but not all websites will work. It is possible my ADSL box is compromised - also my operating system ('Raspbian' on a Raspberry Pi) but my trusted Ubuntu 14.04 does the same thing. I can't isolate which ports are involved because it seems sometimes a site is slow but gets there and sometimes it doesn't.

I'd expected three ports out and three in to be sufficient - clearly my setup isn't working like that - am I infected with something horrible or is this normal?
Take a peek at the last comment in this thread:
https://askubuntu.com/questions/915913/w...erbird-use

That should give you an idea of how to pull the ports (and end destination IPs) from any applications you are running. It's difficult to say what ports you do or don't need.
You could consider that anti-virus programs will likely use ports to update their program or (as with some web browsers now) some tests to see if a URL is malicious can require having the URL sent to their server to check it (again requiring specific ports).

It's actually easier tightening outgoing than incoming ports, since while a web browser will use 80 (outgoing) to initialise a connection, it can return with other randomly assigned port numbers to help spread the website's asynchronous load so the page loads faster (a port per image, page etc.). If you truly want to lock a browser down to access through one port, then you'll likely have to run it through a proxy (where it redirects the randomly assigned ports to the one you allow).

It should be noted that, as standard, *nix systems will not respond to any port calls if the ports aren't assigned to a server (a program) listening on them, so by default you don't have to tell it to deny ports that have nothing on them. However, I can understand that if you are worrying about compromised programs it makes sense to lock it down "just in case".

As for "infections", there are a couple of things to look for, such as lots of data connections going to shady IP addresses and high processor usage for programs that you don't usually use or have never heard of before.
You can probably also find a list of web sites to avoid.
Some websites actively seek to return pings through different ports to snoop on you.
It became quite common some years back.
Someone probably has a list of those, and it will likely include all the big commercial web sites like eBay, Amazon etc.
Phone-home trojans are the biggest issue in standard over-the-counter games and software products, also loaded from many shopping web sites.

You may find you need to actively deny access while browsing (some) sites which you may wish to view but have snoopy crap in them.
It's EXTREMELY common.

Router jacking would be for scamming, most likely.
Can you delete and then load your own operating system for the router?
That would probably sort the bulk of that out.
Many thanks for the excellent answers.

From the link given by Stryder

https://askubuntu.com/questions/915913/w...erbird-use

while true; do clear; netstat -anp | grep firefox | grep : | awk '{print $5}'; sleep 1; done

I see the BBC need to tell just about everyone what you are looking at. When I look now they all seem to be on port 80 or 443 - this morning I'm sure I saw many more ports being used. ???

Unfortunately I can't update my Raspbian software as there's no MySQL ODBC in the new version. I'm thinking of something clever along the lines of a sacrificial raspberry (a computer) connected to the office net via ssh or vnc. Time passes.
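As an added example (not code from this thread), the script below does the job of the netstat one-liner above in a more structured way and illustrates Stryder's point about ports: it lists the destination ports each program talks to, which is what a deny-by-default outbound rule has to name, and checks that the "random" ports are the local source end of each connection. The netstat output, addresses and PIDs are constructed for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed sample of Linux `netstat -anp` output (assumption: made-up
# addresses, PIDs and programs, not captured from a real host).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 192.168.1.20:41822      151.101.1.81:443        ESTABLISHED 2231/firefox
tcp        0      0 192.168.1.20:41830      151.101.1.81:443        ESTABLISHED 2231/firefox
tcp        0      0 192.168.1.20:53114      212.58.233.254:80       ESTABLISHED 2231/firefox
tcp        0      0 192.168.1.20:53120      212.58.233.254:80       TIME_WAIT   -
udp        0      0 192.168.1.20:48211      192.168.1.1:53          ESTABLISHED 2231/firefox
"""

EPHEMERAL = range(32768, 61000)  # Linux default net.ipv4.ip_local_port_range


def parse_netstat(text):
    """One dict per socket line; the header and anything unparseable is skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        _, _, lport = f[3].rpartition(":")
        rhost, _, rport = f[4].rpartition(":")
        prog = f[-1].partition("/")[2] if "/" in f[-1] else "?"  # '-' = PID hidden
        conns.append({"proto": f[0].rstrip("6"), "lport": int(lport), "rhost": rhost,
                      "rport": None if rport == "*" else int(rport), "prog": prog})
    return conns


def outbound(conns):
    """Sockets with a real peer; LISTEN sockets (peer '*') need no outbound rule."""
    return [c for c in conns if c["rport"] is not None]


def ports_by_program(conns):
    """program -> Counter of (proto, destination port), like the thread's one-liner."""
    out = defaultdict(Counter)
    for c in outbound(conns):
        out[c["prog"]][(c["proto"], c["rport"])] += 1
    return dict(out)


def needed_outbound_rules(conns):
    """Sorted (proto, dport) pairs a deny-by-default outbound policy has to allow."""
    return sorted({(c["proto"], c["rport"]) for c in outbound(conns)})


def local_ports_are_ephemeral(conns):
    """True when every 'random' port is the local source end; a stateful firewall
    tracks those itself, so the rule only has to name the destination port."""
    return all(c["lport"] in EPHEMERAL for c in outbound(conns))
```

On a real box, feed the output of `netstat -anp` (run as root so the program column is filled in) to parse_netstat instead of SAMPLE.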
gufw is a really natty firewall configger (sorry, Linux only).