Is it secure to keep open ports 1714:1764 in Gufw firewall?

For questions regarding system and application security
Wirtualny
Posts: 124
Joined: Sat Jun 26, 2021 9:46 am

Is it secure to keep open ports 1714:1764 in Gufw firewall?

#1 Post by Wirtualny »

I have installed KDE Connect and configured the Gufw firewall, opening TCP and UDP ports 1714:1764 for this software. I thought, in any case, that this was how it worked, because I typed in the Gufw interface the name of the application for which I was opening these ports.

Then I opened the /etc/ufw/user.rules file and saw this:


### RULES ###

### tuple ### allow tcp 1714:1764 ::/0 any ::/0 in
-A ufw6-user-input -p tcp -m multiport --dports 1714:1764 -j ACCEPT

### tuple ### allow udp 1714:1764 ::/0 any ::/0 in
-A ufw6-user-input -p udp -m multiport --dports 1714:1764 -j ACCEPT

### END RULES ###
I was shocked not to see ‘KDE Connect’ in the above-mentioned rules. I thought I was opening these ports in the firewall for a specific application, because I wrote its name in the GUI when configuring the rules in Gufw. Meanwhile, I see that it doesn't work that way. The ports are opened without being restricted to a specific program!

In other words, I thought that in a house having three doors, I give the key to one of the doors to one trusted neighbour. Now, it seems to me that in a house with three doors ... one door is left open for whoever pulls the handle. Is this metaphor correct?

Is it possible to set more restrictive rules in the firewall, e.g. rules that distinguish (even directly) between the real traffic from KDE Connect and potential attack traffic on ports typically used by KDE Connect? If possible, I would ask for a template of enhanced rules for the firewall.

Maybe it is possible to leave these ports open, but restrict them only to the traffic from my particular devices, not the whole internet?

Maybe it would be a good idea to protect KDE Connect differently, e.g. with AppArmor? Does that make sense?
Last edited by Wirtualny on Sun Aug 18, 2024 7:11 pm, edited 1 time in total.

fehlix
Developer
Posts: 12932
Joined: Wed Apr 11, 2018 5:09 pm

Re: Is it secure to keep open ports 1714:1764 in Gufw firewall?

#2 Post by fehlix »

Wirtualny wrote: Sun Aug 18, 2024 5:43 pm I was shocked not to see ‘KDE Connect’ in above-mentioned rules. I thought I was opening these ports in the firewall for a specific application, because I wrote its name in the GUI with configuration of rules in Gufw.
The Linux kernel packet-filtering "firewall" is based on the nftables framework (and, for backward compatibility, on a "wrapper" for iptables rules). ufw and gufw are just tools to formulate the rules in a more user-friendly way.
And the packet filters have no idea which application caused these packets.

DukeComposed
Posts: 1507
Joined: Thu Mar 16, 2023 1:57 pm

Re: Is it secure to keep open ports 1714:1764 in Gufw firewall?

#3 Post by DukeComposed »

Wirtualny wrote: Sun Aug 18, 2024 5:43 pm I have installed KDE Connect and configured the Gufw firewall, opening TCP and UDP ports 1714:1764 for this software.
OK.
Wirtualny wrote: Sun Aug 18, 2024 5:43 pm I was shocked not to see ‘KDE Connect’ in above-mentioned rules. I thought I was opening these ports in the firewall for a specific application, because I wrote its name in the GUI with configuration of rules in Gufw.
Where, exactly, were you told that your firewall had this feature? Post links if possible.
Wirtualny wrote: Sun Aug 18, 2024 5:43 pm Maybe is it possible to leave these ports open, but restrict only for the traffic from my particular devices, not for the whole internet?
That's probably what you should have done from the start. It looks like this is all IPv6-based, and it's unlikely but not impossible you simply don't have an IPv6 connection to the outside world. If you're a home user I'm guessing you haven't opened up traffic to these ports on your router or cable modem and forwarded them to the machine with the firewall rules set, so I'm not convinced this is a huge security problem.

In the future you may want to read up on how stateful packet filters work and why the OSI layers exist.

CharlesV
Administrator
Posts: 8101
Joined: Sun Jul 07, 2019 5:11 pm

Re: Is it secure to keep open ports 1714:1764 in Gufw firewall?

#4 Post by CharlesV »

Firewall ports are not designated to specific applications. The GUFW interface allows you to *choose* which ports you want BY the application. But it still only opens the port(s) specified *** by that application ***

And to answer your question, yes you can be more selective about “who has a key” to the door.

Most likely, your computer is on a local network, and not open to the internet as Duke mentioned. If this is so, then opening ports on your machine only opens ports to your local network and not to the internet.

If you want to choose only certain ip’s to connect to your machine / port, then you have to specify which machines in the source area ( “From” field in GUFW ) of your firewall rule.

With proper configuration you can restrict ports to be used only by certain computers, or via certain ports etc… it is highly configurable – and can get complex rather quickly too

I would suggest doing some reading of how linux firewalls work, and not try to change security until you have read some.

https://ostechnix.com/how-to-setup-fire ... x-desktop/


https://fullscale4me.com/uncomplicated-firewall.pdf
*QSI = Quick System Info from menu (Copy for Forum)
*MXPI = MX Package Installer
*Please check the solved checkbox on the post that solved it.
*Linux -This is the way!
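To make the "who has a key" point concrete, here is an added audit script (not from the thread or from ufw itself) that parses the `### tuple ###` comments ufw writes into user.rules, flags inbound allow rules whose source is the whole internet (`::/0` or `0.0.0.0/0`), and prints the equivalent `ufw allow from <LAN>` command that restricts the rule to a subnet, as the "From" field in Gufw does. The sample rules are constructed; the first two are the lines quoted in the first post, the third is a constructed LAN-restricted variant, and 192.168.1.0/24 is an assumed LAN range.

```python
import ipaddress
import re

# Constructed sample in the format of /etc/ufw/user.rules. The first two tuples
# are the ones quoted in the thread; the third is a constructed example of a
# rule restricted to a LAN subnet (assumed 192.168.1.0/24) via the "From" field.
SAMPLE_RULES = """\
### RULES ###

### tuple ### allow tcp 1714:1764 ::/0 any ::/0 in
-A ufw6-user-input -p tcp -m multiport --dports 1714:1764 -j ACCEPT

### tuple ### allow udp 1714:1764 ::/0 any ::/0 in
-A ufw6-user-input -p udp -m multiport --dports 1714:1764 -j ACCEPT

### tuple ### allow tcp 1714:1764 0.0.0.0/0 any 192.168.1.0/24 in
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m multiport --dports 1714:1764 -j ACCEPT

### END RULES ###
"""

# Field order of a ufw tuple comment: action proto dport dst sport src direction
TUPLE_RE = re.compile(r"^### tuple ### (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)")
KEYS = ("action", "proto", "dport", "dst", "sport", "src", "direction")

def parse_tuples(text):
    """Return one dict per tuple comment found in a user.rules-style text."""
    rules = []
    for line in text.splitlines():
        m = TUPLE_RE.match(line.strip())
        if m:
            rules.append(dict(zip(KEYS, m.groups())))
    return rules

def is_any_source(src):
    """True when the source network matches every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(src, strict=False).prefixlen == 0
    except ValueError:
        return src == "any"

def world_open_allows(text):
    """Inbound allow rules that accept traffic from any source address."""
    return [r for r in parse_tuples(text)
            if r["action"] == "allow" and r["direction"] == "in" and is_any_source(r["src"])]

def restricted_command(rule, lan_cidr):
    """ufw command that re-creates the rule, allowing only sources inside lan_cidr."""
    return f"ufw allow from {lan_cidr} to any port {rule['dport']} proto {rule['proto']}"
```

Run `world_open_allows(open("/etc/ufw/user.rules").read())` (and the same for user6.rules) to list the rules worth tightening; the two IPv6 sample rules are flagged, the LAN-restricted one is not.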

fehlix
Developer
Posts: 12932
Joined: Wed Apr 11, 2018 5:09 pm

Re: Is it secure to keep open ports 1714:1764 in Gufw firewall?

#5 Post by fehlix »

Wirtualny wrote: Sun Aug 18, 2024 5:43 pm Is it possible to set more restrictive rules in the firewall, e.g. rules that distinguish (even directly) between the real traffic from KDE Connect and potential attack traffic on ports typically used by KDE Connect? If possible, I would ask for a template of enhanced rules for the firewall.

Maybe is it possible to leave these ports open, but restrict only for the traffic from my particular devices, not for the whole internet?

Maybe it would be a good idea to protect KDE Connect differently, e.g. with AppArmor? Does it make some sense?
OK, now that you have got some responses about ufw and co.,
maybe consider looking into so-called "application" firewalls.
E.g. start with OpenSnitch, which goes in the direction you may have in mind.

Wirtualny
Posts: 124
Joined: Sat Jun 26, 2021 9:46 am

Re: Is it secure to keep open ports 1714:1764 in Gufw firewall?

#6 Post by Wirtualny »

@ALL
1) Yes, I know that I misunderstood how it works, and I admitted it at the beginning. It was a case of my misinterpretation of the GUI. Non-advanced users (like me) tend to choose, for example, the "preconfigured" option. Then in the drop-down list such a user finds "KDE Connect", and may then think heuristically and intuitively that the ports are opened only for that particular application.

2) If those ports are open only inside my local network, then it's not so bad.

@fehlix
3) Thank you for the info about OpenSnitch. It seems to be a good piece of software, but I think I should choose between Gufw and OpenSnitch instead of running both of them? Has anybody among you - the power users - replaced the default Gufw with OpenSnitch?

@CharlesV
4) Thank you for linking to ostechnix.com. Apart from this topic, I hadn't known this website before, and now it's bookmarked and subscribed.

5) Since I have read a bit, I have a draft of an approach based on the MAC address of a particular second device. I haven't applied those rules yet; I would like you to check them (and possibly improve them) before I paste them into /etc/ufw/user.rules.


# Accept KDE Connect ports only from the second device (placeholder MAC, to be replaced)
-A ufw-user-input -m mac --mac-source 00:00:00:00:00:00 -p tcp --dport 1714:1764 -j ACCEPT
-A ufw-user-input -m mac --mac-source 00:00:00:00:00:00 -p udp --dport 1714:1764 -j ACCEPT

# Drop the same port range from every other source
-A ufw-user-input -p tcp --dport 1714:1764 -j DROP
-A ufw-user-input -p udp --dport 1714:1764 -j DROP
Thank you for your responses.

LinuxSpring1
Posts: 274
Joined: Sun May 05, 2024 8:57 am

Re: Is it secure to keep open ports 1714:1764 in Gufw firewall?

#7 Post by LinuxSpring1 »

Wirtualny wrote: Tue Aug 20, 2024 9:53 am
@fehlix
3) Thank you for the info about OpenSnitch. It seems to be a good piece of software, but I think I should choose between Gufw and OpenSnitch instead of running both of them? Has anybody among you - the power users - replaced the default Gufw with OpenSnitch?
@Wirtualny , @fehlix this is something that I would also like to know.

Is OpenSnitch a replacement for Gufw? And assuming that there cannot be two firewalls running in a system, does UFW have to be disabled when OpenSnitch is used? Also does OpenSnitch use nftables or iptables or something else?

@Wirtualny I am also in the same boat. I need to restrict outgoing connections, whether to the local network or the internet, on a per-application basis and on a per-protocol basis. UFW/GUFW does not appear to have the ability to do so. Maybe because it uses nftables.

fehlix
Developer
Posts: 12932
Joined: Wed Apr 11, 2018 5:09 pm

Re: Is it secure to keep open ports 1714:1764 in Gufw firewall?

#8 Post by fehlix »

LinuxSpring1 wrote: Fri Sep 20, 2024 2:07 am
Wirtualny wrote: Tue Aug 20, 2024 9:53 am 3) Thank you for the info about OpenSnitch. It seems to be a good piece of software, but I think I should choose between Gufw and OpenSnitch instead of running both of them? Has anybody among you - the power users - replaced the default Gufw with OpenSnitch?
this is something that I would also like to know.
You are welcome to try both out in combination: firewall + app-based protection. And provide some feedback on your findings about the way to achieve this.
