Firewall Question/Help

    First for the question, is it possible to have UFW operate more like a windows firewall where it forces all applications to require my approval before allowing Internet access?

    Also, I seem to have trouble with opening ports. ufw is running, and the status says port X is open. I have a static IP set, and within the router, I have port X open to my static IP. Yet when I use a tool like www.canyouseeme.org it says the port is closed. Am I missing something here?
    OS: Kubuntu 12.10/Windows 8
    CPU: Intel Core i7 2600K
    Motherboard: Gigabyte GA-Z77X-UD5H
    Memory: 2x4GB Corsair Dominator
    Graphics Card: MSI R7770
    Monitor: Dell 2208WFP
    Mouse: Mionix NAOS 5000
    PSU: Corsair 520HX
    Case: Thermaltake Mozart TX
    Cooling: Thermalright TRUE Black Ultra-120 eXtreme CPU Heatsink Rev C
    Hard Drives: 1x180 GB Intel 330 SSD - 1xWD 1 TB Caviar Black - 1xWD 2 TB Caviar Green - 2xWD 3 TB Caviar Green

    #2
    Do you need a firewall when you are behind a router? If the ports are not forwarded to the pc then the firewall on the pc does not have to block them and if they are forwarded then you probably don't want to block them...

    Originally posted by Xplorer4x4 View Post
    First for the question, is it possible to have UFW operate more like a windows firewall where it forces all applications to require my approval before allowing Internet access?
    Is there any problem with letting all applications have access to the internet? If you have an application that wants the internet and you don't want to give it access then do you need that application? You are much less likely to gain any applications that will do anything malicious on the network if you are careful when browsing on-line and with what you download/install.

    This all assumes you are already behind a router and never on a public network (like with a laptop).

    Also, I seem to have trouble with opening ports. ufw is running, and the status says port X is open. I have a static IP set, and within the router, I have port X open to my static IP. Yet when I use a tool like www.canyouseeme.org it says the port is closed. Am I missing something here?
    Is anything listening on that port? If not then it will appear closed from the outside world.



      #3
      Originally posted by james147 View Post
      Do you need a firewall when you are behind a router? If the ports are not forwarded to the pc then the firewall on the pc does not have to block them and if they are forwarded then you probably don't want to block them...
      Never understood the question of why you need a software firewall behind a router. The router firewall is hardly sufficient imo. It may provide some security but without full control what good is a firewall? Just my opinion. As far as forwarding the ports to the pc, I thought that was clear from my OP. As I said the port is open on the router, and the firewall.

      Is there any problem with letting all applications have access to the internet? If you have an application that wants the internet and you don't want to give it access then do you need that application? You are much less likely to gain any applications that will do anything malicious on the network if you are careful when browsing on-line and with what you download/install.
      Call me paranoid but I like full control over the network traffic. If this is not possible, imo windows is light years ahead of *nix in that regard.

      Is anything listening on that port? If not then it will appear closed from the outside world.
      I don't ever recall actually needing an application open using that port to get success on windows. Is this a *nix thing?


      On a side note, never understood why people can't at least answer a question even if they don't agree. Personally, I am always glad to help but also throw my 2 cents in.

      Sent from my DROID2 Global



        #4
        Originally posted by Xplorer4x4 View Post
        Never understood the question of why you need a software firewall behind a router. The router firewall is hardly sufficient imo. It may provide some security but without full control what good is a firewall?
        What protection do you require from it that you cannot get from the router? It basically blocks or allows ports. By default routers tend to allow all outgoing ports and block all incoming ports, so unless you have something untrusted on the internal network do you need to block incoming ports to the computer? And unless you have something untrusted on your computer do you need to block outgoing ports from it? I know you can get more fancy with different configuration like blocking applications on different ports but do you really need anything more advanced on a home network? I often just find they are more hassle than they are worth.

        Call me paranoid but I like full control over the network traffic. If this is not possible, imo windows is light years ahead of *nix in that regard.
        You can get full control, it is just more complicated in linux as most people don't need such control. You should be able to do everything from ufw but I do not know of anything that will prompt you when an application tries to access the internet. I also have to question the usefulness of this on windows. Most users just click ok without paying attention and the more advanced users generally never get applications that they don't need to click yes to (at least I have never seen anyone click or need to click no to them ^^).

        Also if you want true control you can get wireshark and watch what packets come and go from your computer and find out what applications you actually need to get rid of/block. The best way to know if you actually require a firewall is to watch the network yourself.

        I don't ever recall actually needing an application open using that port to get success on windows. Is this a *nix thing?
        That is one reason a firewall isn't needed as much on linux, all ports are closed unless an application is listening on them.

        On a side note, never understood why people can't at least answer a question even if they don't agree. Personally, I am always glad to help but also throw my 2 cents in.
        Sorry, I don't know the answer directly, but I have never seen an application do this on linux, but then I don't generally use firewalls on linux to begin with so they might be able to.

        You might want to read into the following applications;
        • Firewall Builder
        • kcm-ufw
        • Gufw
        • Firestarter
        • Guarddog



          #5
          Originally posted by james147 View Post
          What protection do you require from it that you cannot get from the router? It basically blocks or allows ports. By default routers tend to allow all outgoing ports and block all incoming ports, so unless you have something untrusted on the internal network do you need to block incoming ports to the computer? And unless you have something untrusted on your computer do you need to block outgoing ports from it? I know you can get more fancy with different configuration like blocking applications on different ports but do you really need anything more advanced on a home network? I often just find they are more hassle than they are worth.

          You can get full control, it is just more complicated in linux as most people don't need such control. You should be able to do everything from ufw but I do not know of anything that will prompt you when an application tries to access the internet. I also have to question the usefulness of this on windows. Most users just click ok without paying attention and the more advanced users generally never get applications that they don't need to click yes to (at least I have never seen anyone click or need to click no to them ^^).
          What do I require that a router doesn't offer? I think that has been made more than obvious...per application based control. Correct me if I am wrong, but with a router, port 80 would need to be open at all times correct? So all an application has to do, malicious or otherwise, is request access on port 80 to get through. Furthermore, it is not so much what I require, but rather what I want. Call me a control freak, but I like to know exactly what is requesting access to the outside world. Now granted, with linux, the threat of malware is far, far less than that of Windows, BUT that risk still exists does it not? It's not all about what is on my system but rather what might slip through the cracks. One such example: in windows I used ESET Nod32 which would occasionally filter out ads because of malicious content. Now they might have been false positives, they might have been malicious to windows users not *nix users, but the old saying comes to mind here, "better safe than sorry."

          We could go at this forever, but what's the point? I made it clear what I would like. If it is not possible, so be it, but sitting here debating the issue just wastes your time and mine. Personally I would rather spend my time in better ways.

          Also if you want true control you can get wireshark and watch what packets come and go from your computer and find out what applications you actually need to get rid of/block. The best way to know if you actually require a firewall is to watch the network yourself.
          Not the ideal solution but I suppose it gets the job done for now. Thanks for the idea.

          That is one reason a firewall isn't needed as much on linux, all ports are closed unless an application is listening on them.
          There is a difference between "as much" and "not at all."

          You might want to read into the following applications;
          • Firewall Builder*
          • kcm-ufw
          • Gufw*
          • Firestarter*
          • Guarddog
          3 out of 5 I had tested before coming here, and saw no such linux. Thanks for the suggestions part of your post. Will check into them here shortly.


          More importantly, kTorrent is running looking for access on port 60000, it's open in the firewall, and the router, but the site still claims port 60000 is open. I even disabled ufw and still am not able to get the port open. I checked ifconfig and it says my (internal) IP is 192.168.1.140 which is the internal IP set for that port in the router (Linksys E2000 running latest TomatoUSB Firmware Build by Toastman).
          Last edited by Xplorer4x4; Jun 05, 2012, 07:53 PM.



            #6
            You might want to read into the following applications;
            • Firewall Builder*
            • kcm-ufw
            • Gufw*
            • Firestarter*
            • Guarddog


            Basically all of these applications are front-ends to iptables, which does the actual firewalling.
            I have, in the past, done some manual configuration on this because, for one reason or another, the various front ends didn't do the job. Also be aware that anything to do with iptables needs to be done with sudo or kdesudo, or it won't take effect, and may also require a reboot or a networking restart to take effect.

            Regarding iptables, google/duckduck are your friends, as there is a boatload of information out there. Might just as well learn how to do it from the command line, as like I said, some things just don't seem to fly through the GUIs.
            We only have to look at ourselves to see how intelligent life might develop into something we wouldn't want to meet. -- Stephen Hawking



              #7
              Delete please. Misinformation.
              Last edited by Xplorer4x4; Jun 05, 2012, 08:07 PM. Reason: misinformation



                #8
                I was using kdesudo when dealing with these frontends and ufw itself from the command line. Correct me if I am wrong, but as long as ufw reports the port open, I don't actually need to mess with iptables do I?



                  #9
                  As I understand it, ufw is a "rule manager" for iptables. I've been wrong before.

                  Yeah, I would think if UFW reports the port open, then it is open. Can you ping it from your own machine?

                  Edit: install the hping3 package, then
                  Code:
                  sudo hping3 -s 60000 localhost

                  Edit: I'll get it right eventually...

                  And alternatively:
                  Code:
                  telnet localhost 60000
                  (or whatever port you are checking)
                  Last edited by doctordruidphd; Jun 05, 2012, 08:32 PM. Reason: clarification



                    #10
                    Output from sudo ping3-s 60000 localhost looks good:
                    Code:
                    PING localhost (127.0.0.1) 60000(60028) bytes of data.
                    60008 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.104 ms
                    60008 bytes from localhost (127.0.0.1): icmp_req=2 ttl=64 time=0.093 ms
                    60008 bytes from localhost (127.0.0.1): icmp_req=3 ttl=64 time=0.063 ms
                    60008 bytes from localhost (127.0.0.1): icmp_req=4 ttl=64 time=0.090 ms
                    60008 bytes from localhost (127.0.0.1): icmp_req=5 ttl=64 time=0.095 ms
                    However telnet doesn't look so good:
                    Code:
                    telnet localhost 60000
                    Trying 127.0.0.1...
                    telnet: Unable to connect to remote host: Connection refused
                    That is with ufw disabled, but just for the sake of troubleshooting here is the output of sudo ufw status
                    Code:
                    Status: active

                    To                         Action      From
                    --                         ------      ----
                    60000                      ALLOW       Anywhere
                    60000                      ALLOW       Anywhere (v6)

                    60000                      ALLOW OUT   Anywhere
                    60000                      ALLOW OUT   Anywhere (v6)



                      #11
                      Originally posted by Xplorer4x4 View Post
                      However telnet doesn't look so good:
                      telnet localhost 60000
                      Trying 127.0.0.1...
                      telnet: Unable to connect to remote host: Connection refused
                      "Connection refused" generally means there is no process listening on the target port for incoming connections, not that the connection is blocked by a firewall.

                      Firewalls usually, in their default configuration, DROP packets (resulting in timed out connection attempts) rather than sending a REJECT reply (connection refused).

                      EDIT: you can inspect currently running services that listen for incoming connections with (for example):
                      Code:
                      sudo netstat -tuanp
                      State=LISTEN means the process is a network service listening on a specified port.
                      Last edited by kubicle; Jun 06, 2012, 12:17 AM.

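As an added example (not code from the thread), the two checks kubicle describes, written in Python: a TCP probe that reports "open" when a listener completes the handshake, "refused" when the host answers with a reset (nothing listening, or a REJECT rule; this is telnet's "Connection refused") and "filtered" when nothing comes back before the timeout (the usual DROP behaviour), plus a small parser that pulls the LISTEN rows and the owning program out of `netstat -tuanp` output. The netstat text is a constructed sample in that layout, not real output, and the function names are this example's own.

```python
"""Tell 'nothing is listening' apart from 'a firewall is dropping', and find
which process owns a listening port in netstat output.
Added example, not from the thread; the netstat sample below is constructed."""
import socket
from typing import Dict, List, Tuple


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port as seen from the connecting side.

    'open'     - handshake completed: a process is listening
    'refused'  - the host answered with RST: reachable, but no listener
                 (or a firewall REJECT rule); telnet prints "Connection refused"
    'filtered' - no reply before the timeout: a DROP rule, or no path at all
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"


def start_listener(host: str = "127.0.0.1", port: int = 0) -> Tuple[socket.socket, int]:
    """Open a throwaway listening socket (port 0 = let the kernel pick one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


# Constructed sample in the layout of `sudo netstat -tuanp` (not real output).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN      2345/ktorrent
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1012/cupsd
tcp        0      0 192.168.1.140:45210     93.184.216.34:443       ESTABLISHED 2870/firefox
tcp6       0      0 :::60000                :::*                    LISTEN      2345/ktorrent
udp        0      0 0.0.0.0:68              0.0.0.0:*                           880/dhclient
"""


def listening_sockets(netstat_text: str) -> List[Dict[str, object]]:
    """Return the LISTEN rows (TCP only; UDP rows have no State column)."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)          # handles both 0.0.0.0:80 and :::80
        prog = parts[6].split("/", 1)[1] if "/" in parts[6] else "(unknown, run as root)"
        rows.append({"proto": parts[0], "addr": addr, "port": int(port), "program": prog})
    return rows


def who_listens_on(netstat_text: str, port: int) -> List[str]:
    """Programs holding a listening socket on `port`, de-duplicated across v4/v6."""
    return sorted({r["program"] for r in listening_sockets(netstat_text) if r["port"] == port})


if __name__ == "__main__":
    srv, port = start_listener()
    print(f"listener on {port}:", probe_tcp("127.0.0.1", port))   # open
    srv.close()
    print(f"after close  {port}:", probe_tcp("127.0.0.1", port))   # refused
    print("port 60000 owned by:", who_listens_on(SAMPLE_NETSTAT, 60000))
```

Run against the thread's situation, "refused" from localhost with ufw disabled points at the application, not the firewall: the port only reads "open" once something is in LISTEN on it, and a remote checker would report "filtered" rather than "refused" if a DROP rule were in the way.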


                        #12
                        I think some clarification is in order here.

                        When discussing topics like firewalls and rules and such, it's very important to use complete and precise language. Consider the following:

                        Originally posted by Xplorer4x4 View Post
                        What do I require that a router doesn't offer? I think that has been made more than obvious...per application based control. Correct me if I am wrong, but with a router, port 80 would need to be open at all times correct? So all an application has to do, malicious or otherwise, is request access on port 80 to get through.
                        This is actually not enough information to make a security assessment, because:
                        • we don't know which direction you're concerned about
                        • we don't know what you're thinking when you say "request access on port 80" -- is the connection coming from source port 80, or going to destination port 80?

                        An Internet connection is a five-tuple that defines transport protocol, source IP address, source port, destination IP address, and destination port. The notation is {protocol from=source-IP:source-port to=dest-IP:dest-port} and I will use this format in the ensuing discussion.

                        When a client behind a NAT router makes an outbound request to a web server on the Internet, the client establishes a connection using an ephemeral port on the client (a port number between 32768 and 61000 on Linux by default). You don't need to open any holes in the router because the router will dynamically create a rule pair with the following characteristics:
                        • OUTBOUND {TCP from=client-IP:client-port to=server-IP:80}
                        • INBOUND {TCP from=server-IP:80 to=client-IP:client-port}

                        The first rule permits outbound traffic from the client to the web server. The second rule permits reply traffic from the web server to the client. The router tracks the session, and when it times out (no traffic on the socket after a while), the router deletes the rule pair.

                        Static rules are required in firewalls and NAT routers when a host behind the router/firewall needs to accept incoming connections. Imagine that you're running a web server, and it's listening on the standard port 80/tcp. You would define a rule pair with these characteristics:
                        • INBOUND {TCP from=any:any to=server-IP:80}
                        • OUTBOUND {TCP from=server-IP:80 to=any:any}

                        If this were the only rule pair on the firewall, then any traffic not matching the rule will be dropped. If your web server's IP is 2.3.4.5 and it's listening on port 80/tcp, a datagram addressed to 55.66.77.88:80/tcp would be discarded, because the destination address doesn't match what you defined in the rule. Similarly, a datagram addressed to 2.3.4.5:999/tcp would be discarded, because the destination port doesn't match what you defined in the rule.

                        If you had this rule pair, but you have no computers behind the firewall that match the rule, then the rule is absolutely useless, because there's nothing for the firewall to forward traffic to.

                        The notion of "open ports" on a host doesn't make sense. A host will establish a listening socket on a port when it needs to accept an inbound connection. A host will establish a transmitting socket on a port when it needs to create an outbound connection. The notion of an "open port" is meaningful on NAT routers and firewalls, inasmuch as the term means there exists a rule that specifically permits or denies traffic involving hosts listening on or connecting from that port.

                        Originally posted by Xplorer4x4 View Post
                        First for the question, is it possible to have UFW operate more like a windows firewall where it forces all applications to require my approval before allowing Internet access?
                        It's probably worth exploring in some detail how the Windows firewall works. (Much of the following is written in the first person plural, because I was working in the Trustworthy Computing group at Microsoft when these features were designed and implemented.)

                        On Windows XP, we designed the firewall to always permit outbound connections without asking permission. For a long time, people would debate this point, insisting that the firewall was policing outbound connections. I can assure you this was never the case.

                        When the Windows XP firewall raises a dialog, it's because the network stack has detected that an application is establishing a listening socket, awaiting incoming connections. The firewall is alerting you to this, and you have the opportunity to permit it or deny it.

                        We changed the firewall considerably in Windows Vista and 7. The default behavior is to perform the same way it did in Windows XP.

                        Additionally, you can create rules to permit or deny specific kinds of outbound connections. This is not a security feature but instead it is an administrative feature. What do I mean by that? Keep reading.

                        Outbound application control, made popular by host firewalls like Zone Alarm, provides a feeling of being secure without actually improving the security of a system or reducing its infection risk. If you see a popup that says "Notepad.exe would like to connect to the Internet, do you wish to allow this?" you need to realize that your computer is already pwn3d! You've lost: malware successfully made it onto your computer, and now it's trying to do something. Better malware isn't so visible: it hijacks existing permitted sessions, or it just disables the host firewall. Outbound application control is pure security theater.

                        Administratively, though, it's useful. Imagine that an enterprise's security policy prohibits consumer-grade instant messengers. One way of accomplishing the policy is to configure outbound host firewall rules that, for example, deny corporate PCs from logging into Yahoo Messenger. This is the scenario we had in mind when we added this facility to the host firewall in Vista.
                        Last edited by SteveRiley; Jun 06, 2012, 01:59 AM.

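The five-tuple notation and the dynamic rule-pair behaviour Steve describes, carried through as a small stateful filter in Python. This is an added illustration, not code from the thread or from ufw/iptables; the class and method names, the "inside" network 192.168.1.0/24 and the web server address 192.168.1.10 are this example's own assumptions. It goes slightly beyond the post in making the outbound default policy a parameter, so the same filter can model a default-deny outbound setup.

```python
"""Toy stateful packet filter in the post's notation:
{proto from=src-IP:src-port to=dst-IP:dst-port}.
Added example; not code from the thread, ufw or iptables."""
from dataclasses import dataclass
import ipaddress

ANY = "any"  # wildcard in a rule pattern


@dataclass(frozen=True)
class Conn:
    proto: str
    src_ip: str
    src_port: object      # int in a packet, int or ANY in a rule
    dst_ip: str
    dst_port: object

    def fields(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse(self) -> "Conn":
        """The reply direction of this connection."""
        return Conn(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)

    def matches(self, pattern: "Conn") -> bool:
        """Every pattern field must be ANY or equal to the packet's field."""
        return all(p == ANY or p == v for p, v in zip(pattern.fields(), self.fields()))

    def __str__(self):
        return f"{{{self.proto} from={self.src_ip}:{self.src_port} to={self.dst_ip}:{self.dst_port}}}"


class StatefulFirewall:
    """Assumed model: hosts in `inside` sit behind the router/firewall."""

    def __init__(self, inside: str, idle_timeout: float = 300.0, default_outbound: str = "ALLOW"):
        self.inside = ipaddress.ip_network(inside)
        self.idle_timeout = idle_timeout          # seconds with no traffic before a pair is deleted
        self.default_outbound = default_outbound  # home routers: ALLOW; hardened networks: DROP
        self.static = []                          # list of (direction, pattern)
        self.sessions = {}                        # Conn -> last_seen timestamp

    def allow_inbound(self, proto: str, server_ip: str, server_port: int) -> None:
        """Static rule pair for a host that must accept incoming connections."""
        self.static.append(("INBOUND", Conn(proto, ANY, ANY, server_ip, server_port)))
        self.static.append(("OUTBOUND", Conn(proto, server_ip, server_port, ANY, ANY)))

    def direction(self, conn: Conn) -> str:
        return "OUTBOUND" if ipaddress.ip_address(conn.src_ip) in self.inside else "INBOUND"

    def _expire(self, now: float) -> None:
        for c in [c for c, seen in self.sessions.items() if now - seen > self.idle_timeout]:
            del self.sessions[c]

    def _track(self, conn: Conn, now: float) -> None:
        """Create/refresh the dynamic rule pair: the connection and its reply."""
        self.sessions[conn] = now
        self.sessions[conn.reverse()] = now

    def packet(self, conn: Conn, now: float) -> str:
        self._expire(now)
        if conn in self.sessions:                 # reply or continuation of a tracked session
            self._track(conn, now)
            return "ALLOW"
        direction = self.direction(conn)
        for rule_dir, pattern in self.static:     # static holes, e.g. the web server on 80/tcp
            if rule_dir == direction and conn.matches(pattern):
                self._track(conn, now)
                return "ALLOW"
        if direction == "OUTBOUND" and self.default_outbound == "ALLOW":
            self._track(conn, now)                # new outbound request creates the pair
            return "ALLOW"
        return "DROP"                             # unsolicited, or no rule: silently discarded


if __name__ == "__main__":
    fw = StatefulFirewall(inside="192.168.1.0/24", idle_timeout=60)
    fw.allow_inbound("TCP", "192.168.1.10", 80)
    client = Conn("TCP", "192.168.1.140", 40001, "93.184.216.34", 80)
    for t, c in [(0, client), (1, client.reverse()),
                 (2, Conn("TCP", "203.0.113.7", 51515, "192.168.1.10", 80)),
                 (2, Conn("TCP", "203.0.113.7", 51515, "192.168.1.11", 80)),
                 (200, client.reverse())]:
        print(f"t={t:>3} {fw.direction(c):8} {c} -> {fw.packet(c, now=t)}")
```

The demo reproduces each case from the post: the client's outbound request to a web server creates the pair, the server's reply rides on it, an unsolicited inbound packet to the client is dropped, a packet to the one address the static rule names is allowed while the same port on a neighbouring address or the wrong port on the right address is dropped, and the reply is dropped again once the session has idled past the timeout.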


                          #13
                          Originally posted by kubicle View Post
                          "Connection refused" generally means there is no process listening on the target port for incoming connections, not that the connection is blocked by a firewall.

                          Firewalls usually, in their default configuration, DROP packets (resulting in timed out connection attempts) rather than sending a REJECT reply (connection refused).

                          EDIT: you can inspect currently running services that listen for incoming connections with (for example):
                          Code:
                          sudo netstat -tuanp
                          State=LISTEN means the process is a network service listening on a specified port.
                          kTorrent was open and listening on the port. I made sure of that. I actually was editing my last post and got distracted. I ended up getting it working. I *think* it came down to needing to restart ufw. Thanks for the tip though. Always

                          Originally posted by SteveRiley View Post
                          I think some clarification is in order here.

                          This is actually not enough information to make a security assessment, because:
                          <snip>
                          You pick my lesser detailed post and then mount a soapbox over it? I could have sworn in a previous post before that, I stated I wanted FULL control over the network. I would think that would be pretty clear.

                          It's probably worth exploring in some detail how the Windows firewall works. (Much of the following is written in the second person, because I was working in the Trustworthy Computing group at Microsoft when these features were designed and implemented.)
                          I never said *THE* windows firewall. I said *A* windows firewall as in the later mentioned Zone Alarm or other third party firewall. In particular I was thinking of a far better product in Comodo Security. I realize I was vague, and I realize this is nitpicking a bit. Annoying though isn't it?


                          Outbound application control, made popular by host firewalls like Zone Alarm, provides a feeling of being secure without actually improving the security of a system or reducing its infection risk. If you see a popup that says "Notepad.exe would like to connect to the Internet, do you wish to allow this?" you need to realize that your computer is already pwn3d! You've lost: malware successfully made it onto your computer, and now it's trying to do something. Better malware isn't so visible: it hijacks existing permitted sessions, or it just disables the host firewall. Outbound application control is pure security theater.
                          Well of course they do not reduce the risk of infection. A firewall, by definition, is about controlling network access. It is not about protecting your system from infection. That was why I had Nod32 running real time scans while Malwarebytes did daily scans just in case something slipped through the cracks.



                            #14
                            You come here with a problem statement that didn't have enough detail, and when we ask for more information, you chastise us for not answering the question? Then when we take the opportunity to add additional background information for the benefit of all members, you presume to divine our intent with language like "soapbox" and "annoying nitpicking"? I realize you're new here, but you aren't getting off to a very good start.



                              #15
                              Steve that's the best, and most succinct, explanation of an IP packet transfer that I've ever read -- very nice job!
