Hi there MDL. On Linux, I have ufw configured the most common way: incoming=deny, outgoing=allow. I want no ports to be open, in other words no services listening to the outside. But in the Gufw Report, I see:

Protocol: UDP Port: 68 Address: * Application: dhclient

Looks like dhclient is listening on port 68. Is this mandatory for the system to work (web browser), or how can I close this port? Linux Ubuntu Bionic, ufw.
You must keep it open if you use DHCP, otherwise you lose your internet connection (web browser.......). Port 68 is used to receive UDP packets from the DHCP server. If you don't use DHCP, simply remove dhclient. windsman.
Thanks windsman - in what circumstances wouldn't I need to use DHCP? I searched Synaptic for dhclient by name and description and found no such installed package. Maybe it's another daemon working, but I'm just interested in which.
I don't get that. What do you mean by 'outside'? The DHCP server that runs on the router assigns IP configuration dynamically to the clients of the LAN if enabled. Speaking of the WAN side: if your ISP assigns IP addresses dynamically, there might be UDP 68 communication from their DHCP server to assign your IP address dynamically. It makes no sense to disable / give up your DHCP server on the router and to remove the service on the client in favour of a static IP address. Your DHCP server / DHCP clients are related to the LAN. What is important is whether port 68 is open to a port scan from outside (WAN). To reach your client via UDP 68 from 'outside' you usually need to have port forwarding configured explicitly. Or am I mistaken?
Right, the ISP assigns a dynamic IP - this is what can be accessed from "outside". I'm leaving dhclient as it is then. My expertise is not enough to decipher the word "WAN". Thanks.
LAN = Local Area Network, WAN = Wide Area Network. LAN is usually your home network. WAN here means 'the internet' (or at least the network that belongs to the ISP). In other words: LAN is the network that's behind the router. There is NAT (Network Address Translation). Your client, for instance, has a different (local/private) IPv4 address than it has when seen from 'outside', namely the public IP address your ISP has assigned to you. On IPv6 the clients can have the same addresses, though (Global Scope Addresses for LAN and WAN).

You actually do not need to restrict any port within your LAN. You only have to secure your WiFi and keep your router OS up to date. Your clients within the LAN can communicate with a server within the LAN (local connections). It makes no sense to disable a useful service such as DHCP, especially on IPv4. On IPv6 there is an alternative, SLAAC (Stateless Address Autoconfiguration).

The important question is always: what is accessible from the internet, from outside, from the WAN side? A potential attack usually comes from 'outside'. There might be one situation where one needs static IP addresses within the LAN: you want to reach a client from outside (for instance via VPN). Therefore you need to know the local IP address (and the current public IP address / fixed internet address if configured). But here you can leave DHCP enabled, since most routers have the option: always use this (local) IP address anyway.
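The thread's recurring question is which of the listeners in the Gufw report actually matter. As an added example (not code from the thread or from ufw/Gufw), the script below parses output in the format of `ss -ulpn` on Ubuntu Bionic, treats loopback-bound sockets as local-only, recognises the DHCP client ports (UDP 68 for IPv4, UDP 546 for DHCPv6) as expected, and lists everything else bound to all addresses for review. The `ss` output embedded here is constructed, not captured from a real host.

```python
"""Audit UDP listeners from `ss -ulpn` output (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -ulpn` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
UNCONN  0       0       0.0.0.0:68           0.0.0.0:*      users:(("dhclient",pid=812,fd=6))
UNCONN  0       0       127.0.0.53%lo:53     0.0.0.0:*      users:(("systemd-resolved",pid=540,fd=12))
UNCONN  0       0       0.0.0.0:5353         0.0.0.0:*      users:(("avahi-daemon",pid=601,fd=12))
UNCONN  0       0       [::]:5353            [::]:*         users:(("avahi-daemon",pid=601,fd=14))
"""

# A DHCP client must keep these bound: 68 (IPv4 DHCP client), 546 (DHCPv6 client).
DHCP_CLIENT_PORTS = {68, 546}

# State, Recv-Q, Send-Q, local addr:port, peer, optional users:(("proc",...
LINE_RE = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')


@dataclass
class Listener:
    address: str
    port: int
    process: str


def parse_ss(text):
    """Turn `ss -ulpn` text into Listener records, skipping the header and junk."""
    listeners = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3) or "?"))
    return listeners


def is_loopback(addr):
    host = addr.split("%")[0].strip("[]")   # drop "%lo" scope and IPv6 brackets
    return host.startswith("127.") or host == "::1"


def classify(listeners):
    """Bucket listeners: local-only, expected DHCP client, or bound to all addresses."""
    report = {"local_only": [], "dhcp_client": [], "review": []}
    for l in listeners:
        if is_loopback(l.address):
            report["local_only"].append(l)
        elif l.port in DHCP_CLIENT_PORTS:
            report["dhcp_client"].append(l)
        else:
            report["review"].append(l)
    return report


if __name__ == "__main__":
    for bucket, items in classify(parse_ss(SAMPLE_SS_OUTPUT)).items():
        print(bucket, [(l.process, l.address, l.port) for l in items])
```

On a live host, feed `subprocess.run(["ss", "-ulpn"], capture_output=True, text=True).stdout` to `parse_ss` instead of the sample; the `review` bucket is what to check against the ufw default-deny policy.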