Port open shows Gufw (dhclient), wanna close

Discussion in 'Linux' started by psi7, Jul 17, 2019.

  1. psi7

    psi7 MDL Novice

    Oct 19, 2018
    26
    2
    0
    Hi there MDL

    On Linux, I have ufw configurent most common way incoming=deny, outgoing=allow. I want that no ports are open, in other words no services are listening to outside.
    But in Gufw Report, I see:
    Code:
    Protocol: UDP Port: 68 Address: * Application: dhclient
    Looks like dhclient is listening to port 68. Is this mandatory for system to work (web browser), or how can i close this port?

    Linux Ubuntu Bionic
    Ufw
     
  2. windsman

    windsman MDL Expert

    Jan 11, 2010
    1,382
    1,145
    60
    You must keep-it open if you use DHCP otherwise you lost your internet connection (web browser.......), port 68 is used for receive udp packets on port 68.
    If you don't use DHCP, simply remove dhclient.

    windsman.
     
  3. psi7

    psi7 MDL Novice

    Oct 19, 2018
    26
    2
    0
    Thanks windsman - in what circumstances I wouldn't need to use DHCP?
    I searched Synaptic for dhclient by name and description and found no such installed packages. Maybe it's other daemon working, but just interesting, which.
     
  4. windsman

    windsman MDL Expert

    Jan 11, 2010
    1,382
    1,145
    60
  5. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,679
    11,752
    340
    #5 Yen, Jul 20, 2019
    Last edited: Jul 20, 2019

    I don't get that. What do you mean by 'outside'?
    The DHCP server that runs on the router assigns IP configuration dynamically to the clients of the LAN if enabled.

    Speaking of the WAN side: If your ISP assigns IP addresses dynamically there might be UDP 68 communications from their DHCP server to assign your IP address dynamically.

    It makes no sense to disable / give up your DHCP server on the router and to remove the service on the client using a static IP address. Your DHCP server / DHCP clients are related to LAN.

    Important is if port 68 is open to a portscan from outside. (WAN)

    To reach your client via UDP 68 from 'outside' you usually need to have port forwarding configured explicitly.

    Or am I mistaken?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    3,925
    4,378
    120
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. psi7

    psi7 MDL Novice

    Oct 19, 2018
    26
    2
    0
    Right that ISP assigns a dynamic IP - this is what can be accessed from "outside". I'm leaving dhclient as it is then.
    My expertise in not enough to decipher "WAN" word:hmm:.
    Thanks.
     
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,679
    11,752
    340
    #9 Yen, Jul 22, 2019
    Last edited: Jul 22, 2019
    LAN = Local Area Network
    WAN = Wide Area Network

    LAN is usually your home network. WAN here means 'the internet'. (Or at least the network that belongs to the ISP).

    Or in other words: LAN is the network that's behind the router.
    There is NAT (Network Address Translation). Your client for instance has another (local/private) IPv4 address as it has when being 'outside', namely the public IP address your ISP has assigned to you. On IPv6 the clients can have the same addresses, though. (Global Scope Addresses for LAN and WAN).

    You actually do not need to restrict any port within your LAN. You only have to secure your WIFI and you have your router OS being up to date.
    Your clients within LAN can communicate to a server within LAN (local connections). It makes no sense to disable a useful service such as DHCP, especially on IPv4. On IPv6 there is an alternative SLAAC (Stateless Address Autoconfiguration).

    The important question is always: What is accessible from the internet, from outside, from the WAN side. A potential attack usually comes from 'outside'.

    There might be one situation where one needs static IP addresses within the LAN:
    You want to reach a client from outside (For instance via VPN). Therefore you need to know the local IP address (and the current public IP address / fixed internet address if configured).

    But here you can leave DHCP enabled since most routers have the option: Always use this (local) IP address anyway.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...