Web Hosting Talk
Which port setting is best for APF?


damainman
04-13-2004, 10:40 PM
I'm running a webhosting service with:

RHE+Cpanel, and running my own DNS.

1. TCP Ports

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,1040,2082,2083,2084,2086,2087,2095,2096"

or

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,993,995,2082,2083,2086,2087,2095,2096,30000_35000"

2. UDP Ports

IG_UDP_CPORTS="53"

or

IG_UDP_CPORTS="20,21,37,53,873"


Which one do you think would be necessary, and should any ports be added/removed?

Thank you in advance for your replies.

Steven
04-13-2004, 11:24 PM
I use:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,2082,2083,2084,2086,2087,2095,2096"
IG_UDP_CPORTS="53"

BigGorilla
04-14-2004, 01:30 PM
Originally posted by damainman
1. TCP Ports

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,1040,2082,2083,2084,2086,2087,2095,2096"

or

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,993,995,2082,2083,2086,2087,2095,2096,30000_35000"


If you are setting up a firewall, you should take the effort to go through the ports to learn what you are allowing and not allowing. I don't claim to be a security expert, but here's some info...

For example (with a couple additional to consider):
20 - ftp-data (I don't know of any reason you need to allow this as I believe this is always initiated outgoing)
21 - ftp
22 - ssh
25 - smtp mail
26 - smtp alternate port (enable if you enabled exim on port 26)
53 - dns (transfers required TCP)
80 - http
110 - pop3
143 - imap
443 - http ssl
465 - smtp ssl (enable if you want to allow secure smtp)
993 - imap ssl
995 - pop3 ssl
1040 - I'm not sure what you would have running on that port
2082 - cPanel
2083 - cPanel ssl
2084 - not sure what you would have there
2086 - whm
2087 - whm ssl
2095 - webmail
2096 - webmail ssl
30000_35000 - typical port range to allow PASV ftp access

Based on that, decide what you want to allow.

2. UDP Ports

IG_UDP_CPORTS="53"

or

IG_UDP_CPORTS="20,21,37,53,873"

You really only need port 53 open to allow DNS queries. 20, 21 (ftp) don't need to be open for FTP to work. 37 is time server, 873 is rsync (so only open along with TCP if you need to rsync from another machine, but I'd recommend against that... use rsync over SSH instead).

If you want incoming traceroutes to work, you need to open ports for that... something like:
IG_UDP_CPORTS="53,33434_33523"

Otherwise the last hop (your server) will never respond.

Make good use of the command "netstat -nlp" (as root for the "p" to work) to see what you have running on your server using what ports, and /etc/services to help you identify what each port is generally used for.
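
The cross-check described above, as an added example (not part of the original post or of APF itself): it parses APF-style IG_TCP_CPORTS/IG_UDP_CPORTS lists, including the "low_high" range syntax used for the PASV range, and marks each listening socket from a constructed netstat -nlp sample as allowed or blocked by the lists. The port lists and the netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed APF-style port lists (the second TCP option from the thread).
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,993,995,2082,2083,2086,2087,2095,2096,30000_35000"
IG_UDP_CPORTS="53"

# Constructed sample of "netstat -nlp" output: what the server is listening on.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22     0.0.0.0:*   LISTEN  812/sshd
tcp        0      0 0.0.0.0:25     0.0.0.0:*   LISTEN  900/exim
tcp        0      0 0.0.0.0:80     0.0.0.0:*   LISTEN  950/httpd
tcp        0      0 0.0.0.0:3306   0.0.0.0:*   LISTEN  700/mysqld
tcp        0      0 127.0.0.1:873  0.0.0.0:*   LISTEN  710/rsync
udp        0      0 0.0.0.0:53     0.0.0.0:*           640/named'

# port_allowed PORT LIST -> returns 0 if PORT is covered by the comma-separated
# LIST; an entry of the form low_high is treated as an inclusive range.
port_allowed() {
  port=$1
  for entry in $(printf '%s' "$2" | tr ',' ' '); do
    case $entry in
      *_*) lo=${entry%_*}; hi=${entry#*_}
           [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
      *)   [ "$port" -eq "$entry" ] && return 0 ;;
    esac
  done
  return 1
}

# report_listeners: reads netstat-style lines on stdin and prints one line per
# listening socket, marking whether the matching APF list covers its port.
report_listeners() {
  while read -r proto recvq sendq laddr rest; do
    port=${laddr##*:}                 # strip the address part, keep the port
    case $proto in
      tcp*) list=$IG_TCP_CPORTS ;;
      udp*) list=$IG_UDP_CPORTS ;;
      *)    continue ;;
    esac
    if port_allowed "$port" "$list"; then
      echo "$proto/$port allowed  (${rest##* })"
    else
      echo "$proto/$port BLOCKED  (${rest##* })"
    fi
  done
}

printf '%s\n' "$NETSTAT_SAMPLE" | report_listeners
```

A BLOCKED line for a service you expect to reach from outside means the list needs an entry; a BLOCKED line for something like mysqld or a localhost-only rsync is usually what you want.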

damainman
04-14-2004, 04:02 PM
Thank you both for your replies :) I really appreciate it. I had a list of every port, but misplaced it.

I really do appreciate you taking your time to answer my questions :)