
I'm using Hetzner for a server which only needs 80/443 and 22 accessible to the outside world. When I use the Hetzner firewall template, it also adds:

  • protocol icmp, which I think is for ping
  • ports 32768-65535 are open with a tcp flag of 'ack'

AWS seems to close down everything, including ping.

  • Is there any reason to have ports 32768-65535 open, and what does 'ack' mean?
  • Should protocol icmp be disallowed?

The Nginx server is running https and 80 is redirected to 443. Is it best practice to leave 80 open and redirecting to 443, in case traffic comes in on 80, or should 80 also be closed?

[Screenshot of ports]

port5432
    For tcp ack on Hetzner it's right there on their homepage: https://wiki.hetzner.de/index.php/Robot_Firewall/en#Out-going_TCP_connections including an example. – Lenniey Apr 10 '19 at 12:36

1 Answer


Port 80: Port 80 needs to be open so that Nginx can redirect to port 443. If you block port 80, clients trying to connect via http will time out.

There is a website dedicated to arguing that ICMP should not be blocked.

ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.

These rules look different from AWS security group rules because AWS security group rules are set for inbound or outbound traffic.

Henrik Pingel
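To make the ephemeral-port question concrete, here is a small stateless packet-filter model (an added example, not code from Hetzner, the asker or the answerer) that encodes the rule set the question describes: 22, 80 and 443 open, ICMP allowed, and 32768-65535 open only for TCP packets carrying the ACK flag. It compares that rule set against one with the ephemeral-port entry removed, so you can see which packets each one admits. The `Packet`/`Rule` classes and the assumption that a flag rule means "this flag must be set" are mine; the real firewall's matching semantics are described in the Hetzner documentation linked in the comments.

```python
"""Stateless packet-filter model of the rule set discussed above.

Added example; not Hetzner's or the poster's code. It assumes a rule with a
TCP flag requirement matches only packets that carry that flag, and that any
packet matching no rule is dropped (the default-deny the question describes).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dport: int = 0                   # destination port; unused for icmp
    flags: frozenset = frozenset()   # TCP flags set on the packet, e.g. {"syn"}


@dataclass(frozen=True)
class Rule:
    proto: str
    port_lo: int = 0
    port_hi: int = 65535
    need_flags: frozenset = frozenset()  # every listed flag must be present

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.proto == "icmp":          # ICMP has no ports; protocol match is enough
            return True
        if not (self.port_lo <= pkt.dport <= self.port_hi):
            return False
        return self.need_flags <= pkt.flags


def accepts(rules, pkt: Packet) -> bool:
    """Accept if any rule matches; otherwise the implicit final rule drops."""
    return any(r.matches(pkt) for r in rules)


# Rule set as the question describes the Hetzner template (constructed here).
HETZNER_LIKE = [
    Rule("tcp", 22, 22),
    Rule("tcp", 80, 80),
    Rule("tcp", 443, 443),
    Rule("icmp"),
    Rule("tcp", 32768, 65535, frozenset({"ack"})),
]

# The same rules with the ephemeral-port entry removed.
NO_EPHEMERAL = [r for r in HETZNER_LIKE if r.port_lo != 32768]


def outbound_reply_accepted(rules, local_port: int) -> bool:
    """Does the filter let in the SYN-ACK for a connection the server opened?

    A stateless filter cannot remember the outbound SYN, so the reply (sent to
    the ephemeral local port the kernel chose) has to be admitted by a rule.
    """
    reply = Packet("tcp", dport=local_port, flags=frozenset({"syn", "ack"}))
    return accepts(rules, reply)


def demo() -> dict:
    """Evaluate a few constructed packets against both rule sets.

    Returns {description: (accepted_by_hetzner_like, accepted_without_ephemeral)}.
    """
    cases = {
        "https client SYN": Packet("tcp", 443, frozenset({"syn"})),
        "ssh client SYN": Packet("tcp", 22, frozenset({"syn"})),
        "ping request": Packet("icmp"),
        "SYN to unrelated port 5432": Packet("tcp", 5432, frozenset({"syn"})),
        "SYN to port 40000": Packet("tcp", 40000, frozenset({"syn"})),
        "SYN-ACK reply to port 40000": Packet("tcp", 40000, frozenset({"syn", "ack"})),
    }
    return {name: (accepts(HETZNER_LIKE, p), accepts(NO_EPHEMERAL, p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (with_eph, without_eph) in demo().items():
        print(f"{name:30s} hetzner-like={with_eph!s:5s} without-ephemeral={without_eph}")
```

The point the model makes: a new connection attempt (SYN only) to a high port is dropped by both rule sets, so the 32768-65535 entry does not expose listening services; what it admits is the ACK-bearing reply traffic for connections the server itself initiated (package updates, DNS over TCP, outbound API calls), which a stateless filter has no other way to recognise. Remove that rule and `outbound_reply_accepted` returns `False`: the server can still serve 80/443/22 but cannot complete its own outbound TCP connections.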