
I am trying to give better security to my Raspberry server. When I installed UFW, I allowed just port 80/tcp and my own high port for SSH communication, and by default all other ports are "deny".

Then I scanned my server with nmap, and I found out that every UDP port is open. I don't know if I must close these ports, and if UDP ports are dangerous to me.

I just want to provide Web server and SSH.

Could I leave UDP ports open or not?

Why has UFW not closed UDP ports at default settings if they are dangerous like TCP?

Is it enough if I block just INCOMING connections?


2 Answers

10/udp open|filtered unknown

In NMAP lingo:

"open" means that a service appears to be running on the port.

"closed" means that the port appears to be unused.

"filtered" means that traffic to the port appears to be being filtered out by a firewall.

For regular TCP scans NMAP can distinguish between all these states because the TCP implementation in the operating system will always respond to a connection attempt either positively or negatively.

For UDP scans the OS will respond to packets sent to closed ports but for open ports the OS will simply pass the packet to the application silently. The application may or may not respond.

So for UDP scans NMAP can't tell the difference between a port that was filtered by the firewall and a port where the packet was delivered to the application but the application didn't respond. Therefore it reports lack of response as "open|filtered".

But i do not understand why nmap response "closed" on rule which is "allow" (in the udp port)

Because the packet makes it through the firewall but is rejected by the UDP implementation as no service is listening on that port.

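To make the answer's reasoning concrete, here is an added model (not code from the answer or from nmap) that follows a UDP probe through a ufw rule and then the kernel, and classifies the outcome with nmap's documented UDP state rules. It assumes ufw `allow`/`deny`/`reject` map to iptables ACCEPT/DROP/REJECT and that REJECT uses the iptables default ICMP port-unreachable; the `Host` class and the scenarios are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# nmap's documented UDP state rules (nmap man page, "UDP scan"):
#   UDP reply                       -> open
#   ICMP type 3 code 3              -> closed
#   ICMP type 3 code 0,1,2,9,10,13  -> filtered
#   no response after retries       -> open|filtered

@dataclass
class Host:
    """Constructed model of the Raspberry Pi: one ufw rule and an optional service."""
    rule: Optional[str] = None      # 'allow', 'deny', 'reject' or None (use the default policy)
    default_incoming: str = "deny"  # ufw's default incoming policy, as in the question
    listening: bool = False         # is any process bound to the probed UDP port?
    replies: bool = False           # does that process answer an empty/unknown datagram?

def host_response(h: Host) -> Optional[tuple]:
    """Return ('udp',), ('icmp', type, code) or None: the probe passes ufw, then the kernel."""
    action = h.rule or h.default_incoming
    if action == "deny":            # ufw deny == iptables DROP: silently discarded
        return None
    if action == "reject":          # ufw reject == iptables REJECT; assumed to use the
        return ("icmp", 3, 3)       # iptables default reject-with, icmp-port-unreachable
    # 'allow': the datagram reaches the UDP stack
    if not h.listening:
        return ("icmp", 3, 3)       # kernel answers unbound ports with port unreachable
    return ("udp",) if h.replies else None  # bound port: the application decides

def nmap_udp_state(resp: Optional[tuple]) -> str:
    """Apply nmap's UDP classification to the observed response."""
    if resp is None:
        return "open|filtered"
    if resp[0] == "udp":
        return "open"
    _, icmp_type, code = resp
    if icmp_type == 3 and code == 3:
        return "closed"
    if icmp_type == 3 and code in (0, 1, 2, 9, 10, 13):
        return "filtered"
    return "open|filtered"          # anything else: no usable answer

def scan(h: Host) -> str:
    return nmap_udp_state(host_response(h))

if __name__ == "__main__":
    scenarios = [
        ("no rule, nothing listening", Host()),
        ("allow 10/udp, nothing listening", Host(rule="allow")),
        ("allow 10/udp, silent service", Host(rule="allow", listening=True)),
        ("allow 10/udp, replying service", Host(rule="allow", listening=True, replies=True)),
        ("reject 10/udp", Host(rule="reject")),
    ]
    for label, h in scenarios:
        print(f"{label:34} -> {scan(h)}")
```

The second scenario is exactly the commenter's case: the `allow` rule lets the probe reach the kernel, and with nothing bound to the port the kernel's ICMP port-unreachable is what nmap reports as `closed`.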

The way that nmap works, it will report UDP ports as open, but they might not be.

If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.

source

So, chances are that the ports are properly blocked. Your server just isn't sending any packets back to the scanner.

  • Thanks for the answer. And why, when my UFW has no rule for UDP port 10, does nmap say that the port is "open|filtered", but when I set the firewall's rule for UDP 10 to allow, my nmap says that the port is closed? But the rule in UFW on the Raspberry is "allow" for this port ... Why does nmap say closed? – S3jp4kCZE Nov 16 '18 at 20:27
  • Just like the quote says, with no firewall rule and no service running, your server will simply not respond, resulting in `open|filtered`. With a firewall rule, the firewall responds saying that it is closed, so nmap reports `closed`. – schroeder Nov 16 '18 at 20:33
  • I understand that when I set some firewall rule on a UDP port, nmap gets a response from this port because the firewall on the server is using the port. So I expect that when I set "allow port" => nmap tells me "the port is open", or when I set "deny" => nmap says "the port is closed", and when I do not set any rule nmap says "open|filtered" because no service uses this port. But I do not understand why nmap responds "closed" for a rule which is "allow" (on the UDP port); I expect that the answer "closed" comes only with a "deny" rule. – S3jp4kCZE Nov 16 '18 at 20:50
  • Do you have a service running on that port? – schroeder Nov 16 '18 at 20:56
  • No, I don't have any service on that port. – S3jp4kCZE Nov 16 '18 at 21:07