Ports

Most people have an intuitive understanding of ports that is basically correct. Ports are numbered endpoints (TCP or UDP, numbered 0 to 65535) on a computer through which communication from other computers arrives and from which information for other computers is sent out.

It is my impression that there is much imprecision throughout the Internet when talking about ports, specifically when describing ports as either open or closed. The problem with the terms open and closed is that they are too binary. A better choice of words would be "accessible by default" or "inaccessible (blocked) by default", which admittedly is a bit wordy. The reason for such a wordy expression is to emphasize that traffic can be allowed through a port that is blocked by default, and traffic to a port that is accessible by default can be blocked. Port scanners such as nmap actually report three states, which capture exactly this distinction: open (a program accepted the connection), closed (the host answered, but nothing is listening there) and filtered (no answer at all, usually because a firewall dropped the probe).

The most egregious misuse of language on the Internet is speaking of using a firewall to open ports. A firewall does not open or close a port. It either blocks or permits access to or from a port. That is, after all, what a "wall" is for. A port is opened by the server software that binds to it and listens on it; the firewall controls whether traffic may flow to and from it. So yes, the firewall settings are extremely important. There is no sense having the server listen on the relevant ports only to have the firewall block access to them.

Here is as good a place as any to address the important subject of testing for open ports. Since we are generally interested in knowing whether our port is reachable from the outside world, it makes sense to use an Internet-based tester. There are several choices available. One that I have found to be invariably accurate and very useful is yougetsignal.com.

If, like me, you prefer command-line tools, the problem gets a little more complicated because of 1) the confusion I referenced above, and 2) the need to be external to the machine you are testing. For example, it has been said that "sudo lsof -nP -iTCP -sTCP:LISTEN" lists open ports. I think this is wrong. That command only tells you which ports server software is listening on; it says nothing about whether a firewall blocks traffic to them. Similarly, "nmap domain.tld" is purported to show which ports are open, but it only gives a meaningful answer when run from a machine external to domain.tld. Run on the server itself, it tests the path from the host to itself, which does not necessarily traverse the same host-firewall rules as traffic arriving from the network (most rulesets accept everything on the loopback interface) and never traverses the router or perimeter firewall at all.
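The two views described above, what local inspection reports and what a network probe sees, can be put side by side in code. The following is an added example and not a script from the original page or from Emmes Technologies. It reads the Linux /proc/net/tcp tables to list listening ports (roughly what the lsof command above prints; it returns None on systems without /proc), and it classifies a TCP connect attempt into the three scanner states discussed above: open, closed or filtered. For the sake of a self-contained run it starts its own throwaway listener on the loopback interface and probes that; in real use you would call probe() from a separate machine, for exactly the reason given above, since a loopback probe exercises neither the host firewall's interface-specific rules nor any router in front of the server.

```python
# Added example (not from the original page): contrast a port a local process is
# LISTENING on (what lsof reports) with what a probe from the network sees,
# classified the way a port scanner does:
#   "open"     - something accepted the connection
#   "closed"   - the host answered with a RST, nothing listens there
#   "filtered" - no answer at all, typically a firewall dropping the probe
import os
import socket
import threading


def listening_tcp_ports():
    """Return the set of local TCP ports in LISTEN state from /proc/net/tcp
    and /proc/net/tcp6 (Linux only); None when those tables do not exist."""
    ports = set()
    found = False
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        if not os.path.exists(table):
            continue
        found = True
        with open(table) as f:
            next(f)  # skip the header line
            for line in f:
                fields = line.split()
                local_addr, state = fields[1], fields[3]
                if state == "0A":  # 0A = TCP_LISTEN
                    ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports if found else None


def probe(host, port, timeout=3.0):
    """Attempt a TCP connection and classify the outcome like a remote scanner."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"           # a listener accepted the handshake
    except ConnectionRefusedError:
        return "closed"         # host reachable, RST received, nothing listening
    except socket.timeout:
        return "filtered"       # no reply: packets dropped, usually by a firewall
    except OSError:
        return "unreachable"    # no route, network down, etc.
    finally:
        s.close()


def start_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port; accept in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener socket was closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Pick a port nothing listens on by binding an ephemeral one and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Constructed demonstration on loopback: return what each view reports."""
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    listening = listening_tcp_ports()
    result = {
        "open_port": open_port,
        "closed_port": closed_port,
        # the lsof-style local view (None when /proc/net/tcp is unavailable)
        "listener_visible_locally": None if listening is None else open_port in listening,
        # the network probe view
        "probe_open": probe("127.0.0.1", open_port),
        "probe_closed": probe("127.0.0.1", closed_port),
    }
    srv.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A port that shows up in listening_tcp_ports() but comes back "filtered" when probed from another machine is the case the page is describing: the server has opened it, and a firewall is blocking it.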

I have written a very simple bash script which gives me accurate reports on the main ports I am interested in, so long as I run it from a machine separate from the server I want to test. It is reproduced below and you are welcome to copy/paste it to your computer and use it. I call the script etportchk, and the command "etportchk" with the single argument, the server's internal IP, when run from a networked computer other than the server, seems to provide accurate information on open ports, agreeing with the information provided by the Internet tester referenced above. Note that because it connects to the internal IP from the local network, it exercises the server's own host firewall but not the router's port forwarding; an Internet-based tester is still needed to confirm that.

#!/usr/bin/env bash
# etportchk: probe the main TCP ports on a server from a different machine.
# Usage: etportchk <server-ip>
serverip=$1
if [[ -z $serverip ]]; then
    echo "Usage: $0 <server-ip>" >&2
    exit 1
fi
# Collect every IPv4 address on this host. The original "ifconfig | head -n 1"
# usually picked the loopback address, so the self-test below never fired.
localips=" $(ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1 | tr '\n' ' ') "
if [[ $serverip == 127.* || $localips == *" $serverip "* ]]; then
    echo "This command issued from the server itself will not provide the correct information!" >&2
    exit 1
fi
for port in 21 22 25 53 80 443 465 995; do
    # -z: connect without sending data; -w 3: give up after 3 seconds (a filtered port)
    nc -z -v -w 3 "$serverip" "$port"
done
