Standard ports for web server The 2019 Stack Overflow Developer Survey Results Are InMSMQ Firewall PortsWhat ports should be left open on a web server?TCP/IP ports necessary for CIFS/SMB operationPorts used for Lync Edge serverForefront TMG 2010 RDP Connections without non-standard portsASA 5505 8.4 open ports for subnetWhich ports for IPSEC/LT2P?Outbound ports for a firewall for webserver and db serverTest port reachability from a remote host even though the port is not bound to a service?How do I block my server from performing port scans?

One word riddle: Vowel in the middle

Time travel alters history but people keep saying nothing's changed

Is a "Democratic" Oligarchy-Style System Possible?

For what reasons would an animal species NOT cross a *horizontal* land bridge?

Why can Shazam fly?

Output the Arecibo Message

Why hard-Brexiteers don't insist on a hard border to prevent illegal immigration after Brexit?

How to support a colleague who finds meetings extremely tiring?

Falsification in Math vs Science

Why did Acorn's A3000 have red function keys?

Is "plugging out" electronic devices an American expression?

Does a dangling wire really electrocute me if I'm standing in water?

Does the shape of a die affect the probability of a number being rolled?

Have you ever entered Singapore using a different passport or name?

Can a flute soloist sit?

Why isn't the circumferential light around the M87 black hole's event horizon symmetric?

Lightning Grid - Columns and Rows?

Is an up-to-date browser secure on an out-of-date OS?

Why do UK politicians seemingly ignore opinion polls on Brexit?

What is the closest word meaning "respect for time / mindful"

When should I buy a clipper card after flying to OAK?

The difference between dialogue marks

Are spiders unable to hurt humans, especially very small spiders?

What does ひと匙 mean in this manga and has it been used colloquially?



Standard ports for web server



The 2019 Stack Overflow Developer Survey Results Are InMSMQ Firewall PortsWhat ports should be left open on a web server?TCP/IP ports necessary for CIFS/SMB operationPorts used for Lync Edge serverForefront TMG 2010 RDP Connections without non-standard portsASA 5505 8.4 open ports for subnetWhich ports for IPSEC/LT2P?Outbound ports for a firewall for webserver and db serverTest port reachability from a remote host even though the port is not bound to a service?How do I block my server from performing port scans?



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








1















I'm using Hetzner for a server which only needs 80/443 and 22 accessible to the outside world. When I use the Hetzner firewall template, it also adds:



  • protocol icmp, which I think is for ping

  • ports 32768-65535 are open with a tcp flag of 'ack'

AWS seems to close down everything, including ping.



  • Is there any reason to have ports 32768-65535 open and what does 'ack' mean ?

  • Should protocol icmp be disallowed?

The Nginx server is running https and 80 is redirected to 443. Is it best practice to leave 80 open and redirecting to 443, in case traffic comes in on 80, or should 80 also be closed?



Screenshot of ports






firewall hetzner







share|improve this question

















  • 1





    For tcp ack on Hetzner it's right there on their homepage: wiki.hetzner.de/index.php/Robot_Firewall/… including an example.

    – Lenniey
    13 hours ago


















1















I'm using Hetzner for a server which only needs 80/443 and 22 accessible to the outside world. When I use the Hetzner firewall template, it also adds:



  • protocol icmp, which I think is for ping

  • ports 32768-65535 are open with a tcp flag of 'ack'

AWS seems to close down everything, including ping.



  • Is there any reason to have ports 32768-65535 open and what does 'ack' mean ?

  • Should protocol icmp be disallowed?

The Nginx server is running https and 80 is redirected to 443. Is it best practice to leave 80 open and redirecting to 443, in case traffic comes in on 80, or should 80 also be closed?



Screenshot of ports






firewall hetzner







share|improve this question

















  • 1





    For tcp ack on Hetzner it's right there on their homepage: wiki.hetzner.de/index.php/Robot_Firewall/… including an example.

    – Lenniey
    13 hours ago














1












1








1








I'm using Hetzner for a server which only needs 80/443 and 22 accessible to the outside world. When I use the Hetzner firewall template, it also adds:



  • protocol icmp, which I think is for ping

  • ports 32768-65535 are open with a tcp flag of 'ack'

AWS seems to close down everything, including ping.



  • Is there any reason to have ports 32768-65535 open and what does 'ack' mean ?

  • Should protocol icmp be disallowed?

The Nginx server is running https and 80 is redirected to 443. Is it best practice to leave 80 open and redirecting to 443, in case traffic comes in on 80, or should 80 also be closed?



Screenshot of ports






firewall hetzner







share|improve this question














I'm using Hetzner for a server which only needs 80/443 and 22 accessible to the outside world. When I use the Hetzner firewall template, it also adds:



  • protocol icmp, which I think is for ping

  • ports 32768-65535 are open with a tcp flag of 'ack'

AWS seems to close down everything, including ping.



  • Is there any reason to have ports 32768-65535 open and what does 'ack' mean ?

  • Should protocol icmp be disallowed?

The Nginx server is running https and 80 is redirected to 443. Is it best practice to leave 80 open and redirecting to 443, in case traffic comes in on 80, or should 80 also be closed?



Screenshot of ports






firewall hetzner




firewall hetzner






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 13 hours ago









ardochhighardochhigh

1221112




1221112







  • 1





    For tcp ack on Hetzner it's right there on their homepage: wiki.hetzner.de/index.php/Robot_Firewall/… including an example.

    – Lenniey
    13 hours ago













  • 1





    For tcp ack on Hetzner it's right there on their homepage: wiki.hetzner.de/index.php/Robot_Firewall/… including an example.

    – Lenniey
    13 hours ago








1




1





For tcp ack on Hetzner it's right there on their homepage: wiki.hetzner.de/index.php/Robot_Firewall/… including an example.

– Lenniey
13 hours ago






For tcp ack on Hetzner it's right there on their homepage: wiki.hetzner.de/index.php/Robot_Firewall/… including an example.

– Lenniey
13 hours ago











1 Answer
1






active

oldest

votes


















4














Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.



There is a website dedicated to argue that ICMP should not be blocked.



ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.



These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962412%2fstandard-ports-for-web-server%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    4














    Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.



    There is a website dedicated to argue that ICMP should not be blocked.



    ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.



    These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.






    share|improve this answer



























      4














      Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.



      There is a website dedicated to argue that ICMP should not be blocked.



      ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.



      These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.






      share|improve this answer

























        4












        4








        4







        Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.



        There is a website dedicated to argue that ICMP should not be blocked.



        ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.



        These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.






        share|improve this answer













        Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.



        There is a website dedicated to argue that ICMP should not be blocked.



        ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.



        These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 13 hours ago









        Henrik PingelHenrik Pingel

        4,60021530




        4,60021530



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962412%2fstandard-ports-for-web-server%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            How to make RAID controller rescan devices The 2019 Stack Overflow Developer Survey Results Are InLSI MegaRAID SAS 9261-8i: Disk isn't recognized after replacementHow to monitor the hard disk status behind Dell PERC H710 Raid Controller with CentOS 6?LSI MegaRAID - Recreate missing RAID 1 arrayext. 2-bay USB-Drive with RAID: btrfs RAID vs built-in RAIDInvalid SAS topologyDoes enabling JBOD mode on LSI based controllers affect existing logical disks/arrays?Why is there a shift between the WWN reported from the controller and the Linux system?Optimal RAID 6+0 Setup for 40+ 4TB DisksAccidental SAS cable removal

            Image
            Is "plugging out" electronic devices an American expression? Does a dangling wire really electrocute me if I'm standing in water? Adding labels to a table: columns and rows Spanish for "widget" Landlord wants to switch my lease to a "Land contract" to "get back at the city" Lethal sonic weapons On the insanity of kings as an argument against monarchy Is there a general name for the setup in which payoffs are not known exactly but players try to influence each other's perception of the payoffs? How long do I have to send my income tax payment to the IRS? Geography at the pixel level Can a zener diode with a higher power dissipation be used in place of the original one in an audio amplifier? How can I make payments on the Internet without leaving a money trail? What can other administrators access on my machine? Understanding the implication of what "well-defined" means for the operation in quotient group
            Read more

            Куамањотепек (Чилапа де Алварез) Садржај Становништво Види још Референце Спољашње везе Мени за навигацију17°19′47″N 99°1′51″W / 17.32972° СГШ; 99.03083° ЗГД / 17.32972; -99.0308317°19′47″N 99°1′51″W / 17.32972° СГШ; 99.03083° ЗГД / 17.32972; -99.030838877656„Instituto Nacional de Estadística y Geografía”„The GeoNames geographical database”Мексичка насељапроширитиуу

            Image
            Насеља у општини Чилапа де Алварез (Гереро) шп.МексикуГерероопштиниЧилапа де Алварезнадморској висини2010 (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003Eсакријu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="sr" dir="ltr"u003Eu003Cdiv class="noticebanner"u003Eu003Cdiv class="plainlinks" style="background-image: -moz-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: -o-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: -webkit-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: linear-gradient(to bottom, #fefefe, #fefefe, #f0f0f0);; -moz-border-radius: 10px; -webkit-border-rad
            Read more

            Can the Right Ascension and Argument of Perigee of a spacecraft's orbit keep varying by themselves with time? The 2019 Stack Overflow Developer Survey Results Are InHow is the altitude of a satellite defined, given that the Earth is not spherical?Why do satellites appear to move faster when overhead and slower closer to the horizon?For the mathematical relationship between J2 (km^5/s^2) and dimensionless J2 - which one is derived from the other?Why is Nodal precession affected by the rotational period of the planet?Why is it so difficult to predict the exact reentry location and time of a very low earth orbit object?Why are low earth orbit satellites not visible from the same place all the time?Perifocal coordinates and the orbit equationHow feasible is the Moonspike mission?What was the typical perigee after a shuttle de-orbit burn?I am having trouble calculating my classic orbital elements and am at a loss on where to lookAm I supposed to modify the gravitational constant with scale and why do fps & time scale changes cause my orbit to break?How Local time of a sun synchronous orbit is related to Right ascension of ascending node?What is wrong with my orbit sim equations? How can I fix them?How to obtain the initial positions and velocities of an inclined orbit?

            Image
            Why is this recursive code so slow? Button changing its text & action. Good or terrible? What do I do when my TA workload is more than expected? What is the most efficient way to store a numeric range? Why are there uneven bright areas in this photo of black hole? Why can't wing-mounted spoilers be used to steepen approaches? What aspect of planet earth must be changed to prevent the industrial revolution? Deal with toxic manager when you can't quit Single author papers against my advisor's will? Did any laptop computers have a built-in 5 1/4 inch floppy drive? How can I add encounters in the Lost Mine of Phandelver campaign without giving PCs too much XP? How many cones with angle theta can I pack into the unit sphere? Why did Peik say, "I'm not an animal"? How do I free up internal storage if I don't have any apps downloaded? How to read αἱμύλιος or when to aspirate Question on an engine pulling a train Why can't d
            Read more