Irtsgbr

One word riddle: Vowel in the middle

Time travel alters history but people keep saying nothing's changed

Is a "Democratic" Oligarchy-Style System Possible?

For what reasons would an animal species NOT cross a *horizontal* land bridge?

Why can Shazam fly?

Output the Arecibo Message

Why hard-Brexiteers don't insist on a hard border to prevent illegal immigration after Brexit?

How to support a colleague who finds meetings extremely tiring?

Falsification in Math vs Science

Why did Acorn's A3000 have red function keys?

Is "plugging out" electronic devices an American expression?

Does a dangling wire really electrocute me if I'm standing in water?

Does the shape of a die affect the probability of a number being rolled?

Have you ever entered Singapore using a different passport or name?

Can a flute soloist sit?

Why isn't the circumferential light around the M87 black hole's event horizon symmetric?

Lightning Grid - Columns and Rows?

Is an up-to-date browser secure on an out-of-date OS?

Why do UK politicians seemingly ignore opinion polls on Brexit?

What is the closest word meaning "respect for time / mindful"

When should I buy a clipper card after flying to OAK?

The difference between dialogue marks

Are spiders unable to hurt humans, especially very small spiders?

What does ひと匙 mean in this manga and has it been used colloquially?

Standard ports for web server

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

I'm using Hetzner for a server which only needs 80/443 and 22 accessible to the outside world. When I use the Hetzner firewall template, it also adds:

• protocol icmp, which I think is for ping


• ports 32768-65535 are open with a tcp flag of 'ack'

AWS seems to close down everything, including ping.

• Is there any reason to have ports 32768-65535 open and what does 'ack' mean ?


• Should protocol icmp be disallowed?

The Nginx server is running https and 80 is redirected to 443. Is it best practice to leave 80 open and redirecting to 443, in case traffic comes in on 80, or should 80 also be closed?

firewall hetzner

share|improve this question

asked 13 hours ago

ardochhighardochhigh

1221112

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  For tcp ack on Hetzner it's right there on their homepage: wiki.hetzner.de/index.php/Robot_Firewall/… including an example.
  
  – Lenniey
  13 hours ago
  
  

  
  
  
  

add a comment | 

1

I'm using Hetzner for a server which only needs 80/443 and 22 accessible to the outside world. When I use the Hetzner firewall template, it also adds:

• protocol icmp, which I think is for ping


• ports 32768-65535 are open with a tcp flag of 'ack'

AWS seems to close down everything, including ping.

• Is there any reason to have ports 32768-65535 open and what does 'ack' mean ?


• Should protocol icmp be disallowed?

The Nginx server is running https and 80 is redirected to 443. Is it best practice to leave 80 open and redirecting to 443, in case traffic comes in on 80, or should 80 also be closed?

firewall hetzner

share|improve this question

asked 13 hours ago

ardochhighardochhigh

1221112

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  For tcp ack on Hetzner it's right there on their homepage: wiki.hetzner.de/index.php/Robot_Firewall/… including an example.
  
  – Lenniey
  13 hours ago
  
  

  
  
  
  

add a comment | 

I'm using Hetzner for a server which only needs 80/443 and 22 accessible to the outside world. When I use the Hetzner firewall template, it also adds:

• protocol icmp, which I think is for ping


• ports 32768-65535 are open with a tcp flag of 'ack'

AWS seems to close down everything, including ping.

• Is there any reason to have ports 32768-65535 open and what does 'ack' mean ?


• Should protocol icmp be disallowed?

The Nginx server is running https and 80 is redirected to 443. Is it best practice to leave 80 open and redirecting to 443, in case traffic comes in on 80, or should 80 also be closed?

firewall hetzner

share|improve this question

asked 13 hours ago

ardochhighardochhigh

1221112

share|improve this question

asked 13 hours ago

ardochhighardochhigh

1221112

share|improve this question

asked 13 hours ago

ardochhighardochhigh

1221112

asked 13 hours ago

ardochhighardochhigh

1221112

asked 13 hours ago

ardochhighardochhigh

1221112

1 Answer
1

active

oldest

votes

4

Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.

There is a website dedicated to argue that ICMP should not be blocked.

ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.

These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.

share|improve this answer

answered 13 hours ago

Henrik PingelHenrik Pingel

4,60021530

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962412%2fstandard-ports-for-web-server%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

4

Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.

There is a website dedicated to argue that ICMP should not be blocked.

ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.

These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.

share|improve this answer

answered 13 hours ago

Henrik PingelHenrik Pingel

4,60021530

add a comment | 

4

Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.

There is a website dedicated to argue that ICMP should not be blocked.

ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.

These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.

share|improve this answer

answered 13 hours ago

Henrik PingelHenrik Pingel

4,60021530

add a comment | 

Port 80: Port 80 needs to be open so that the Nginx can redirect to port 443. If you block port 80 clients trying to connect via http will time out.

There is a website dedicated to argue that ICMP should not be blocked.

ACK is the last step in the three-way handshake TCP uses to establish a connection. The port range 32768-65535 is for ephemeral ports. So that firewall rule should not be touched.

These rules look different from AWS security group rules because AWS security group rule are set for inbound or outbound traffic.

share|improve this answer

answered 13 hours ago

Henrik PingelHenrik Pingel

4,60021530

share|improve this answer

answered 13 hours ago

Henrik PingelHenrik Pingel

4,60021530

answered 13 hours ago

Henrik PingelHenrik Pingel

4,60021530

answered 13 hours ago

Henrik PingelHenrik Pingel

4,60021530