As a learning process, I'm trying to secure my home server. I've done all
of the 'normal' stuff - it's running only those things it needs, it's
behind a reasonably tight firewall, etc.
The firewall port-forwards certain requests: www, imap, vtun (corporate
VPN), rsync, smtp.
The firewall currently allows all outgoing connections; I'd like to change
that and limit the outgoing connections the server can make. Since the
server should never be used by a real person to initiate connections to
the outside except for regular maintenance, all connections should be
known.
So... what does it need to do its job?
DNS - UDP 53.
ICMP - which ones?
ntp - UDP 123/TCP 123.
passive ftp??? - (How does clamav get its updates?)
http - same as above, plus yum/apt-get, limit to specific hosts in
yum.conf
Any others? Since this server is live, I really don't want to disrupt
services too much.
From past experience, icmp is the big headache. I've not found a good
reference to tell me which ones to block and which ones to let through.
Any good recent references? My copy of 'Building internet firewalls' is
pretty dated these days....
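One way to turn the list above into an enforceable egress policy, as an added example that is not part of the original post or any reply: a POSIX shell script that generates an nftables ruleset with a default-drop output chain and explicit allows for DNS, NTP, HTTP/HTTPS to named mirrors, an FTP control channel with the conntrack helper (so passive data channels pass as "related"), and the ICMP types the server itself needs to originate. ICMP errors the server receives (destination unreachable, time exceeded) match existing flows and are admitted by the established/related rule, which is what makes the ICMP question tractable. All addresses are constructed placeholders from the RFC 5737 documentation ranges, the `egress` table name and the `RESOLVERS`/`NTP_HOSTS`/`REPO_HOSTS`/`FTP_HOSTS` variables are this example's own choices, and freshclam (clamav's updater) fetches over HTTP, so the FTP rules are only there for whatever else uses passive FTP.

```shell
#!/bin/sh
# Added example (not from the original post): emit an nftables egress ruleset
# for a server that should only open the outbound connections listed in the
# post. Check it with:  nft -c -f egress.nft   and apply with:  nft -f egress.nft
# The FTP helper requires the nf_conntrack_ftp kernel module.

# Constructed placeholder addresses (assumptions); override via the environment.
RESOLVERS="${RESOLVERS:-192.0.2.53, 192.0.2.54}"
NTP_HOSTS="${NTP_HOSTS:-198.51.100.123}"
REPO_HOSTS="${REPO_HOSTS:-203.0.113.10, 203.0.113.11}"
FTP_HOSTS="${FTP_HOSTS:-203.0.113.21}"

# Print the complete ruleset to stdout.
egress_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
add table inet egress
flush table inet egress
table inet egress {
    set resolvers  { type ipv4_addr; elements = { $RESOLVERS } }
    set ntp_hosts  { type ipv4_addr; elements = { $NTP_HOSTS } }
    set repo_hosts { type ipv4_addr; elements = { $REPO_HOSTS } }
    set ftp_hosts  { type ipv4_addr; elements = { $FTP_HOSTS } }

    # conntrack helper so passive-FTP data channels are seen as "related"
    ct helper ftp-std {
        type "ftp" protocol tcp
        l3proto ip
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        # replies to the inbound services (www, imap, smtp, rsync, vtun) and
        # helper-tracked data channels are all established/related, so the
        # forwarded services need no outbound rules of their own
        ct state established,related accept
        ct state invalid drop

        # DNS: UDP and TCP 53 (large answers fall back to TCP), resolvers only
        ip daddr @resolvers udp dport 53 accept
        ip daddr @resolvers tcp dport 53 accept

        # NTP
        ip daddr @ntp_hosts udp dport 123 accept

        # package updates and freshclam over HTTP/HTTPS, mirrors only
        ip daddr @repo_hosts tcp dport { 80, 443 } accept

        # FTP control channel; the helper admits the passive data channel
        ip daddr @ftp_hosts tcp dport 21 ct state new ct helper set "ftp-std"
        ip daddr @ftp_hosts tcp dport 21 accept

        # ICMP the server must originate (probes, and errors it generates for
        # peers); errors it receives are related to existing flows
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept

        # everything else: rate-limited log so missing rules show up, then drop
        limit rate 5/second log prefix "egress-drop: "
        counter drop
    }
}
EOF
}

# Count the accept rules in the generated text, so a line lost from the
# template is noticed before the ruleset is loaded.
accept_rule_count() {
    egress_ruleset | grep -c ' accept$'
}

# Usage: sh egress.sh egress.nft   (writes the file; no argument = do nothing)
if [ "$#" -gt 0 ]; then
    egress_ruleset > "$1"
    echo "wrote $1; verify with: nft -c -f $1"
fi
```

Load it on the live server only after `nft -c -f` passes, and watch the kernel log for `egress-drop:` entries for a day or two: each one is either a service you forgot (add a rule) or a connection the server should not be making, which is exactly what the default-drop policy is there to surface.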