What incoming TCP and UDP connections are permitted, by the default firewall policy of Fedora Workstation, and Fedora Server?
I am interested in the current version, Fedora 28.
Look at the default zone definitions in /usr/lib/firewalld/zones/, and cross-reference them against /usr/lib/firewalld/services/.
FedoraWorkstation.xml:

Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.

```xml
<service name="dhcpv6-client"/> <!-- udp 546 from fe80::/64 only -->
<service name="ssh"/> <!-- tcp 22 -->
<service name="samba-client"/> <!-- udp 137,138, plus nf_conntrack_netbios_ns -->
<port protocol="udp" port="1025-65535"/>
<port protocol="tcp" port="1025-65535"/>
```
FedoraServer.xml:

For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

```xml
<service name="ssh"/> <!-- tcp 22 -->
<service name="dhcpv6-client"/> <!-- udp 546 from fe80::/64 only -->
<service name="cockpit"/> <!-- tcp 9090 -->
```
("cockpit" is a web server listening on TCP port 9090. It uses HTTPS and password authentication; SSH with SSH key authentication is available as an alternative.)
This is slightly confusing when you look at the package. The package includes a patch to enable MDNS by default, but it does not touch either of these files. Nevertheless, MDNS will be allowed on Fedora Workstation. The standard MDNS port is 5353, which is in the "high ports" that Fedora Workstation allows (1025-65535).
The MDNS patch pre-dates FedoraWorkstation.xml and FedoraServer.xml in Fedora 21 (2014-12-09). This was the first release of Fedora to be split into Workstation and Server editions. In Fedora 20, the default zone definition was public.xml, and it allowed MDNS.
Fedora 21 and its Workstation firewall -- LWN.net, 2014-12-17

firewalld package sources, Fedora 28 branch: https://src.fedoraproject.org/rpms/firewalld/tree/f28
Date: Mon, 6 Aug 2012 10:01:09 +0200
Subject: [PATCH] Make MDNS work in all but the most restrictive zones

MDNS is a discovery protocol, and much like DNS or DHCP should
be available for the network to function as expected.

Avahi (the main MDNS implementation) has taken steps to make sure
no private information is published by default.

See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
/usr/lib/firewalld/zones
– Michael Hampton May 24 '19 at 17:21