
I recently set up the ufw firewall on a Linux machine so that outgoing connections are allowed, incoming connections are denied, and denied connections are logged. This seems to work fine for most cases, but I see many denied connections that are incoming on port 443 (many with IPs associated with Facebook).

I can open that port to incoming connections, but first wanted to ask what these could be. Shouldn't HTTPS requests be initiated by me and be treated as outbound, not inbound connections? Is it typical to open incoming port 443 on consumer firewalls?

An example log entry:

[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=66.220.151.87 DST=192.168.1.32 LEN=473 TOS=0x00 PREC=0x00 TTL=83 ID=59450 DF PROTO=TCP SPT=443 DPT=58530 WINDOW=33 RES=0x00 ACK PSH URGP=0
  • Could you provide an example log entry? It is likely that these are connections from 443 in response to your outgoing connections rather than incoming to 443.
    – Paul
    Commented Jul 4, 2012 at 4:57
  • @Paul: Added. HTTPS in general works, so it's not that everything 443-related fails. It's just these occasional blocks that come up in the logs.
    – jrdioko
    Commented Jul 5, 2012 at 22:26

1 Answer


The packets you are seeing are response packets:

PROTO=TCP SPT=443 DPT=58530

Note the SPT (source port) is 443. When you are accessing a remote HTTPS site, you are sending packets with a DPT (destination port) of 443; any replies you get from that site will originate from their IP and from source port 443.

By far and away the most common reason for seeing these packets is after you close a session to the remote site, and your firewall observes this and clears the session from its table of active connections. Sometimes, due to timing, or poor implementation of TCP at the remote end, or duplicate packets, or load balancers sending the same reply, you can get extra packets for a session after the close sequence has completed.

Your firewall doesn't have an active session for these packets to match any more, and so they are dropped, and logged as you are seeing them.

They can be safely ignored. Do not adjust your firewall to permit these packets, as it opens unnecessary holes in your security.

  • Interesting, thanks. Now if only I could find a way to have ufw not log these particular blocks so I only see UFW logcheck emails when something actually unexpected is blocked...
    – jrdioko
    Commented Jul 5, 2012 at 22:49
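The distinction the answer draws (a late packet for a session the firewall has already forgotten, versus a genuine attempt to open a connection to you) is visible in the log line itself: a stray reply has ACK set without SYN and comes from a service port to one of your ephemeral ports, whereas a real inbound attempt is a bare SYN aimed at a service port on your machine. The following added example (not the answerer's code or part of ufw) parses "[UFW BLOCK]" lines and labels them that way, which is also the filter the comment above was looking for. It assumes the default Linux ephemeral port range starting at 32768 (net.ipv4.ip_local_port_range) and treats ports below 1024 as service ports; those are heuristics, not anything ufw knows. The first sample line is the one from the question; the other two are constructed, using the 203.0.113.0/24 documentation range.

```python
"""Classify "[UFW BLOCK]" log lines as stray replies to our own outbound
connections versus genuine inbound connection attempts.
Added example; not part of the original answer or of ufw."""
import re
from collections import Counter

# Constructed sample: the question's own log entry plus two made-up lines
# (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_LOG = """\
[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=66.220.151.87 DST=192.168.1.32 LEN=473 TOS=0x00 PREC=0x00 TTL=83 ID=59450 DF PROTO=TCP SPT=443 DPT=58530 WINDOW=33 RES=0x00 ACK PSH URGP=0
[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=203.0.113.5 DST=192.168.1.32 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=wlan0 OUT= MAC=XXX SRC=203.0.113.9 DST=192.168.1.32 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# key=value fields of the netfilter LOG format; TCP flags appear as bare words.
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
# Assumption: default Linux ephemeral range (net.ipv4.ip_local_port_range) starts here.
EPHEMERAL_LOW = 32768
# Assumption: ports below 1024 are service ports (443, 22, ...).
SERVICE_PORT_MAX = 1023


def parse_ufw_line(line):
    """Return the key=value fields of a UFW BLOCK line plus FLAGS (set of TCP flag words),
    or None if the line is not a UFW BLOCK entry."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = set(body.split()) & TCP_FLAGS
    return fields


def classify(fields):
    """Label one parsed block.

    stray-reply:     ACK set, no SYN, from a service port to one of our ephemeral
                     ports: the late packet for an already-closed session.
    inbound-attempt: bare SYN aimed at us: a real attempt to open a connection.
    other:           anything else (non-TCP, RST-only, malformed), left for review.
    """
    if fields is None or fields.get("PROTO") != "TCP":
        return "other"
    flags = fields["FLAGS"]
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-attempt"
    if ("ACK" in flags and "SYN" not in flags
            and spt <= SERVICE_PORT_MAX and dpt >= EPHEMERAL_LOW):
        return "stray-reply"
    return "other"


def triage(log_text):
    """Return (Counter of labels, list of lines that are not stray replies)."""
    counts = Counter()
    interesting = []
    for line in log_text.splitlines():
        label = classify(parse_ufw_line(line))
        counts[label] += 1
        if label != "stray-reply":
            interesting.append(line)
    return counts, interesting


if __name__ == "__main__":
    counts, interesting = triage(SAMPLE_LOG)
    print(dict(counts))
    for line in interesting:
        print("REVIEW:", line)
```

Run it over the lines from your system log and only the entries that are not labelled stray-reply need a human look; in the sample, the question's packet is filed as a stray reply while the two constructed SYNs to ports 22 and 443 are flagged for review. The heuristic deliberately does not widen any rule: it only decides what to report, which is the safe way to quieten the logs without opening port 443 inbound as the answer warns against.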
