Which INPUT/OUTPUT TCP ports need to be externally open for CWP to be accessible/working?
Chain INPUT (policy DROP) TCP NEW
ACCEPT 2031 (https access to CWP)
That leaves TCP ports 2030 (HTTP access to CWP), 2082, 2083, 2086, 2087, 2095, 2096 listening externally. Is that exposure really necessary, or can the list be further curtailed/mitigated?
+++
Chain OUTPUT (policy DROP) TCP NEW
ACCEPT 80 443
Is there any need for tcp ports 2030,2031,2082,2083,2086,2087,2095,2096 to initiate a NEW connection or can those ports not be removed?
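
An added example, not part of the original post: one way to check which listeners depend solely on the INPUT policy DROP for protection is to compare `ss -Htln` output against the allow-list. The port numbers come from the post; the bind addresses in the sample are constructed, and the function names are hypothetical.

```python
import ipaddress

# Allow-list from the post's INPUT chain (policy DROP, TCP NEW ACCEPT).
INPUT_ALLOWED = {2031}

# Constructed sample of `ss -Htln` output (not captured from a real CWP host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:2030 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2031 0.0.0.0:*
LISTEN 0 128 *:2083 *:*
LISTEN 0 128 [::]:2087 [::]:*
LISTEN 0 128 127.0.0.1:2095 0.0.0.0:*
LISTEN 0 128 [::1]:2096 [::]:*
"""

def is_loopback(addr):
    """True when the bind address is reachable only from the host itself."""
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if addr == "*":                        # ss prints * for a dual-stack wildcard
        return False
    return ipaddress.ip_address(addr).is_loopback

def audit(ss_output, allowed):
    """Classify each listening TCP port by bind scope and firewall allow-list."""
    report = {"allowed": set(), "firewall_only": set(), "loopback": set()}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        port = int(port)
        if is_loopback(addr):
            report["loopback"].add(port)
        elif port in allowed:
            report["allowed"].add(port)
        else:
            # Bound to a non-loopback address; only the DROP policy shields it.
            report["firewall_only"].add(port)
    # A port bound both locally and externally is reported as external only.
    report["loopback"] -= report["allowed"] | report["firewall_only"]
    return report

if __name__ == "__main__":
    for bucket, ports in audit(SAMPLE_SS, INPUT_ALLOWED).items():
        print(f"{bucket:14}", sorted(ports))
```

On a live host, pass the text of `ss -Htln` in place of `SAMPLE_SS`; ports reported as `firewall_only` are candidates for rebinding to loopback or disabling the service if it is unused.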