
blocking ports for inbound connections


stemy

Programmer
Aug 25, 2001
39
IL
My firewall alerts me that I am constantly being attacked through various local ports. I already blocked some of them, but I am afraid to block too many because maybe one of them is handling legitimate connections. When I look at that big "ports assignment" table that many sites offer, I only see vague descriptions like 1947-hlserver, 2460-ms-theater or 2890-CSPCLMULTI. Are these names of applications? How should I know what to block and what not to?
 
Think about what you need access to. Internet access, for example, is 80-http; FTP access 21-ftp; SMTP 25-smtp. Just a few examples. (Do you get the naming convention of ports now? If not, it's the port number and the protocol name.)
What you should typically do is close everything, then open the ports you need. What kind of access do you or your company need to the internet?

PS - For your reading pleasure: IANA's official list of port names/numbers.
 
If you are running a workstation, then there is probably no reason to allow incoming connections to any ports. If you are running a server, then you only need to open ports for the services that you wish to run, such as 25 for SMTP, 110 for POP, 143 for IMAP, 80 for HTTP, 443 for HTTPS. If you are doing Windows networking, you may need to open 135 - 139, but be careful about where you allow connections from. You do not want to expose these ports to the Internet at large, and probably want to filter down to the local net.
pansophic
 
"You do not want to expose these ports to the Internet at large, and probably want to filter down to the local net."

Ports 135-139 should NEVER be open on an interface that faces the internet.
 
What type of firewall are you running?
If you are running proxy/application firewalls (such as Norton Pers. Firewall, ZoneAlarm, ...), then you sometimes might get these warnings because of returning traffic...
Stateful inspection firewalls (such as BlackICE, ...) remember the state of existing connections...

If you block all alerts, you might be blocking legitimate traffic if you don't know where the traffic is really coming from...
For example: was the inbound connection set up from outside to inside (initial SYN came in from the outside),
or is it part of traffic going out first (SYN came from inside, to outside)?

Also, when your client computer connects to a server, it will connect to the server port, but it will use a local random free port higher than 1024.
When your firewall alerts you, it presents you the port number. It tries to map the name of the application or protocol to the port... but in fact, it is a client port and not a server port, so it becomes confusing for the user.

My advice: use a stateful inspection firewall,
block ALL incoming traffic originating from the outside,
and only allow outbound traffic, only on the ports you need
(http tcp/80, http tcp/443, ftp tcp/21 udp/20, dns udp/32 should be enough to surf on the internet. If you want to send & receive mail: pop3 tcp/110, smtp tcp/25).

good luck

P
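The reasoning in the post above (track the direction of the initial SYN, let only replies to tracked connections back in, and notice that the "local port" in an alert on returning traffic is the client's ephemeral port, not a server port) can be shown with a small toy filter. This is an added example, not code from the original post or from any firewall product. The packet sequence, the port-name subset and the addresses are constructed for the demonstration; the outbound allow list follows the post's advice, with DNS on its IANA-registered port udp/53. Running the same sequence with `stateful=False` reproduces the spurious alert a firewall without connection tracking raises on the server's SYN-ACK.

```python
"""Toy stateful packet filter (added example, not from the original thread)."""
from dataclasses import dataclass

# Constructed subset of the IANA service names a personal firewall might print.
PORT_NAMES = {80: "http", 443: "https", 53: "domain", 139: "netbios-ssn",
              1947: "hlserver", 2460: "ms-theater"}

# Outbound destination ports a workstation is allowed to open (assumed policy).
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 25),
                    ("tcp", 110), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (from this host) or "in" (towards this host)
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


class StatefulFilter:
    def __init__(self, stateful=True, allowed_outbound=ALLOWED_OUTBOUND):
        self.stateful = stateful
        self.allowed_outbound = set(allowed_outbound)
        self.conns = set()   # (proto, local_ip, local_port, remote_ip, remote_port)
        self.alerts = []

    def _key(self, p):
        """Normalise a packet to a (local, remote) tuple so both directions match."""
        if p.direction == "out":
            return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def handle(self, p):
        key = self._key(p)
        if p.direction == "out":
            if key in self.conns:
                return "allow"          # continuing a connection we started
            if p.proto == "tcp" and not p.syn:
                return "drop"           # mid-stream packet for an unknown connection
            if (p.proto, p.dst_port) in self.allowed_outbound:
                self.conns.add(key)     # remember it so the reply can come back in
                return "allow"
            return "drop"
        # Inbound: only replies to tracked connections are legitimate.
        if self.stateful and key in self.conns:
            return "allow"
        # Unsolicited (or untracked, in stateless mode). The alert names the LOCAL
        # port; for a reply to our own request that is the client's ephemeral port,
        # so the IANA name attached to it means nothing.
        name = PORT_NAMES.get(p.dst_port, "unknown")
        self.alerts.append(f"blocked inbound {p.proto}/{p.dst_port} ({name}) from {p.src_ip}")
        return "drop"


def run_scenario(stateful=True):
    """Replay a constructed packet sequence; returns (decisions, alerts)."""
    fw = StatefulFilter(stateful=stateful)
    me, web, scanner, irc = "10.0.0.5", "93.184.216.34", "203.0.113.9", "198.51.100.7"
    packets = [
        # 1. browser opens a connection from ephemeral port 1947 to a web server
        Packet("out", "tcp", me, 1947, web, 80, syn=True),
        # 2. the server's SYN-ACK comes back to that ephemeral port
        Packet("in", "tcp", web, 80, me, 1947),
        # 3. unsolicited probe of the NetBIOS session port from the Internet
        Packet("in", "tcp", scanner, 4444, me, 139, syn=True),
        # 4. outbound connection to a port not on the allow list
        Packet("out", "tcp", me, 1948, irc, 6667, syn=True),
    ]
    return [fw.handle(p) for p in packets], fw.alerts


if __name__ == "__main__":
    for mode in (True, False):
        decisions, alerts = run_scenario(stateful=mode)
        print("stateful" if mode else "stateless", decisions, alerts)
```

With connection tracking the only alert is the probe of port 139; without it the same run also reports "blocked inbound tcp/1947 (hlserver)", which is exactly the misleading alert the question asked about.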
 
The purpose of a firewall is to block unsolicited incoming connections. Your "attacks" are more likely simply probes.

People run programs that scan thousands of computers, probing for open ports. Your firewall is telling you of these probes and if configured correctly will be blocking them as well.

When you first run a firewall it starts asking whether to let programs access the outside world. These are your outgoing connections.

grc.com has 2 tools "Leak Test" and "shieldsup" for testing your security. These will give you an idea how secure you are.

The lists of ports are for programs, services, protocols for lots of different operating systems and not just Windows.
If you want to look up what a port is for, they are good.
There are ranges of ports, usually higher-numbered ones, which are not for any specific application. Internet Explorer, for example, grabs high ports for outgoing connections.

You can use a program like active ports for seeing what ports you have running internally.

The "local ip" column shows the interface that processes are active on.
0.0.0.0 and 127.0.0.1 are both internal interfaces.

hth
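The tool mentioned above shows which ports are open locally and on which interface. The same information is in `netstat -an` output, and a short parser makes the "local IP" column actionable. This is an added example, not from the original post or the tool it names; the netstat lines are constructed, in the Windows IPv4 layout, and the NetBIOS/SMB port set is an assumption taken from the earlier replies in this thread plus 445 (SMB over TCP). One point it relies on: 0.0.0.0 is the wildcard address, so a socket bound to it accepts connections on every interface, while 127.0.0.1 is reachable only from the machine itself.

```python
"""Find listening sockets and their exposure from netstat output (added example)."""
import re

# Constructed sample in the layout of Windows `netstat -an`.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1947          93.184.216.34:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# proto, local ip, local port, foreign address, optional state (IPv4 only).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Windows networking ports the earlier replies say must never face the Internet
# (135-139 from the thread; 445 added here as SMB over TCP).
NETBIOS_SMB = {135, 137, 138, 139, 445}


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local_ip, port, foreign, state = m.groups()
        sockets.append({"proto": proto.lower(), "local_ip": local_ip,
                        "port": int(port), "foreign": foreign, "state": state or ""})
    return sockets


def scope(local_ip):
    """Who can reach a socket bound to this local address."""
    if local_ip == "0.0.0.0":
        return "all interfaces"      # wildcard bind, including the Internet-facing NIC
    if local_ip.startswith("127."):
        return "loopback only"       # only processes on this machine
    return f"interface {local_ip}"   # one specific interface


def listeners(text):
    """Sockets that accept unsolicited input: TCP in LISTENING plus every UDP socket."""
    result = []
    for s in parse_netstat(text):
        if s["proto"] == "tcp" and s["state"] != "LISTENING":
            continue                 # ESTABLISHED etc. are connections, not listeners
        result.append((s["proto"], s["port"], scope(s["local_ip"])))
    return result


def exposed_netbios(text):
    """Windows-networking listeners that are not confined to loopback."""
    return [l for l in listeners(text)
            if l[1] in NETBIOS_SMB and l[2] != "loopback only"]


if __name__ == "__main__":
    for proto, port, where in listeners(NETSTAT_SAMPLE):
        print(f"{proto}/{port:<5} {where}")
    print("needs inbound filtering:", [p for _, p, _ in exposed_netbios(NETSTAT_SAMPLE)])
```

Anything the script lists under "all interfaces" or a non-loopback interface is what the firewall's inbound rules have to cover; the loopback-only entry on 1025 cannot be probed from outside at all.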
 
I'm with Peterve on this one.

Get a nice stateful hardware firewall and disable all your incoming connections; this will give you peace of mind.
 