How To Filter port 3389/tcp using PrivateFirewall rules/settings?

Discussion in 'other firewalls' started by chromicus, Oct 11, 2014.

  1. chromicus

    chromicus Guest

    I am running Windows XP on some ancient Dell Optiplex machine, and I use PrivateFirewall for securing my system and filtering ports with best results so far, at least as far as a beginner like myself can get. Still, there is one port that PrivateFirewall cannot filter, it is closed but not filtered, and I have no idea how to adjust settings in PrivateFirewall to include this port in my firewall configuration.

    The port I want to filter is port 3389/tcp aka IANA registered for Microsoft WBT Server, used for Windows Remote Desktop and Remote Assistance connections (RDP - Remote Desktop Protocol). All the other ports are filtered by PrivateFirewall which added during the installation process a nice and quite useful Privacyware Filter Driver to my network configuration. My ISP provider forces us, its clients, to use RASMAN service and the RASPPPOE protocol, and I suspect this to be the cause for my failure in filtering port 3389/tcp. I cannot disable rasman service or rasauto service because these services along with telephony service are needed for the internet connection to work.

    Is there a solution out there for me to be able to filter this port 3389/tcp? I don't run a server, I am just an average home user, and it is not imperative to find a solution to this problem but I don't mind learning new things especially when it comes to firewalls and network security which are topics way out of my league.
     
  2. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    You say it's closed but not filtered.
    I may be thick but why filter a closed port?
    I fail to see the need.
     
  3. chromicus

    chromicus Guest

    This is the result of a free security audit performed on speedguide.net where I learnt that ports which appear under category CLOSED "respond to SG security scan, however appear to be closed. This state offers medium security. It still reveals that your system is up, and might provide some additional fingerprinting information to potential intruders."

    SG Security Scan

    Scanning xx.xxx.xxx.xxx (xx.xxx.xxx.xxx):

    Not shown: 52 filtered ports, 31 open/filtered ports

    Closed ports: 3389/tcp closed ms-term-serv

    Total scanned ports: 84
    Open ports: 0
    Closed ports: 1
    Filtered ports: 83


    Previous to this scan I performed another scan on SG website without any firewall present on my system which revealed 1 open port (windows time service related), around 70 closed ports and only 6 filtered ports. To deal with that open port I simply stopped the service from Device Manager, and it didn't show as open any longer. It was closed because I stopped windows time service.

    After installing PrivateFirewall and adjusting settings for my home profile, most ports showed as filtered because PrivateFirewall claims to be able to filter ports ranging from, I don't know, 1024 to 65535. After that, SG security scan showed 83 filtered ports and only 1 closed port (port 3389/tcp). I was satisfied with this new and unexpected result but I had no idea why port 3389/tcp appeared as closed instead of filtered like the rest of the other ports, and why the firewall was unable to filter this particular port too.

    I posted a question in here hoping to find some answer or workaround to filter port 3389/tcp using PrivateFirewall or editing some system file. My question goes for other ports too that might appear in the future as closed or open, and not only for port 3389/tcp. How do I manually filter a specific port once I have a firewall present on my system ... that would be the question.
     
  4. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    I have not used PF in a while, but there must be a way to add a rule to filter a specific port.
    Are you behind a NAT router?
    Did you check the User Guide?
    http://www.privacyware.com/PF_User_Guide.pdf

    ---------------------------------------------------------------------------------------
    Application Rule Setting
    Privatefirewall provides the capability to manually add, remove, or modify rules for any installed application. Hackers can disguise a program as a known application resource to gain unauthorized access. Privatefirewall detects the resources within each application that hackers may specifically use and enables those resources to block any disguised resources or hack attempts. Right-click on any application within the Applications Page and the 'application pop-up' menu will appear (see left).

    Allow/Filter/Deny Traffic
    Internet Traffic related to any application can be adjusted by selecting 'Set all rules to Allow/Filter/Deny Traffic' from the application pop-up menu. The default setting for any set of rules related to an application is 'Filter Traffic'. However, these rules can be disabled by selecting either 'Allow' or 'Deny' Traffic. This may be appropriate when temporary access or restriction is desired. Additionally, the rules that were created for that application will remain in memory and will still be applied if 'Filter Traffic' is re-selected.

    Remove application
    The application can be removed from the Application List by selecting 'Remove Application' from the application pop-up menu.
    This option will remove any protection that was applied to the selected application.

    Add new application
    A new application can be manually added by selecting 'Add New Application' from the application pop-up menu. Once this is selected, the executable file that corresponds to the desired application must be selected. In addition, rules must be set manually for the application in order for Privatefirewall to apply any filtering or protection.

    Advanced Applications settings
    The Advanced Applications settings screen lists applications that have attempted to access the Internet or network through another trusted application. This is a method commonly used by hackers to attempt to gain unauthorized access.

    Restore default settings
    Restore Default Settings will restore all default applications to the Application List. The option only pertains to applications that are pre-loaded by Privatefirewall. The option will be grayed-out for all other applications.

    Customize Rules
    Application rules can be customized by selecting 'Customize Rules...' from the application pop-up menu. When selected, Privatefirewall lists the Program name, program executable file name, program version number, and a listing of rules for that application (see below). Rules can be added, removed, or modified by right-clicking on any rule.

    Move Order of Rule
    Using the Up and Down buttons will allow the order of the application rule to be prioritized and processed as desired.

    Navigating through listed Applications
    Navigation to the other listed Applications is possible by selecting the Prev(ious) or Next buttons.

    Remove application rule
    An application rule can be removed from the Application List by highlighting an application rule and selecting the Remove button.

    Add New or Modify Existing Application Rules
    The Add/Edit Application rule dialog provides various configuration options that enable even IP Address specific application level communication control. Using this feature, it is possible to permit application access to/from only certain IP addresses.
    Examples:
    1) Restricting ftp.exe: Remove both L and H zones. Check “Always use this rule for these remote IPs”. Add 192.168.1.1 IP address. In this way, ftp.exe will only be able to access the 192.168.1.1 IP address. All others will be blocked.
    2) Restricting RDP: From System services, select the Enabled rules for RDP. Remove the L and H zones. Check “Always use this rule for these remote IPs”. Add the IP Addresses for which connection to/from your computer should be allowed. For all other IPs, the RDP port will be completely stealth.
    In most cases where a custom rule is created for a particular type of activity/application/IP address, the H and L security levels would likely be unchecked, but there are scenarios where one might use a combination - for example, you might check the L security level to manage LAN communication one way while FTP access via specific IP address only - so here both the L security level and the Always use this rule for these remote IPs would be checked.

    Privatefirewall provides flexibility in how a rule might be applied:
    Use specified rule for -
    1) Any hosts in H zone if checked
    2) Any hosts in L zone if checked
    3) Listed IPs if checked

    Port-specific Application Control
    Port-specific rules can be defined for any Application by using the available port ranges and ports listed in the drop down fields or by manually typing single or multiple port numbers (i.e. either single port, like 101 or single range like 101-204).

    Unconditional Port Control
    - Create port-specific (or range) Deny Rule for System services (Applications, System services, Add new,...).
    - Remove any conflicting Allow rules for specific applications (they will override the System services port block).
    Current default Application rule logic works as follows:
    1) check application rules; if such rule exists (to deny or allow traffic) no further processing is performed;
    2) check System services application rules and exercise where application-specific rules do not conflict/take precedence.

    ---------------------------------------------------------------------------------------

    In your case, you have to select System Services I think.

    Hope this helps,
    François
     
  5. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
  6. chromicus

    chromicus Guest



    Thank you for your suggestions. You made me think, and I almost got a serious headache because of it :), but it proved to be productive in the end. You were totally right about changing firewall settings specifically for the System Services. I simply unchecked the RDP protocol which was present in my firewall configuration, and went to the SG website after that for another security scan.

    No more closed port after unchecking that nasty RDP service from firewall settings, all is fine now, I mean I have 84 out of 84 ports filtered, which is pretty much the same result I get when booting into Xubuntu 12.04.5, my other operating system installed on this machine.

    When using Linux, managing network security is definitely much easier and more reliable than when dealing with Windows. They have complete tutorials and tools for almost anything you need in Linux. Windows is tricky because it uses a lot of processes, and you can't always tell which one is essential and which one is not.

    So, to conclude, you were right to send me to the official PrivateFirewall User Guide to look for a solution for my problem in there. But getting an answer from a more experienced user is much better because reading a guide can be boring and confusing, whilst dealing with a living person can be very different, both creative and productive.

    Now I have to figure out how to mark your answer as the one I accept for my question in here, on Wilders forums. I hope I won't need to ask you again about this one too.

    Thanks again and my best regards to you
     
  7. chromicus

    chromicus Guest


    Ok, I got the general idea, someone who really knows what he's doing can track me or even harm my system no matter what, with or without my ports in "stealth" mode. I enjoyed reading the first article, the one from insanitybit.com, because it is followed by a dozen comments where the author is getting the finger for his "radical" views about how difficult it is to prevent an intrusion no matter if you have stealth or filtered ports or just closed ports. Still, the man has a point, and I believe he is right.

    But, coming back to my actual question, Fblais helped me find a working solution by suggesting to adjust some settings in my firewall configuration. I simply unchecked the RDP protocol thus allowing the firewall to filter all my ports after that, including the 3389/tcp port. No more closed ports on SG website security scan, all showed as filtered or, like they say in those forum threads, in stealth mode :).

    I also run Xubuntu on my machine but in there I never had such issues. Managing the firewall and securing the network and Internet connection was much easier. Windows is more tricky because I am still learning how to properly use a decent firewall for Windows, and which processes and apps to filter/block, and which ones to allow.

    Thanks for the tips, and believe me, I am not paranoid when it comes to network security, I am just trying to learn more about all this stuff because you never know when it may prove to be useful, maybe for securing some tiny server or a workstation and so on. And today I managed to get some useful info, and it only took a few hours to get it which is quite a record considering that I've been looking for a solution for my problem for about a week with no success until now.
     
    Last edited by a moderator: Oct 11, 2014
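
Added example, not part of any post in this thread: a minimal TCP connect check that reports the same three states as the SG scan output above (open, closed, filtered), so a rule change such as unchecking the RDP entry under System services can be re-verified against your own machine. The function names, the loopback self-check and the 2-second timeout are assumptions of this example.

```python
import socket


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port using the states shown in the scan report.

    open     - the handshake completed, so something is listening
    closed   - the host answered with a reset (connection refused)
    filtered - nothing came back before the timeout (packet dropped)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # An allow rule with no listener behind it produces this answer.
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        sock.close()


def demo_on_loopback():
    """Constructed self-check: one listening port and one just released."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # the OS picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens here any more

    try:
        return (probe_tcp("127.0.0.1", open_port),
                probe_tcp("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    print("loopback self-check:", demo_on_loopback())
    # 3389/tcp is the port discussed in the thread; this checks your own machine.
    print("3389/tcp:", probe_tcp("127.0.0.1", 3389))
```

Loopback traffic is often not subject to the same firewall rules as the external interface, so to see what an outside scanner sees, run `probe_tcp` from a second machine you own against the firewalled machine's address.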