block ports permanently

Discussion in 'other firewalls' started by ajap, Aug 23, 2009.

  1. ajap
    Hi all, could someone tell me which incoming or outgoing ports should always be blocked and the corresponding protocol?

    thanks for the help
     
  2. Manny Carvalho
    You should block any port that you aren't using.
     
  3. G1111
  4. cqpreson
    Many ports can be closed.

    For example,
    If you are not a LAN user, ports 135 and 137-139 can be closed, because they are used by NetBIOS in a LAN. And ports 67-68 can be closed, because they are used by DHCP in a LAN ;) .
     
  5. ajap
    Thanks all for the replies, I'm going to be more explicit.
    I asked that because Ghostwall has a big hole in the output protection and I want to be protected as much as possible. On the other hand, is Seconfig XP the outgoing ports protection of the Windows firewall? If that's true, then I would like to uninstall Ghostwall and install Seconfig XP to use it with the Windows firewall. What do you think of that? Will I be better protected that way?
    regards
     
  6. cqpreson
    In my mind, Windows Firewall doesn't have outgoing ports protection. It only limits applications' outbound traffic.

    The Ghostwall firewall can be set with many rules. So maybe the Ghostwall firewall with a good network rule setting is enough.
     
  7. Joeythedude
    Seconfig XP is a third-party tool to close some ports and shut down some Windows services that have been exploited by malware in the past.

    I posted questions about it here before.
    I don't use it because I don't understand it.

    As far as I could tell, Windows FW in XP SP2 and onwards closed most of the ports involved.
    I used a list from Blackspear (google it) to stop other MS services.
    Again, AFAIK it covered the same areas as Seconfig XP.

    The benefit of this is:
    1) If, say, I can't print, I can at least google Blackspear again and see what printing-related services I've stopped.
    2) If my system doesn't work in some other way, I don't have loads of extra security programs to check.

    I know it's only one extra program and is probably fine, but I've found that this approach works for me.
     
  8. ajap
    Hi cqpreson, can you help me define those rules? Or can you at least tell me the protocols (incoming/outgoing/both, TCP/UDP/etc.) and the remote/local ports, and I write the rules?
    Thanks in advance.
    Thanks for the reply, Joeythedude.
     
  9. cqpreson
    Hi ajap, here is some information about rules.

    Direction         Protocol  LocalPort  RemotePort  Service
    outbound/inbound  UDP       137-139    137-139     NetBIOS
    outbound/inbound  UDP       all        1900        UPnP
    outbound/inbound  UDP       all        445         LAN Printing Share
    outbound/inbound  UDP       67-68      67-68       DHCP

    The ports above are used in a LAN. If you are on ADSL, you could stop the service or close those ports :) .


    Regards
    cqpreson
     
  10. Bensec
    Hello,
    Blocking the port used by a certain risky service that you don't use is enough, or you have ~1000 ports to block.
    Firewalls often come with pre-defined rules concerning port and IP address. Normally, just enabling and disabling these rules is enough. (If yours does have them, why not try another FW?)
     
  11. ajap
    Hi Bensec, cqpreson, I'm using a cable modem connection and the Ghostwall firewall. I use it because it is very light (1.65 MB disk space and up to 2 MB running; I'm short of memory, 256 MB RAM) and it's doing a good job for me, but it hasn't got outbound rules; I want to define them to be protected as much as possible.

    thanks in advance
     
  12. Seer
    You can create outbound rules to block unneeded outbound comms in Ghostwall (or almost any firewall) very easily. But why would you want to block this with a firewall? I was always of the opinion that it is better to disable OS features you don't use than to block their network connections while they are still running unnecessarily (eating other h/w resources, for instance).

    You can do this manually, but the suggested Seconfig and many similar tools will do that too. Caution though, as you would need to know exactly what you are doing and why.

    This showed how to block LAN, UPnP and DHCP. However, it is up to the OP to decide whether he/she needs to block them or not.

    I wonder why you say this. o_O
     
  13. ajap
    Hi Seer, thank you for the reply.
    Are you telling me it's better to use Seconfig than to define outbound block rules? OK, that could be better, but which Windows features should I disable?
    And does Seconfig run once, or what?

    regards
     
  14. Seer
    It makes more sense to me to stop the service than to filter it.

    Seconfig and such are pretty much safe as you can revert whatever changes you made if something breaks. But I cannot possibly remote-advise on what should be disabled on your specific system. Example: UPnP, yes, perhaps this should be off, but you would then need to know how to manually port-forward for server apps. LAN as well, but you would have to know how to re-enable it if the need comes. With DHCP disabled, you would need to fix your subnet and gateway IPs. So whatever you plan to change, have some read on it first.
     
  15. ajap
    Hi Seer, it seems that it should be done by an expert, and I am not one.
    At first sight I think it's better for me to filter ports. I already have some rules to block them.
    If you want to see the rules, let me know.
    Thanks for your help.
     
  16. Seer
    By all means, if you are uncertain about your rules, post screenshots, then I (and others) will comment.
     
  17. ajap
    Last edited: Aug 27, 2009
  18. PROROOTECT
  19. Seer
    Too many rules imo.
    Why the need to block these?

    UDP 88 - Kerberos server authentication
    TCP/UDP 389 - Active Directory for LAN servers
    TCP 53 - name lookups between servers
    TCP 512/514 - remote client

    They are not opened on a default Windows installation, so if you are not on a LAN that provides these services, delete the rules.

    There are ports opened though, by default, locally and remotely, that you may wish to block:

    UDP 1900 remote - UPnP, automatically opens ports on a gateway for server apps
    TCP 135 local - RPC end-point mapper, communicates with RPC clients in a server (LAN) environment.

    You can always use a tool such as TCPview to check what is still listening on your system and create rules accordingly.
     
  20. ajap
    Hi Seer, I'm on a home network. I took those rules from the internet, a web page of naty indicating how to configure the Kerio firewall and what should be blocked.
    I downloaded tcpview and I'm giving it a look
    regards
     
  21. Seer
    Exactly how many PCs are on this network? Do you use file-sharing? Any remote printers?

    Could you please provide a link so I can take a look at these recommendations?

    ~Removed Quote and Seer's Comment about the Quote as per Policy - Seer is not at fault, Poster was~
     
    Last edited by a moderator: Aug 27, 2009
  22. ajap
  23. Searching_ _ _
  24. Seer
    This is a very old link dealing with Win98 and Win2000 networking. Almost all of the vulnerabilities that existed back then (various worms used these ports) are patched by now in WinXP, so you really do not need the blocking rules I already quoted in my post #19.

    Here you need to block only things running but not used in your PC config. As you are on a home LAN with a single PC behind the gateway/router, these are the only ports I would recommend to filter:

    NetBIOS (ports 137, 138, 139), this will also stop Remote Registry
    SMB for file-sharing (port 445), stops also Remote Access
    telnet (port 23, if you feel the need to block, OK, but not really necessary)

    Since you are not on a server-based LAN, I would also recommend to block local TCP port 135. It is not of security concern since it is a local comm, but why have unneeded comms running anyway?

    If you wish, you can also block UPnP (remote TCP 5000) and SSDP discovery (remote UDP 1900), but note that you will have to do a manual port-forward for any server app you use (torrent, eMule).

    Searching_ _ _,

    your first link is useful, in general, to know which ports/protocols are used by which services. But it is far from explaining what should be blocked in the OP's case. More like it adds more to the confusion.

    The second link deals with inbound filtering based on TTL (Time-to-live). Since the OP is using Ghostwall, which is a stateless firewall, and as such does not look in TCP headers beyond IP and port numbers, even if this thread is about inbound filtering, discussing TTL would be pointless.

    Cheers all,
     
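Seer's advice in posts #19 and #24 is to check what is actually still listening (TCPview, or `netstat -an`) and write rules only for that. As an added example that is not part of the thread, this Python script parses Windows `netstat -an` output (a constructed sample is embedded) and tags each open port with the thread's own recommendation; the service table and its wording are assumptions paraphrased from the posts, and any port not in the table is flagged for manual review rather than guessed.

```python
import re
# Service table drawn from the thread's own posts (#9, #19, #24), keyed by (proto, port).
# The advice column paraphrases Seer's recommendation for a single home PC behind a router.
KNOWN = {
    ("tcp", 135): ("RPC end-point mapper", "local comm only; block if not on a server LAN"),
    ("udp", 137): ("NetBIOS name service", "block unless file-sharing with other PCs"),
    ("udp", 138): ("NetBIOS datagram", "block unless file-sharing with other PCs"),
    ("tcp", 139): ("NetBIOS session", "block unless file-sharing with other PCs"),
    ("tcp", 445): ("SMB file-sharing", "block unless file-sharing or remote printers"),
    ("udp", 1900): ("SSDP discovery", "block if you can port-forward manually"),
    ("tcp", 5000): ("UPnP", "block if you can port-forward manually"),
    ("udp", 68): ("DHCP client", "keep if the router assigns your IP"),
}

# One Windows 'netstat -an' row: proto, local addr:port, foreign addr[:port], optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listening_sockets(netstat_text):
    """Sorted (proto, port) pairs that accept traffic: TCP in LISTENING state, any bound UDP."""
    found = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line or unparseable row
        proto, port, state = m.group(1).lower(), int(m.group(3)), m.group(4)
        if proto == "udp" or state == "LISTENING":
            found.add((proto, port))
    return sorted(found)

def audit(netstat_text):
    """Annotate every open socket with the thread's advice; unknown ports are flagged for review."""
    unknown = ("unknown", "find the owning process with TCPview before writing a rule")
    report = []
    for proto, port in listening_sockets(netstat_text):
        name, advice = KNOWN.get((proto, port), unknown)
        report.append({"proto": proto, "port": port, "service": name, "advice": advice})
    return report

# Constructed sample of 'netstat -an' output for a home PC (not a real capture).
SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
  UDP    192.168.1.5:137        *:*
  UDP    0.0.0.0:68             *:*
"""
```

Run `audit(SAMPLE)` (or feed it the real `netstat -an` text) and write one block rule per row whose advice says "block"; the ESTABLISHED row is an outgoing connection, not a listener, so it is ignored.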
  25. ajap
    I'm more confused than before, so I will do the following:
    I will add three outbound block rules: SMB for file-sharing (port 445), UPnP (remote TCP 5000) and SSDP discovery (remote UDP 1900).
    For incoming protocols, I'm not worried because I know they are protected.

    Another thing that I have thought of is to write rules that only allow outgoing protocols for my trusted processes and block the rest. I will use TCPview to do it.

    Thank you very much to all of you for helping me.
    Best regards
     