Re: How to close the unnecessary Ports

From: Winged (Winged_at_nofollow.com)
Date: 10/02/05


Date: Sat, 01 Oct 2005 18:10:50 -0500

Nick wrote:
> Hi
>
> As there are over 65000 ports in the TCP/IP stack, which ones are the most
> necessary ports for a home user and how to close the rest of the ports? My PC
> is connected to internet via a router and a cable modem. I run ZA firewall
> and BHODemon 2.0 thanks to the help from Mr.Lipman. Here is a ports link I
> found online:
> http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
>
> Thanks in advance!
> Nick
>
>

There are two, (generally speaking) types of port ranges on your
computer. The server port range is generally considered ports below
1024. Most home users (generally) do not need to receive inbound
connections from the Internet over these ports unless they are hosting a
server.

The ephemeral ports 1024-65565 are considered (generally) response ports.

TCP/IPv4 connection consists of two endpoints, and each endpoint
consists of an IP address and a port number. Therefore, when a client
user connects to a server computer, an established connection can be
thought of as the 4-tuple of (server IP, server port, client IP, client
port). Usually three of the four are readily known -- client machine
uses its own IP address and when connecting to a remote service, the
server machine's IP address and service port number are required.

What is not immediately evident is that when a connection is established,
the client side of the connection also uses a port number. Unless a
client program explicitly requests a specific port number, the port
number used is an ephemeral port number. Ephemeral ports are temporary
ports assigned by a machine's IP stack, and are assigned from a
designated range of ports for this purpose. When the connection
terminates, the ephemeral port is available for reuse, although most IP
stacks won't reuse that port number until the entire pool of ephemeral
ports has been used. So, if the client program reconnects, it will be
assigned a different ephemeral port number for its side of the new
connection.

Similarly, for UDP/IP, when a datagram is sent by a client from an
unbound port number, an ephemeral port number is assigned automatically
so the receiving end can reply to the sender.

I assume you are referring to MS systems, as port restrictions on Nix systems
are pretty straightforward.

To restrict what ephemeral ports Windows will use to listen on:

http://support.microsoft.com/default.aspx?scid=kb;en-us;300083

The server ports typically should be completely blocked from Internet
exposure on most home systems. Additionally running services should be
reduced to a bare minimum of what is required on the system.

A good list of service definitions and what you need is here:

http://www.ss64.com/ntsyntax/services.html
http://inside.bard.edu/~winig/BlackViper.doc

A final step is needed. You should block all ports at your firewall that are
not required. Most home users will want to block all inbound connections
below 1024. Additionally you should only allow inbound connections to
those ports you set following the MS procedure above, and block other
communication.

Without knowing a bit more about your firewall choices or your explicit
requirements it is a bit difficult to provide precise guidance.

Hopefully you will find something here that has answered your question.

Winged
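Added example, not part of Winged's post or of any product mentioned in it: it makes the post's three points concrete on the local machine. It classifies a port as "server" (below 1024) or ephemeral, opens a real TCP connection over loopback so the stack-assigned client port and the resulting 4-tuple can be inspected, and evaluates the post's home-user inbound policy (drop everything below 1024, allow only a configured ephemeral range). The listener also binds to port 0 because an unprivileged process cannot normally bind a port below 1024; the policy function and the (low, high) range argument are this example's own construction.

```python
import socket

SERVER_PORT_MAX = 1023  # "server" range as the post defines it: ports below 1024


def port_class(port):
    """Classify a port the way the post does: 'server' (<1024) or 'ephemeral'."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "server" if port <= SERVER_PORT_MAX else "ephemeral"


def loopback_four_tuple():
    """Open a real TCP connection over loopback and return the 4-tuple
    (server IP, server port, client IP, client port).

    The client never asks for a port, so the IP stack assigns it an
    ephemeral one; the listener binds port 0 so the stack picks its port too
    (an unprivileged process cannot normally take a port below 1024)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server_ip, server_port = listener.getsockname()
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect((server_ip, server_port))
    accepted, _ = listener.accept()
    client_ip, client_port = client.getsockname()  # stack-assigned ephemeral port
    accepted.close()
    client.close()
    listener.close()
    return (server_ip, server_port, client_ip, client_port)


def inbound_allowed(dst_port, allowed_ephemeral=None):
    """Home-user inbound policy from the post (example's own formulation):
    drop anything below 1024; allow only the ephemeral range the machine was
    restricted to. allowed_ephemeral is an inclusive (low, high) pair;
    None means no inbound connections are expected at all."""
    if port_class(dst_port) == "server":
        return False
    if allowed_ephemeral is None:
        return False
    low, high = allowed_ephemeral
    return low <= dst_port <= high


if __name__ == "__main__":
    srv_ip, srv_port, cli_ip, cli_port = loopback_four_tuple()
    print("4-tuple:", (srv_ip, srv_port, cli_ip, cli_port))
    print("client port class:", port_class(cli_port))
    print("inbound 80 allowed:", inbound_allowed(80, (5000, 5010)))
```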
