How to close the unnecessary Ports

Discussion in 'Computer Security' started by Nick, Oct 1, 2005.

  1. Nick

    Nick Guest

    Hi

    As there are over 65000 ports in the TCP/IP stack, which ones are the most
    necessary ports for a homeuser and how to close the rest of the ports? My PC
    is connected to internet via a router and a cable modem. I run ZA firewall
    and BHODemon 2.0 thanks to the help from Mr.Lipman. Here is a ports link I
    found online:
    http://www.iss.net/security_center/advice/Exploits/Ports/default.htm

    Thanks in advance!
    Nick
     
    Nick, Oct 1, 2005
    #1

  2. Nick

    Jim Watt Guest

    On Sat, 01 Oct 2005 20:29:33 GMT, "Nick" <> wrote:

    >Hi
    >
    >As there are over 65000 ports in the TCP/IP stack, which ones are the most
    >necessary ports for a homeuser and how to close the rest of the ports? My PC
    >is connected to internet via a router and a cable modem. I run ZA firewall
    >and BHODemon 2.0 thanks to the help from Mr.Lipman. Here is a ports link I
    >found online:
    >http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
    >
    >Thanks in advance!
    >Nick


    Ports are only opened by processes running on your computer, so
    if you see any you need to know why they are there.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Oct 1, 2005
    #2

  3. Nick

    Winged Guest

    Nick wrote:
    > Hi
    >
    > As there are over 65000 ports in the TCP/IP stack, which ones are the most
    > necessary ports for a homeuser and how to close the rest of the ports? My PC
    > is connected to internet via a router and a cable modem. I run ZA firewall
    > and BHODemon 2.0 thanks to the help from Mr.Lipman. Here is a ports link I
    > found online:
    > http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
    >
    > Thanks in advance!
    > Nick
    >
    >


    There are two, (generally speaking) types of port ranges on your
    computer. The server port range is generally considered ports below
    1024. Most home users (generally) do not need to receive inbound
    connections from the Internet over these ports unless they are hosting a
    server.

    The ephemeral ports 1024-65565 are considered (generally) response ports.

    TCP/IPv4 connection consists of two endpoints, and each endpoint
    consists of an IP address and a port number. Therefore, when a client
    user connects to a server computer, an established connection can be
    thought of as the 4-tuple of (server IP, server port, client IP, client
    port). Usually three of the four are readily known -- client machine
    uses its own IP address and when connecting to a remote service, the
    server machine's IP address and service port number are required.

    What is not immediately evident is that when a connection is established
    that the client side of the connection uses a port number. Unless a
    client program explicitly requests a specific port number, the port
    number used is an ephemeral port number. Ephemeral ports are temporary
    ports assigned by a machine's IP stack, and are assigned from a
    designated range of ports for this purpose. When the connection
    terminates, the ephemeral port is available for reuse, although most IP
    stacks won't reuse that port number until the entire pool of ephemeral
    ports have been used. So, if the client program reconnects, it will be
    assigned a different ephemeral port number for its side of the new
    connection.

    Similarly, for UDP/IP, when a datagram is sent by a client from an
    unbound port number, an ephemeral port number is assigned automatically
    so the receiving end can reply to the sender.

    I assume you are referring to MS systems, as port restrictions on Nix systems
    are pretty straightforward.

    To restrict what ephemeral ports windows will use to listen on:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;300083

    The server ports typically should be completely blocked from Internet
    exposure on most home systems. Additionally running services should be
    reduced to a bare minimum of what is required on the system.

    A good list of service definitions and what you need is here:

    http://www.ss64.com/ntsyntax/services.html
    http://inside.bard.edu/~winig/BlackViper.doc

    A final step is needed. You should block all ports at your firewall not
    required. Most home users will want to block all inbound connections
    below 1024. Additionally you should only allow inbound connections to
    those ports you set following the MS procedure above, and block other
    communication.

    Without knowing a bit more about your firewall choices or your explicit
    requirements it is a bit difficult to provide precise guidance.

    Hopefully you will find something here that has answered your question.

    Winged
     
    Winged, Oct 2, 2005
    #3
  4. "Winged" <> wrote in message
    news:55d39$433f17a1$18d6d959$...
    > Nick wrote:
    > > Hi
    > >
    > > As there are over 65000 ports in the TCP/IP stack, which ones are the

    most
    > > necessary ports for a homeuser and how to close the rest of the ports?


    <snip>

    > There are two, (generally speaking) types of port ranges on your
    > computer. The server port range is generally considered ports below
    > 1024. Most home users (generally) do not need to receive inbound
    > connections from the Internet over these ports unless they are hosting a
    > server.
    >
    > The ephemeral ports 1024-65565 are considered (generally) response ports.


    <snip>

    Not /entirely/ accurate - there are the well-known ports 1-1024 that require
    elevated privilege on *nix
    (http://www.codecutters.org/resources/knownports.html).

    And then there are the *Registered* ports (1025 and above) -
    http://www.codecutters.org/resources/regports.html

    A subset of this range is used as an ephemeral port if it isn't already
    taken by a running service (IP address and port should be unique)

    Windows filtering is built-in to the GUI - just select advanced IP
    properties on the NIC or IP that you wish to fiddle with. The one that
    everyone always forgets (I certainly did) is to make sure that you don't
    leak things that have a local IP address range. I think mine were
    DNS-related (haven't looked at this for five years or so)

    HTH

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Oct 2, 2005
    #4
  5. From: "Nick" <>

    | Hi
    |
    | As there are over 65000 ports in the TCP/IP stack, which ones are the most
    | necessary ports for a homeuser and how to close the rest of the ports? My PC
    | is connected to internet via a router and a cable modem. I run ZA firewall
    | and BHODemon 2.0 thanks to the help from Mr.Lipman. Here is a ports link I
    | found online:
    | http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
    |
    | Thanks in advance!
    | Nick
    |

    Hi Nick:

    The objective is to block ports that are open on the LAN side. Running NETSTAT -AN and/or
    TCPVIEW you can determine what open ports are "listening" for communication.

    So for example if you have a BootP-TFTP Daemon loaded on the LAN, you would want to block
    UDP ports 67 and 69.

    You don't need to look at all the 65536 (2^16) ports. Just the ports on the LAN side that
    are listening for communication.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Oct 2, 2005
    #5
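    Lipman's NETSTAT -AN check can be automated. The following is an added example, not code from any poster: it parses constructed `netstat -an` output in the Windows 2000 format, keeps only the sockets that are actually waiting for inbound traffic, and separates loopback-only listeners from those reachable from the LAN, and well-known (below 1024) server ports from the rest. The sample output and all addresses in it are constructed.

```python
"""Parse `netstat -an` output (Windows 2000 format) and report which ports are
listening, on which interface, and whether they fall in the well-known server
range below 1024. Added illustration; the sample output below is constructed."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on what Windows 2000 `netstat -an` prints.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1026      203.0.113.80:80        ESTABLISHED
  TCP    192.168.1.10:1027      192.168.1.1:53         TIME_WAIT
  UDP    0.0.0.0:67             *:*
  UDP    0.0.0.0:69             *:*
  UDP    127.0.0.1:1028         *:*
"""

WELL_KNOWN_MAX = 1023  # 0-1023 is the "server" range the thread talks about


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int

    @property
    def well_known(self) -> bool:
        return self.port <= WELL_KNOWN_MAX

    @property
    def loopback_only(self) -> bool:
        # Bound to 127.x: reachable only from processes on this machine.
        return self.address.startswith("127.")


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    # The port follows the last ':', so split from the right.
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return sockets waiting for inbound traffic: TCP sockets in LISTENING
    state and every bound UDP socket (UDP has no state column; a bound UDP
    port accepts datagrams from anyone unless a filter stops them)."""
    listeners = []
    for raw in netstat_output.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT are our own client-side ephemeral ports
        address, port = split_endpoint(local)
        listeners.append(Listener(proto, address, int(port)))
    return listeners


def exposed_listeners(netstat_output: str) -> List[Listener]:
    """Listeners bound to something other than loopback, i.e. reachable from the LAN."""
    return [l for l in parse_listeners(netstat_output) if not l.loopback_only]


def report(netstat_output: str) -> List[str]:
    """One line per LAN-reachable listener, tagged with its port range."""
    lines = []
    for l in exposed_listeners(netstat_output):
        tag = "well-known/server" if l.well_known else "registered/ephemeral"
        lines.append(f"{l.proto} {l.address}:{l.port} ({tag})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

    In the constructed sample the LAN-reachable listeners are exactly the FTP control port and the BootP/TFTP pair Lipman mentions; the loopback-bound sockets are not reachable from other hosts.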
  6. Nick

    Imhotep Guest

    Nick wrote:

    > Hi
    >
    > As there are over 65000 ports in the TCP/IP stack, which ones are the most
    > necessary ports for a homeuser and how to close the rest of the ports? My
    > PC is connected to internet via a router and a cable modem. I run ZA
    > firewall and BHODemon 2.0 thanks to the help from Mr.Lipman. Here is a
    > ports link I found online:
    > http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
    >
    > Thanks in advance!
    > Nick


    Hum. I assume you are running a host-based firewall with no server ports
    since you said you are a "homeuser". I am not familiar with any of the
    WinFirewalls but I will assume it is stateful (it really is important to
    know whether it is a stateful or a packet filtering firewall as the
    configurations will be different). However, since most firewalls nowadays
    are stateful or better, your ZA firewall is probably *not* a packet
    filtering firewall (which is good because packet filter firewalls
    suck :) ).

    Now the next question. Do you have any *other* computers on your home LAN?
    If not then you can simply allow all outgoing (stateful) connections and
    deny all incoming (if you do have more than one home computer please reply
    back and we can talk about that). Now remember that your host-based
    firewall is stateful so incoming data (ports) will be allowed to
    communicate with you provided you initialized the connection (started the
    connection). It works like this (Warning: very, very basic description below)

    You are at home and open your browser and type the URL for www.bbc.com:

    Your browser gets an open port in the defined ephemeral (basically client
    ports) range. Let's say it is port 25,000 TCP. Next the PC sends a packet
    from your IP and your client port number 25000 going to the IP of
    www.bbc.com port 80 (www server port). Your stateful firewall records this
    to allow www.bbc.com port 80 to reply back to you on your IP and your port
    25,000 TCP....

    It is actually much more complicated than this; there are things like the TCP
    three-way handshake, negotiation of window sizes, RST, ACK, NACK, etc, etc,
    etc...

    Anyway, to summarize, you can simply allow all access out of your computer
    going anywhere but deny all incoming (Again, only if you are running a
    stateful firewall and you do not have more than one computer on your home
    network). The reason I ask you about the number of computers on your home
    network is because you *might* want to have a domain or filesharing, etc
    capabilities between your home computers.

    There are a couple of things worth mentioning. There is a special address
    (interface) called a "loopback". There are some special things to consider
    here but, I bet the WinFirewall you are using probably does it for
    you....so I would not worry.

    Again, realize that I generalized a lot here for simplicity sake (and I hate
    typing)....

    Anyway good luck,
    Imhotep
     
    Imhotep, Oct 2, 2005
    #6
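    The stateful behaviour Imhotep sketches, as an added example that is not part of any post in this thread: a toy model that records the 4-tuple of every outbound connection and admits an inbound packet only when it is the reply half of a recorded flow, or when it is aimed at a port the host deliberately serves (the thread's FTP server case, which is the only reason a home user opens an inbound port). All IP addresses and port numbers are constructed.

```python
"""Toy stateful-firewall model: allow all outbound, drop unsolicited inbound,
but admit replies to flows this host opened and traffic to ports it serves.
Illustrative only; this is not the logic of ZoneAlarm or any other product."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

MY_IP = "192.168.1.10"        # constructed LAN address of the home PC
WEB_SERVER = "203.0.113.80"   # constructed stand-in for the www.bbc.com address
DNS_SERVER = "192.168.1.1"    # constructed: the router acting as resolver
STRANGER = "198.51.100.7"     # constructed: some unrelated Internet host


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A flow is the thread's 4-tuple (plus protocol), seen from this host's side.
Flow = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, my_ip: str, inbound_allow: Set[Tuple[str, int]] = frozenset()):
        self.my_ip = my_ip
        self.inbound_allow = set(inbound_allow)  # (proto, port) this host deliberately serves
        self.flows: Set[Flow] = set()            # connections this host initiated

    def _flow(self, proto: str, local_port: int, remote_ip: str, remote_port: int) -> Flow:
        return (proto, self.my_ip, local_port, remote_ip, remote_port)

    def outbound(self, pkt: Packet) -> bool:
        """Anything leaving the host is allowed; remember the 4-tuple so the
        reply (remote port -> our ephemeral port) can be recognised later."""
        if pkt.src_ip != self.my_ip:
            raise ValueError("outbound packet must originate from this host")
        self.flows.add(self._flow(pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Admit only the reply half of a recorded flow, or traffic to a port on
        the explicit allow-list; everything else is dropped."""
        if pkt.dst_ip != self.my_ip:
            raise ValueError("inbound packet must be addressed to this host")
        reply_of = self._flow(pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.flows:
            return True
        return (pkt.proto, pkt.dst_port) in self.inbound_allow


def demo() -> Dict[str, bool]:
    """Walk through the thread's scenario and return the verdict for each packet."""
    fw = StatefulFirewall(MY_IP, inbound_allow={("TCP", 21)})  # only an FTP server is run
    verdicts = {}
    # Browser picks ephemeral port 25000 and connects to the web server's port 80.
    verdicts["http request out"] = fw.outbound(Packet("TCP", MY_IP, 25000, WEB_SERVER, 80))
    # The server answers from port 80 to our port 25000: matches the recorded flow.
    verdicts["http reply in"] = fw.inbound(Packet("TCP", WEB_SERVER, 80, MY_IP, 25000))
    # Same server, but aimed at a port we never used: not a reply, so dropped.
    verdicts["forged reply in"] = fw.inbound(Packet("TCP", WEB_SERVER, 80, MY_IP, 25001))
    # Unsolicited connection attempt to our port 80: nothing was initiated, dropped.
    verdicts["unsolicited 80 in"] = fw.inbound(Packet("TCP", STRANGER, 3456, MY_IP, 80))
    # Inbound to the FTP control port we explicitly serve: allowed by the list.
    verdicts["ftp client in"] = fw.inbound(Packet("TCP", STRANGER, 40000, MY_IP, 21))
    # UDP has no handshake, but the same bookkeeping pairs a DNS query with its answer.
    verdicts["dns query out"] = fw.outbound(Packet("UDP", MY_IP, 1029, DNS_SERVER, 53))
    verdicts["dns answer in"] = fw.inbound(Packet("UDP", DNS_SERVER, 53, MY_IP, 1029))
    return verdicts


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DROP'}")
```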
  7. Nick

    Unruh Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

    >From: "Nick" <>


    >| Hi
    >|
    >| As there are over 65000 ports in the TCP/IP stack, which ones are the most
    >| necessary ports for a homeuser and how to close the rest of the ports? My PC


    Ports are by default closed. They are open only if a specific program is
    running which listens to and accepts connections from that port.
    This can be a daemon, or it can be xinetd. So, it is up to you not to run
    daemons, or not to tell xinetd to listen to that port.

    >| is connected to internet via a router and a cable modem. I run ZA firewall
    >| and BHODemon 2.0 thanks to the help from Mr.Lipman. Here is a ports link I
    >| found online:
    >| http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
    >|
    >| Thanks in advance!
    >| Nick
    >|


    >Hi Nick:


    >The objective is to block ports that are open on the LAN side. Running NETSTAT -AN and/or
    >TCPVIEW you can determine what open ports are "listening" for communication.


    >So for example if you have a BootP-TFTP Daemon loaded on the LAN, you would want to block
    >UDP ports 67 and 69.


    >You don't need to look at all the 65536 (2^16) ports. Just the ports on the LAN side that
    >are listening for communication.


    Better yet, why listen? This is a weird process. You run one program to
    listen to a port and then run another to block that port.
     
    Unruh, Oct 2, 2005
    #7
  8. Nick

    Jim Watt Guest

    On 2 Oct 2005 05:38:24 GMT, Unruh <> wrote:

    >Better yet, why listen. this is a weird process. You run one program to
    >listen to a port and then run another to block that port.


    exactly.


    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Oct 2, 2005
    #8
  9. David H. Lipman, Oct 2, 2005
    #9
  10. From: "Jim Watt" <_way>

    | On 2 Oct 2005 05:38:24 GMT, Unruh <> wrote:
    |
    >> Better yet, why listen. this is a weird process. You run one program to
    >> listen to a port and then run another to block that port.

    |
    | exactly.
    |
    | --
    | Jim Watt
    | http://www.gibnet.com

    If I have a device that I can update via TFTP I would load a TFTP Daemon. There are good
    reasons to open up a port. This is good on the LAN but there is no reason for it to go out
    on the WAN.

    It's like I allow a bird to fly anywhere within a house. It is not restricted to a cage or
    just one room. But I keep the door to the house closed so it does not leave the house.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Oct 2, 2005
    #10
  11. Nick

    Winged Guest

    Hairy One Kenobi wrote:
    > "Winged" <> wrote in message
    > news:55d39$433f17a1$18d6d959$...
    >
    >>Nick wrote:
    >>
    >>>Hi
    >>>
    >>>As there are over 65000 ports in the TCP/IP stack, which ones are the

    >
    > most
    >
    >>>necessary ports for a homeuser and how to close the rest of the ports?

    >
    >
    > <snip>
    >
    >>There are two, (generally speaking) types of port ranges on your
    >>computer. The server port range is generally considered ports below
    >>1024. Most home users (generally) do not need to receive inbound
    >>connections from the Internet over these ports unless they are hosting a
    >>server.
    >>
    >>The ephemeral ports 1024-65565 are considered (generally) response ports.

    >
    >
    > <snip>
    >
    > Not /entirely/ accurate - there are the well-known ports 1-1024 that require
    > elevated privilege on *nix
    > (http://www.codecutters.org/resources/knownports.html).
    >
    > And then there are the *Registered* ports (1025 and above) -
    > http://www.codecutters.org/resources/regports.html
    >
    > A subset of this range is used as an ephemeral port if it isn't already
    > taken by a running service (IP address and port should be unique)
    >
    > Windows filtering is built-in to the GUI - just select advanced IP
    > properties on the NIC or IP that you wish to fiddle with. The one that
    > everyone always forgets (I certainly did) is to make sure that you don't
    > leak things that have a local IP address range. I think mine were
    > DNS-related (haven't looked at this for five years or so)
    >
    > HTH
    >
    > Hairy One Kenobi
    >
    > Disclaimer: the opinions expressed in this opinion do not necessarily
    > reflect the opinions of the highly-opinionated person expressing the opinion
    > in the first place. So there!
    >
    >
    >

    I was trying to keep it simple... guess I failed... From the question I did
    not want to get into great detail, so I used the word "generally" to indicate
    there were exceptions and variants.

    Because of what I gathered from users post (much of it was guess) I
    tried to focus on Windows as I suspected he wasn't using a nix,
    therefore I took the liberty to generalize and provide him the
    information he asked.

    There are some advantages from a security perspective to restrict
    windows response ports to a narrow range. Additionally killing
    non-essential services is also useful in tightening up security. There
    is much more information to be learned about the IP stack, however I
    have found trying to simplify explanations to someone who appears to be
    a learning novice, important for understanding.

    Winged
     
    Winged, Oct 2, 2005
    #11
  12. Nick

    Imhotep Guest

    Winged wrote:

    > Hairy One Kenobi wrote:
    >> "Winged" <> wrote in message
    >> news:55d39$433f17a1$18d6d959$...
    >>
    >>>Nick wrote:
    >>>
    >>>>Hi
    >>>>
    >>>>As there are over 65000 ports in the TCP/IP stack, which ones are the

    >>
    >> most
    >>
    >>>>necessary ports for a homeuser and how to close the rest of the ports?

    >>
    >>
    >> <snip>
    >>
    >>>There are two, (generally speaking) types of port ranges on your
    >>>computer. The server port range is generally considered ports below
    >>>1024. Most home users (generally) do not need to receive inbound
    >>>connections from the Internet over these ports unless they are hosting a
    >>>server.
    >>>
    >>>The ephemeral ports 1024-65565 are considered (generally) response ports.

    >>
    >>
    >> <snip>
    >>
    >> Not /entirely/ accurate - there are the well-known ports 1-1024 that
    >> require elevated privilege on *nix
    >> (http://www.codecutters.org/resources/knownports.html).
    >>
    >> And then there are the *Registered* ports (1025 and above) -
    >> http://www.codecutters.org/resources/regports.html
    >>
    >> A subset of this range is used as an ephemeral port if it isn't already
    >> taken by a running service (IP address and port should be unique)
    >>
    >> Windows filtering is built-in to the GUI - just select advanced IP
    >> properties on the NIC or IP that you wish to fiddle with. The one that
    >> everyone always forgets (I certainly did) is to make sure that you don't
    >> leak things that have a local IP address range. I think mine were
    >> DNS-related (haven't looked at this for five years or so)
    >>
    >> HTH
    >>
    >> Hairy One Kenobi
    >>
    >> Disclaimer: the opinions expressed in this opinion do not necessarily
    >> reflect the opinions of the highly-opinionated person expressing the
    >> opinion in the first place. So there!
    >>
    >>
    >>

    > I was trying to keep it simple..guess I failed..From the question I did
    > not want to get into great detail, so I used word generally to indicate
    > there were exceptions and variants.
    >
    > Because of what I gathered from users post (much of it was guess) I
    > tried to focus on Windows as I suspected he wasn't using a nix,
    > therefore I took the liberty to generalize and provide him the
    > information he asked.
    >
    > There are some advantages from a security perspective to restrict
    > windows response ports to a narrow range. Additionally killing
    > non-essential services is also useful in tightening up security. There
    > is much more information to be learned about the IP stack, however I
    > have found trying to simplify explanations to someone who appears to be
    > a learning novice, important for understanding.
    >
    > Winged



    You did the right thing, H said he was a "homeuser" and he is asking a
    newbie question. So, you are justified in speaking in general terms and
    methods. In fact you should have. If you were to reply with the specific
    and exact definitions you would 1) write a post that was several pages long
    2) confuse the hell out of the OP...

    So, don't apologize for anything, you did nothing wrong.

    Imhotep
     
    Imhotep, Oct 2, 2005
    #12
  13. Nick

    Winged Guest

    Jim Watt wrote:
    > On 2 Oct 2005 05:38:24 GMT, Unruh <> wrote:
    >
    >
    >>Better yet, why listen. this is a weird process. You run one program to
    >>listen to a port and then run another to block that port.

    >
    >
    > exactly.
    >
    >
    > --
    > Jim Watt
    > http://www.gibnet.com


    Even though I have some ports blocked at each layer of the topology, that
    doesn't stop me from listening for activity.... stuff happens... admins screw
    up sometimes in an active network. Has happened on more than one occasion.

    Winged
     
    Winged, Oct 2, 2005
    #13
  14. Nick

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <NkC%e.28748$1i.14458@pd7tw2no>, Nick wrote:

    >As there are over 65000 ports in the TCP/IP stack


    and another 65536 in UDP/IP - and another 137 other protocols _besides_
    TCP and UDP that run over IP

    >which ones are the most necessary ports for a homeuser


    If you are not providing services to the world (such as web, mail, ftp)
    then NONE are necessary. Port 113/tcp _may_ be required by your ISP's
    mail server, or the server of any IRC chat room you might use, but the
    typical toy firewall that screams "ATTACK" at every connection attempt
    will tell you if this is needed.

    >and how to close the rest of the ports?


    Don't run servers you don't need. Looking only at TCP, think of those
    65000 ports as 65000 telephones. If you want to call OUT, you pick up a
    phone at random, and dial the number of the person you want to speak to.
    Works just fine. On the other hand, if you don't want people to call
    you, don't answer the stupid phones. Does the ringing phone bother you?
    Disconnect the d4mn bell, and you won't hear it, and won't try to answer
    it either. That means the klown who is trying to call you to get you to
    convert to the Church of the Blessed Donut, or the guy who is trying to
    sell you running shoes for your pet hamster isn't going to bother you.

    Your computer acts the same way. If you are running a server on port FOO,
    then someone connecting to port FOO will get service. If they are to
    connect to a port that doesn't have a server running, the computer doesn't
    answer - simple, isn't it. All you have to do is not install that neat
    application that will "improve your surfing experience" (which calls the
    Church of the Blessed Donut and tells them "I've got a sucker here").

    >Here is a ports link I found online:
    >http://www.iss.net/security_center/advice/Exploits/Ports/default.htm


    http://www.iana.org/assignments/port-numbers

    HOWEVER - just because a specific service is assigned or registered to
    a specific port DOES NOT MEAN that any packet using that port must be
    that service, and that a service that is assigned or registered to a
    specific port can't use a different port.

    Old guy
     
    Moe Trin, Oct 2, 2005
    #14
  15. Nick

    Nick Guest

    "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
    news:GXE%e.6911$...
    > "Winged" <> wrote in message
    > news:55d39$433f17a1$18d6d959$...
    > > Nick wrote:
    > > > Hi
    > > >
    > > > As there are over 65000 ports in the TCP/IP stack, which ones are the

    > most
    > > > necessary ports for a home user and how to close the rest of the

    ports?
    >
    > <snip>
    >
    > > There are two, (generally speaking) types of port ranges on your
    > > computer. The server port range is generally considered ports below
    > > 1024. Most home users (generally) do not need to receive inbound
    > > connections from the Internet over these ports unless they are hosting a
    > > server.
    > >
    > > The ephemeral ports 1024-65565 are considered (generally) response

    ports.
    >
    > <snip>
    >
    > Not /entirely/ accurate - there are the well-known ports 1-1024 that

    require
    > elevated privilege on *nix
    > (http://www.codecutters.org/resources/knownports.html).
    >
    > And then there are the *Registered* ports (1025 and above) -
    > http://www.codecutters.org/resources/regports.html
    >
    > A subset of this range is used as an ephemeral port if it isn't already
    > taken by a running service (IP address and port should be unique)
    >
    > Windows filtering is built-in to the GUI - just select advanced IP
    > properties on the NIC or IP that you wish to fiddle with. The one that
    > everyone always forgets (I certainly did) is to make sure that you don't
    > leak things that have a local IP address range. I think mine were
    > DNS-related (haven't looked at this for five years or so)
    >
    > HTH
    >


    Thanks all of you for taking your time to help me, a beginner, with the
    ports. I use only one workstation running Win 2K at the moment.
    Under Advanced TCP/IP filtering there are 3 options: TCP Ports, UDP Ports,
    and IP protocols. How should I configure the filtering settings, so it will
    be enough just to access the internet, my ftp server, my e-mails and the
    newsgroup? I am sure this is one of the most stupid questions that has ever
    been posted here, but I am in a learning process and I find this group very
    supportive. All I know is that TCP/UDP are in the transport layer of the
    OSI model, IP is in the networking layer, and some of the necessary ports I
    need are 20, (21), 25, 53, 80, 110, 119 and 443.

    Hope to make you guys laugh :)

    Nick
     
    Nick, Oct 2, 2005
    #15
  16. "Nick" <> wrote in message
    news:ObX%e.55886$tl2.29260@pd7tw3no...
    > "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
    > news:GXE%e.6911$...
    > > "Winged" <> wrote in message
    > > news:55d39$433f17a1$18d6d959$...


    > > Windows filtering is built-in to the GUI - just select advanced IP
    > > properties on the NIC or IP that you wish to fiddle with. The one that
    > > everyone always forgets (I certainly did) is to make sure that you don't
    > > leak things that have a local IP address range. I think mine were
    > > DNS-related (haven't looked at this for five years or so)


    > Thanks all of you for taking your time to help me, a beginner, with the
    > ports. I use only one workstation running Win 2K at the moment.
    > Under Advanced TCP/IP filtering there are 3 options: TCP Ports, UDP Ports,
    > and IP protocols. How should I configure the filtering settings, so it

    will
    > be enough just to access the internet, my ftp server, my e-mails and the
    > newsgroup? I am sure this is one of the most stupid questions that has

    ever
    > been posted here, but I am in a learning process and I find this group

    very
    > supportive. All I know is that TCP/UDP are in the transport layer of the
    > OSI model, IP is in the networking layer, and some of the necessary ports

    I
    > need are 20, (21), 25, 53, 80, 110, 119 and 443.
    >
    > Hope to make you guys laugh :)


    Not a hope - we all had to start somewhere!

    Plus it's been so long I think I can see a rather obvious (and probably
    quite common) misconception that wouldn't have occurred to me. I say
    "obvious" as it's obvious to someone in the know, BTW - not trying to be
    rude.

    Let's start with a quick recap. When it comes down to transport stuff (fling
    a chunk of electrons down a wire in one place, it appears somewhere else),
    then it's probably best to start with a telephone analogy.

    Basically, your IP address is your phone number - say you want to dial your
    mate Joe Bloggs. You start by looking his number up in the phone book (say,
    01234-123456), and dial the number. Assume for one moment that he has one of
    those old-fashioned plugboard type of phone exchanges, so you ask the
    operator to connect you to extension 80. She plugs the connection wire into
    port 80, and you chatter away to your mate.

    Now for the Internet version - you want to talk to your mate's website at
    JoeBloggs.com. You look his number up in the "directory" called DNS, which
    returns his IP address (a number). Your software then "dials" this number for
    you, requesting a "port" 80. The address/port combination is unique, because
    you can't get two plugs into one hole.

    Notice that - in both cases - you didn't need an exchange yourself; you just
    dialled a number and requested a service.

    The Internet version is the same - you can request any service on any
    address. If that unique combination doesn't exist you'll get an error
    message; if it does exist, then you'll get a web page, email, FTP server, or
    whatever.

    In other words - you only need to open stuff in a firewall if you are
    *running*, rather than *using*, a service. (This can get a little blurred if
    one starts to delve too deeply, but these are the basics)

    All a firewall does is to twiddle the settings that I mentioned in something
    like Windows, but without you having to fiddle (and, believe me, it *is*
    fiddly to get *everything*). Some of the more modern ones try to trap stuff
    by not letting it out, but the traditional "firewall" is more like a one-way
    mirror - you can see out, but most everything directed at you just bounces
    off.

    I'm guessing that, as a home user, you won't really need to dive that deeply
    into things - while you *can* do everything you need using what's built-in,
    you're probably better off buying/downloading a dedicated firewall or buying
    a small cheap box that does all this for you (I was mainly trying to stop an
    old myth from spreading. I've setup a number of different firewalls and, for
    my home use, use "firewall/routers" from Netgear and Linksys)

    Questions? just post 'em up here :eek:)

    H1K
     
    Hairy One Kenobi, Oct 3, 2005
    #16
  17. "Winged" <> wrote in message
    news:7f827$43401b4e$18d6d959$...
    > Hairy One Kenobi wrote:
    > > "Winged" <> wrote in message
    > > news:55d39$433f17a1$18d6d959$...


    <much snippage>

    > >>The ephemeral ports 1024-65565 are considered (generally) response

    ports.

    > > Not /entirely/ accurate - there are the well-known ports 1-1024 that

    require
    > > elevated privilege on *nix
    > > (http://www.codecutters.org/resources/knownports.html).
    > >
    > > And then there are the *Registered* ports (1025 and above) -
    > > http://www.codecutters.org/resources/regports.html
    > >
    > > A subset of this range is used as an ephemeral port if it isn't already
    > > taken by a running service (IP address and port should be unique)


    > I was trying to keep it simple..guess I failed..From the question I did
    > not want to get into great detail, so I used word generally to indicate
    > there were exceptions and variants.


    Granted, but if you want to chop three sections down to two, then I'd
    suggest "well-known" and "registered" - it's less inaccurate :eek:)

    H1K
     
    Hairy One Kenobi, Oct 3, 2005
    #17
  18. "Imhotep" <> wrote in message
    news:...

    <snip>

    > If you were to reply with the specific
    > and exact definitions you would 1) write a post that was several pages

    long
    > 2) confuse the hell out of the OP...
    >
    > So, don't apologize for anything, you did nothing wrong.


    Hardly.

    And hopefully on all three counts ;o)

    H1K
     
    Hairy One Kenobi, Oct 3, 2005
    #18
  19. Nick

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <ObX%e.55886$tl2.29260@pd7tw3no>, Nick wrote:

    >Thanks all of you for taking your time to help me, a beginner, with the
    >ports. I use only one workstation running Win 2K at the moment.


    >How should I configure the filtering settings, so it will be enough just
    >to access the internet, my ftp server, my e-mails and the newsgroup?


    <cringe! "beginner" + "server" != "fun">

    >I am sure this is one of the most stupid questions that has ever been
    >posted here, but I am in a learning process and I find this group very
    >supportive.


    The way to learn _is_ to ask and read. As for the "most stupid question",
    sorry - not even a contest. You've got a _long_ way to go to get into the
    "stupid" category.

    >All I know is that TCP/UDP are in the transport layer of the
    >OSI model, IP is in the networking layer,


    Close enough - though not mandatory to know. See RFC1180, available on
    a web site near you.

    1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. Jan-01-1991.
    (Format: TXT=65494 bytes) (Status: INFORMATIONAL)

    >and some of the necessary ports I need are 20, (21), 25, 53, 80, 110,
    >119 and 443.


    No actually. You have just one server listed above, which is FTP. I'm
    a bit concerned why you feel you should be serving files, but this can
    be locked down as needed. FTP uses just two ports inbound (21 for control
    and passive mode data, 20 for active mode data). NONE - I repeat NONE of
    the rest of the ports need be open _inbound_ and should be blocked.

    People make the mistake thinking that if they want to _use_ service FOO
    as a client, then they have to open that port number INBOUND to their
    system. Not the case - the _server_ lives on that port, while your client
    uses a random number in the range 1025 to <65535.

    Port 25. You connect to your ISP's mail server port 25 (on your end, it's
    a random port number above 1024) to _send_ mail.

    Port 53. You connect to port 53 on the ISP's DNS servers to resolve names.
    Again, on your end, it's a random port above 1024. This is the only port
    where you MAY use both UDP and TCP. TCP is only used when the data
    returned from the name server is larger than 511 bytes (about 7 lines of
    text - rare for windoze).

    Port 80. You connect to port 80 on remote servers to get web pages. Your
    end is a random number above 1024.

    Port 110 (or possibly port 143) is the remote port to get your mail.

    Port 119 is the remote port you connect to to get news.

    Port 443 is the remote port for Secure HTTP. As with all of the
    connections to remote server ports - your end is a random number above
    1024.

    >Hope to make you guys laugh :)


    Remember what we said - no services offered, means no ports open. If you
    did not offer FTP, you would need to open NONE of the ports below 1025
    inbound.

    Old guy
     
    Moe Trin, Oct 3, 2005
    #19
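The point Moe Trin makes above (the server sits on the fixed port, the client gets a random port above 1024 chosen by the operating system) can be watched happening on a single machine. The following is an added demonstration, not code from the thread or from any poster; it uses only the loopback interface and binds the listener to port 0 so the OS picks a free port and no privilege is needed. The function name and the returned dictionary keys are my own.

```python
import socket
import threading


def ephemeral_port_demo(host="127.0.0.1"):
    """Start a tiny TCP listener (the 'server' side), make one client
    connection to it, and return the port numbers each side actually used:
      'server'                   - the fixed port the listener is bound to
      'client'                   - the local port the client socket got
      'client_as_seen_by_server' - the peer port reported by accept()
      'echoed'                   - True if the round trip worked
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Port 0 lets the OS choose a free port so this runs unprivileged;
    # a real FTP server would bind the well-known port 21 instead.
    listener.bind((host, 0))
    listener.listen(1)
    server_port = listener.getsockname()[1]

    seen = {}

    def serve_one():
        conn, peer = listener.accept()
        seen["peer_port"] = peer[1]      # the client's ephemeral port
        conn.sendall(conn.recv(64))      # echo whatever arrived
        conn.close()

    worker = threading.Thread(target=serve_one)
    worker.start()

    # The client never asks for a port number; the OS assigns one from
    # the ephemeral range when the connection is made.
    client = socket.create_connection((host, server_port))
    client_port = client.getsockname()[1]
    client.sendall(b"ping")
    reply = client.recv(64)
    client.close()
    worker.join()
    listener.close()

    return {
        "server": server_port,
        "client": client_port,
        "client_as_seen_by_server": seen["peer_port"],
        "echoed": reply == b"ping",
    }


if __name__ == "__main__":
    print(ephemeral_port_demo())
```

Run it a few times and the client port changes every time while the server port is whatever was bound; that is why a client program needs no inbound rule, and why an inbound rule for port 25 or 80 on a home PC protects nothing the user actually uses.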
  20. Nick

    Nick Guest

    "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
    news:Che0f.9579$...
    > "Nick" <> wrote in message
    > news:ObX%e.55886$tl2.29260@pd7tw3no...
    > > "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
    > > news:GXE%e.6911$...
    > > > "Winged" <> wrote in message
    > > > news:55d39$433f17a1$18d6d959$...

    >
    > > > Windows filtering is built-in to the GUI - just select advanced IP
    > > > properties on the NIC or IP that you wish to fiddle with. The one that
    > > > everyone always forgets (I certainly did) is to make sure that you don't
    > > > leak things that have a local IP address range. I think mine were
    > > > DNS-related (haven't looked at this for five years or so)
    >
    > > Thanks all of you for taking your time to help me, a beginner, with the
    > > ports. I use only one workstation running Win 2K at the moment.
    > > Under Advanced TCP/IP filtering there are 3 options: TCP Ports, UDP Ports,
    > > and IP protocols. How should I configure the filtering settings, so it will
    > > be enough just to access the internet, my ftp server, my e-mails and the
    > > newsgroup? I am sure this is one of the most stupid questions that has ever
    > > been posted here, but I am in a learning process and I find this group very
    > > supportive. All I know is that TCP/UDP are in the transport layer of the
    > > OSI model, IP is in the networking layer, and some of the necessary ports I
    > > need are 20, (21), 25, 53, 80, 110, 119 and 443.
    > >
    > > Hope to make you guys laugh :)
    >
    > Not a hope - we all had to start somewhere!


    Very nice of you to say that!


    > Plus it's been so long I think I can see a rather obvious (and probably
    > quite common) misconception that wouldn't have occurred to me. I say
    > "obvious" as it's obvious to someone in the know, BTW - not trying to be
    > rude.


    I think it's more than a misconception, it's rather a confusion :)

    > Let's start with a quick recap. When it comes down to transport stuff (fling
    > a chunk of electrons down a wire in one place, it appears somewhere else),
    > then it's probably best to start with a telephone analogy.
    >
    > Basically, your IP address is your phone number - say you want to dial your
    > mate Joe Bloggs. You start by looking his number up in the phone book (say,
    > 01234-123456), and dial the number. Assume for one moment that he has one of
    > those old-fashioned plugboard type of phone exchanges, so you ask the
    > operator to connect you to extension 80. She plugs the connection wire into
    > port 80, and you chatter away to your mate.
    >
    > Now for the Internet version - you want to talk to your mate's website at
    > JoeBloggs.com. You look his number up in the "directory" called DNS, which
    > returns his IP address (a number). Your software then "dials" this number for
    > you, requesting a "port" 80. The address/port combination is unique, because
    > you can't get two plugs into one hole.
    >
    > Notice that - in both cases - you didn't need an exchange yourself; you just
    > dialled a number and requested a service.
    >
    > The Internet version is the same - you can request any service on any
    > address. If that unique combination doesn't exist you'll get an error
    > message; if it does exist, then you'll get a web page, email, FTP server, or
    > whatever.
    >
    > In other words - you only need to open stuff in a firewall if you are
    > *running*, rather than *using*, a service. (This can get a little blurred if
    > one starts to delve too deeply, but these are the basics)


    Thanks for the analogy! I think I am getting it.

    >
    > All a firewall does is to twiddle the settings that I mentioned in something
    > like Windows, but without you having to fiddle (and, believe me, it *is*
    > fiddly to get *everything*). Some of the more modern ones try to trap stuff
    > by not letting it out, but the traditional "firewall" is more like a one-way
    > mirror - you can see out, but most everything directed at you just bounces
    > off.
    >
    > I'm guessing that, as a home user, you won't really need to dive that deeply
    > into things - while you *can* do everything you need using what's built-in,
    > you're probably better off buying/downloading a dedicated firewall or buying
    > a small cheap box that does all this for you (I was mainly trying to stop an
    > old myth from spreading. I've setup a number of different firewalls and, for
    > my home use, use "firewall/routers" from Netgear and Linksys)
    >
    > Questions? just post 'em up here :o)


    I appreciate your help!
    I hope the network security course that I just started won't turn me into a
    paranoid :)

    Nick
     
    Nick, Oct 4, 2005
    #20
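The "one-way mirror" that Hairy One Kenobi describes, together with Moe Trin's rule that no services offered means no ports open, is what a stateful packet filter does: it remembers connections the PC started and lets their replies back in, and admits unsolicited inbound traffic only for a service the owner deliberately runs. The class and walkthrough below are a constructed model added here to make that decision logic concrete; they are not code from the thread, from Windows 2000 TCP/IP filtering, or from any firewall product. All IP addresses and port numbers are made up (documentation ranges), and the class, method and key names are my own. The walkthrough covers the thread's client examples (SMTP, DNS, HTTP) and the FTP control connection on 21; FTP's data channel (port 20 in active mode, a negotiated high port in passive mode) is left out because it depends on the transfer mode and needs handling this model does not attempt.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OneWayMirror:
    """Constructed model of a stateful home firewall: anything this PC starts
    is let out and remembered; inbound traffic is allowed only if it answers
    something we started, or targets a service we deliberately offer."""

    def __init__(self, my_ip, offered_services=()):
        self.my_ip = my_ip
        self.offered = set(offered_services)  # e.g. {("tcp", 21)} for an FTP server
        self.flows = set()                    # (proto, src, sport, dst, dport) we opened

    def outbound(self, pkt):
        if pkt.src_ip != self.my_ip:
            return "drop"   # not our address; nothing to remember
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "allow"

    def inbound(self, pkt):
        if pkt.dst_ip != self.my_ip:
            return "drop"
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return "allow"  # reply to a connection we opened: the mirror lets it in
        if (pkt.proto, pkt.dst_port) in self.offered:
            return "allow"  # unsolicited, but this is a service we run on purpose
        return "drop"       # everything else bounces off


def walkthrough():
    """Replay the thread's examples as packets; returns the filter's decisions."""
    me = "192.0.2.10"            # constructed: Nick's PC
    isp_mail = "198.51.100.25"   # constructed: ISP SMTP server
    isp_dns = "198.51.100.53"    # constructed: ISP DNS server
    stranger = "203.0.113.66"    # constructed: some other host on the Internet
    fw = OneWayMirror(me, offered_services={("tcp", 21)})
    out = {}

    # Sending mail: we connect TO port 25 FROM an ephemeral port.
    fw.outbound(Packet("tcp", me, 49152, isp_mail, 25))
    out["smtp_reply"] = fw.inbound(Packet("tcp", isp_mail, 25, me, 49152))

    # DNS over UDP works the same way; a reply to a port we never used is dropped.
    fw.outbound(Packet("udp", me, 49153, isp_dns, 53))
    out["dns_reply"] = fw.inbound(Packet("udp", isp_dns, 53, me, 49153))
    out["dns_wrong_port"] = fw.inbound(Packet("udp", isp_dns, 53, me, 49154))

    # Using mail and the web never requires 25 or 80 to be open INBOUND.
    out["unsolicited_25"] = fw.inbound(Packet("tcp", stranger, 40000, me, 25))
    out["unsolicited_80"] = fw.inbound(Packet("tcp", stranger, 40001, me, 80))

    # The FTP server is the one thing offered, so a new connection to 21 gets in.
    out["ftp_control"] = fw.inbound(Packet("tcp", stranger, 40002, me, 21))

    # Same PC offering nothing: no unsolicited inbound traffic at all.
    closed = OneWayMirror(me)
    out["ftp_when_not_offered"] = closed.inbound(Packet("tcp", stranger, 40002, me, 21))
    return out


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{name:22s} {decision}")
```

The `offered` set is the whole of the inbound policy: every entry in it is a listening service the owner is answerable for, which is why the thread keeps asking why a beginner wants to run an FTP server at all. Everything else that reaches the PC is either a reply to a flow it started or gets dropped.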
