What Ports Should I Block on My Firewall

Page content

What Ports Should I Block on My Firewall?

If you hoped that there is a tutorial that lists in detail that ports to block on a firewall and you just copy the answers from there, I have to disappoint you. There is not such a list. Even though there are some ports that are widely used for a particular purpose (i.e. port 80 for http, port 443 for https, etc.) many of the 65,536 ports of a computer are not assigned by default. This means that the administrator of a system can assign a different application to the same port his counterpart will assign on another system. In other words, if “Application A” doesn’t have a specific port by default, you can assign it to any of the over 65,000 free ports a typical computer has and nobody will know this port in advance.

The best approach is to block all ports and allow only the few you really need. These few ports are 80, 443, 8080 (an alternative for http) and any other port your applications will need. For instance, if you are using FTP, then leave port 21 open.

When you block all ports but a selected few, don’t forget to set notifications when a connection attempt on a blocked port has been made. This way, if you accidentally block ports you should have left open, you will be notified when somebody is attempting to gain remote access through the firewall or that the particular application needs its port and can unblock it.

How to Block Ports on a Firewall

The exact steps to unblock ports on a firewall differ but the logic is the same. For instance, on the built-in Windows firewall by default all ports and programs are denied Internet access. The first time an application attempts to connect, you will be asked whether to allow it or not.

Some firewalls have the option to allow one-time access only, while others add an application (and very often the port it used the first time as well) to the list of programs, which can access the Net. If you need to give an application permanent access to the Internet, it is fine to include it in the list of applications, which always are allowed to access the Net on a specific port or on any port.

More advanced firewalls allow you to configure filters that are more precise. Very often, your choice for rules is not limited only to ports and applications, but it could include IPs, domain names, or protocols as well. While this gives more freedom to the administrator, it also makes your task a bit more difficult because now there are many more rules to set.

Some of the really advanced firewalls (such as the firewall in Windows 7) allow you to configure even the direction (incoming or outgoing) of traffic. For example, you can allow incoming traffic from a particular IP, application, protocol, or port but block all the outgoing traffic and vice versa. This allows you to be very precise in the rules you set. If you make a mistake, though, it could block part of the traffic, thus making it more difficult to understand why this happens. In some cases, you might even be unable to detect the firewall at all.

Blocking ports on a firewall does not require any specific knowledge and skills but it does require concentration. You also should write down any specifics (i.e. I blocked only this and this because of that and that) you might later forget because if a problem arises, these notes will help you to troubleshoot it faster.