Firewall ports: What Is a Port? (and Why Should I Block It?)


by Scott Pinzon, updates by Corey Nachreiner

When used in construction or engineering, the term «firewall» means what it seems to mean: a wall capable of withstanding fire. It evokes something impenetrable, like a sheet of steel or a brick wall. However, in computer networking the term «firewall» means something porous. Like the strainer a chef pours his soup stock through, a firewall stops all the bones (bad stuff), but lets all the broth (good stuff) through — at least, in theory.

But how does a firewall know what’s bad, and what’s good? How can it tell whether a data packet contains an attack, or information you’ve been eagerly awaiting? It can’t. The firewall just follows a set of rules, often referred to as policy, that you define. You’re the one who categorizes types of network traffic as «good» or «bad.»

Reading that, you might moan, «Argh! This box was supposed to solve my security problems! Now it’s waiting for me to tell it what to do! What do I do?» Nowadays, next generation firewalls (NGFW) allow you to make policies using many attributes, including ports and services, users and groups, and even by defining granular access policies to specific network applications (using something referred to as application control). However, the primary mechanism firewalls used to rely on for allowing or denying network traffic is ports and services. So, a good first step in managing your firewall is to get a quick and dirty understanding of how ports work, and what a given port is used for. This knowledge provides you a starting point for figuring out what Internet traffic to permit through the firewall, and what to deny.


The Quick and Dirty about Ports

Since the whole Internet comes to your system over one big wire, how does your network distinguish streaming video from a Web page, and an email from a sound file? The answer is complex, but part of it is, the geek gods (read: inventors of Internet Protocol, or IP) came up with services and ports.

What are services? The five most commonly-used Internet services are:

  • World Wide Web access (using the Hyper-Text Transfer Protocol, or HTTP)
  • E-mail (using the Simple Mail Transfer Protocol, or SMTP)
  • File transfer (using the File Transfer Protocol, or FTP)
  • Translating a host name into an Internet address (using the Domain Name Service, or DNS)
  • Remote terminal access (For example, Telnet, Secure Shell, RDP, or VNC)

In order to help systems understand what to do with the data that flows into them, the geek gods conceived ports. The term «port» can refer to a physical hole in a device where you plug something in (such as, «serial port» or «ethernet port»). But when used in relation to IP services, «ports» are not physical. Ports are a highly structured game of «Let’s Pretend» (the geek term is logical construct), that Internet users agree to if they want to play with one another. Ports do what they do simply because early Internet users reached consensus concerning them. If that seems abstract, remember that money works the same way. Why is a green-tinted picture of Benjamin Franklin worth a hundred US dollars? Because we all agree that it is. Why do ports work? Because we all want them to.

So, some geek god arbitrarily decreed in basso profundo tones, «When we send information to each other’s systems and address it to port number 25, let us herewith agree to assume that information is SMTP data, and thus treat it as e-mail.»

Another geek god responded in kind, saying, «So let it be written. And when we send information to each other’s systems and address it to fictitious port number, um, 80, let us agree to treat that information as HTTP data, so that we may have Web pages.» And the other geek gods chorused, «So let it be done.»

Okay, it wasn’t quite that simple. It actually involved lots of boring committees sorting things out over decades and recording them in dull RFCs, but what my version lacks in accuracy, it gains in brevity. My point is, a port is a made-up, or logical, endpoint for a connection, and ports allow the Internet to handle multiple applications over the same wires. Your system figures out how to treat data coming at it partially by looking at what port the data is destined for.


Bartender, more port for everyone!

Since there are five commonly used Internet services, the geek gods could’ve made up 20 or 30 ports (to allow room for future technologies), and called it an epoch. But apparently, making up ports is addictive, because today, RFC 1700 and the Internet Assigned Number Authority (IANA) have defined no less than 1,023 official «well-known ports,» and many other unofficial ones to boot. And those are just a subset of a grand total of 65,535 ports.

What in the world are all those ports used for? See for yourself by consulting the official IANA list.

But here’s a key concept: physically, we’re still dealing with nothing more than a wire running from your ISP to your machine. IANA can specify how the geek gods officially intend the ports to be used, but nothing stops anyone from doing whatever they want with any port. For example, HTTP traffic (Web pages and HTML), by convention, uses port 80. But if I want to send HTTP data to your port 8080 or 8888 just to see what happens, I can. In fact, if you and I agree to use 8080 for HTTP traffic in either direction, and configure our systems to follow that convention, it will work.

Which is where the fun begins for all those evil hackers as they cackle maliciously, wash their hands in the air, and contemplate breaking your system.

Ports exist either in allow (open) mode, or deny (closed; blocked) mode. If your mail server is in a state of readiness to receive SMTP traffic, we call that «listening on port 25.» That means port 25 is open. The main reason you interject a firewall between the Internet and your system is to get in the way of outsiders trying to access open ports. The applications on your network’s machines can open ports without waiting for your knowledge or permission. Some, like peer-to-peer file sharing or video conferencing software, open ports with the single-minded obsession of a frenzied border collie. Each of those open ports becomes another potential hole in your security, gullibly accepting whatever is sent to it, unless you take proactive steps to block it.

Now, back to the evil hackers. They count on you being clueless about ports. Hoping you’ve left something «listening,» they experimentally send code to your network addressed to ports you never thought of (such as port 31337, because in the dyslexic nomenclature of script kiddies, the numbers look like ElEET — as in, «elite» hacker). Researchers have posted several lists of ports that hackers consistently abuse. Search for such lists and consult them for real help when you interpret your firewall logs.

So here’s the point of this entire article: if you leave ports open, your network could accept whatever a hacker sends. Your goal is to block every port you can. Managing your firewall largely means playing around with ports and services, blocking whole ranges of ports — everything that your business does not require open. Although the default stance of the Firebox is to deny everything, since the day it was installed at your office, someone has opened it — that is, instructed it to allow network traffic through to certain ports on certain machines in your network. Was the firewall opened selectively and carefully? Or did someone mumble, «I don’t have time for this,» and create rules so the firewall permits everything, from anywhere, to anywhere? If so, you don’t really have a firewall. You have an expensive red paperweight.


Now that I know about ports, what should I do?

  1. Look at your Firebox log entries, learn which fields indicate ports, and monitor your network traffic to see what hits your system daily from the outside Internet. Compare anything unusual with a list of abused ports.
  2. Learn how to manually allow and deny services and ports on your Firewall, and get used to adjusting them frequently.
  3. Establish a regular time (at least twice a month) when you scan your network to find all open ports. Close anything you can. If in doubt, block the port. The worst that can happen is an angry co-worker saying, «I can’t listen to Internet radio!» Fifty such complaints are more desirable than one successful virus or Trojan horse.
  4. Once you get familiar with allowing and denying outside-in access to network ports, consider also egress filtering, which means controlling inside-out access from your network as well. Egress filtering further protects you from client-based network attacks.
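Steps 1 and 3 above, done with PowerShell on a Windows host: the first function summarizes which destination ports outsiders are hitting, from firewall log lines, and flags the ones on your watch list; the second lists local listening ports that nobody has deliberately opened. This is an added example, not code from the original article or from WatchGuard. The log lines and their field layout are constructed for the example (not the Firebox log format), the watch list entries other than the article's 31337 are placeholders, and the allow list in the usage line is sample input.

```powershell
# Added example (not from the original article). Requires Windows PowerShell 5.1 or later
# with the NetTCPIP module (Get-NetTCPConnection / Get-NetUDPEndpoint).

# Constructed sample log lines. The layout "time action proto src:port -> dst:port" is an
# assumption for this example, not the Firebox log format; adapt the regex to your logs.
$SampleLog = @'
2024-05-01T10:00:01 deny tcp 198.51.100.7:51234 -> 203.0.113.10:31337
2024-05-01T10:00:02 deny tcp 198.51.100.7:51235 -> 203.0.113.10:23
2024-05-01T10:00:03 allow tcp 198.51.100.22:44120 -> 203.0.113.10:443
2024-05-01T10:00:04 deny udp 198.51.100.9:40000 -> 203.0.113.10:1434
2024-05-01T10:00:05 deny tcp 198.51.100.7:51236 -> 203.0.113.10:31337
'@

# Ports you consider suspicious. 31337 is the article's example; the others are
# placeholders to be replaced with entries from a published abused-port list.
$WatchList = 23, 1434, 31337

function Get-PortHitSummary {
    param([Parameter(Mandatory)][string[]]$Lines, [int[]]$Watch = @())
    $pattern = '^(?<ts>\S+)\s+(?<action>allow|deny)\s+(?<proto>tcp|udp)\s+' +
               '(?<src>[\d.]+):(?<sport>\d+)\s+->\s+(?<dst>[\d.]+):(?<dport>\d+)$'
    $Lines | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{ Action = $Matches.action; Proto = $Matches.proto
                               DstPort = [int]$Matches.dport; Src = $Matches.src }
        }
    } | Group-Object Proto, DstPort | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Proto   = $first.Proto
            DstPort = $first.DstPort
            Hits    = $_.Count
            Denied  = @($_.Group | Where-Object Action -eq 'deny').Count
            Sources = (@($_.Group.Src) | Sort-Object -Unique) -join ', '
            Watched = $Watch -contains $first.DstPort   # on the abused-port list?
        }
    } | Sort-Object Hits -Descending
}

function Get-UnexpectedListeners {
    # $Allowed maps protocol to the ports you opened on purpose, e.g. @{ tcp = 443, 3389; udp = 53 }
    param([Parameter(Mandatory)][hashtable]$Allowed)
    $listeners = @(Get-NetTCPConnection -State Listen | ForEach-Object {
                     [pscustomobject]@{ Proto = 'tcp'; Port = $_.LocalPort; OwnerPid = $_.OwningProcess } }) +
                 @(Get-NetUDPEndpoint | ForEach-Object {
                     [pscustomobject]@{ Proto = 'udp'; Port = $_.LocalPort; OwnerPid = $_.OwningProcess } })
    $listeners | Sort-Object Proto, Port, OwnerPid -Unique | ForEach-Object {
        $proc = Get-Process -Id $_.OwnerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto    = $_.Proto
            Port     = $_.Port
            Process  = if ($proc) { $proc.ProcessName } else { "pid $($_.OwnerPid)" }
            Expected = [bool]($Allowed[$_.Proto] -contains $_.Port)
        }
    } | Where-Object { -not $_.Expected }   # what remains is a port nobody signed off on
}

# Usage: summarize the constructed log, then audit this machine against a sample allow list.
Get-PortHitSummary -Lines ($SampleLog -split "`r?`n") -Watch $WatchList | Format-Table -AutoSize
Get-UnexpectedListeners -Allowed @{ tcp = 135, 445, 3389; udp = 137, 138, 5353 } | Format-Table -AutoSize
```

The listener audit is the part worth scheduling (step 3): run it on the twice-monthly cadence the article suggests, and treat every row it returns as either something to add to the allow list with a written reason, or something to close.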

Ports are a foundational building block of the Internet, and thus, of Internet security. Have fun researching them. The more you learn, the smarter your firewall configuration will become. With a little practice, you’ll get it looking less like Swiss cheese, and more like the steel barrier «firewall» implies.

Resources:

  • One of the most respected books on this subject, Firewalls and Internet Security: Repelling the Wily Hacker, by William Cheswick and Steve Bellovin, has been posted on the Web in full at www.wilyhacker.com.


Firewall ports

Your organization’s firewall must be configured to allow connections from external
clients and devices to the SafeLinx Server. If a second firewall stands between the SafeLinx Server
and resources on the internal network, you must also establish rules that enable communications
between them.

In a typical SafeLinx Server deployment, the SafeLinx Server is placed in a DMZ between an
Internet-facing firewall and an enterprise-facing firewall. The two firewalls block unwanted
connections from the external and internal networks. Open firewall ports to and from the SafeLinx
Server for known connections only.

Your enterprise might deploy a firewall between the carrier network and the SafeLinx Server. In this case,
you must open a mobile network connection (MNC) port on the external firewall.

Figure 1. Data flow through a network

The preceding figure shows how an enterprise might deploy firewalls that use a single User
Datagram Protocol (UDP) MNC. For example, you might deploy a firewall between the SafeLinx Server
and internal application servers. If traffic connects to the application servers on ports 80 or 443,
you must open those firewall ports on both the internal and external firewalls. To enable SafeLinx
Clients to access the SafeLinx Server, you must open port 8889 for the MNC on the external firewall.
If firewall software is installed on the remote computer that hosts the SafeLinx Client, the
firewall software must also allow the SafeLinx Client to access the Internet.

Note: Many enterprises have strict security guidelines about opening
firewall ports. Make sure that appropriate security protocols are
followed.

If your network uses a dynamic host configuration protocol (DHCP)
server, make sure that it is located inside the DMZ between the firewalls.

The IP addressing scheme that you use in the DMZ between firewalls depends on your network
topology. You can have private, non-routable IP addresses, in which the firewall provides network
address translation (NAT) to substitute the IP address of the SafeLinx Server. In this case, devices on either
side of the DMZ, such as SafeLinx Clients or enterprise applications, would use the IP address of
the firewall. To route traffic to the SafeLinx Server, the firewall would, in turn, substitute
the SafeLinx Server’s private, non-routable IP address. Your enterprise might or might not use a
backend firewall between the SafeLinx Server and the internal network.

As you plan your network topology, it’s important to understand routing issues and the effect of
firewalls and NAT. If you use remote servers for persistent data storage, then where you place them
also plays a part in your network topology. If you locate your directory service server (DSS) or
relational database (RDB) servers outside the DMZ, then they too might use substituted NAT addresses
to connect to the SafeLinx Server.

The following tables list the firewall ports that must be open to allow SafeLinx to
communicate with different services.

Note: The HTTP services that you support might require opening
other ports on the Internet-facing firewall.

Table 1. Enterprise (internal) firewall ports that must be opened to support HTTP access services

Port number | Component that uses the port
53 | DNS servers
80 | HTTP access to application servers
389 | Non-secure LDAP server
443 | Secure HTTP service
686 | Secure LDAP server
1433 | Microsoft SQL Server (default instance; named instances use static ports)
1812 | RADIUS authentication (older RADIUS servers might use port 1645)
1813 | RADIUS accounting
3306 | MySQL
9610 | Authentication server
50000 | IBM DB2

Table 2. Internet-facing (external) firewall ports that must be open to support HTTP access services

Port number | Component that uses the port
443 | Secure HTTP service
1812 | RADIUS authentication
1813 | RADIUS accounting
9555/9559 | Remote non-secure/secure SafeLinx Administrator

Table 3. Enterprise (internal) firewall ports that must be open to support Mobile access services (SafeLinx Client VPN services)

Port number | Component that uses the port
53 | DNS servers
80 | HTTP access to application servers
389 | Non-secure LDAP server
443 | Secure HTTP access to application servers
686 | Secure LDAP server
1433 | Microsoft SQL Server
1812 | RADIUS authentication
1813 | RADIUS accounting
3306 | MySQL
50000 | IBM DB2

Note: To support SafeLinx Client access to certain applications, you might have to open specific
other ports in the enterprise firewall.

Table 4. Internet-facing (external) firewall ports that must be open to support Mobile access services (SafeLinx Client VPN services)

Port number | Component that uses the port
80 | TCP-based Mobile Network Connections (MNCs)
443 | TCP-based Mobile Network Connections (MNCs)
1812 | RADIUS authentication
9555/9559 | Remote non-secure/secure SafeLinx Administrator

Note: Some SafeLinx Servers support multiple external networks through multiple network adapters
(for example, cable modem and 802.11). To allow connectivity from all supported
networks, regardless of whether you have advance knowledge of their network address
ranges, set the virtual machine’s default route to the Internet-facing adapter.
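The tables above are a least-privilege specification: the text says to open ports "for known connections only", so a useful check is to compare what a firewall actually allows with what the table for its role requires. The following is an added example, not part of the SafeLinx documentation; it encodes Tables 1 to 4 as data and reports missing and unjustified openings. The "currently open" list and the justification for 8889 (the UDP MNC port mentioned above) are constructed sample input.

```powershell
# Added example (not from the SafeLinx documentation). Runs in Windows PowerShell 5.1 or
# PowerShell 7; it touches no firewall itself, it only compares two lists of ports.

# Required TCP ports per firewall role, taken from Tables 1-4 above.
$Required = @{
    'internal-http'   = 53, 80, 389, 443, 686, 1433, 1812, 1813, 3306, 9610, 50000
    'external-http'   = 443, 1812, 1813, 9555, 9559
    'internal-mobile' = 53, 80, 389, 443, 686, 1433, 1812, 1813, 3306, 50000
    'external-mobile' = 80, 443, 1812, 9555, 9559
}

function Compare-FirewallOpenings {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('internal-http','external-http','internal-mobile','external-mobile')]
        [string]$Firewall,
        [Parameter(Mandatory)][int[]]$CurrentlyOpen,   # what the firewall allows today
        [int[]]$Justified = @()                        # extra ports with a documented reason
    )
    $needed  = $Required[$Firewall]
    $missing = @($needed | Where-Object { $CurrentlyOpen -notcontains $_ })
    $excess  = @($CurrentlyOpen | Where-Object {
        ($needed -notcontains $_) -and ($Justified -notcontains $_) })
    [pscustomobject]@{
        Firewall  = $Firewall
        Missing   = $missing   # required by the table but still closed
        Excess    = $excess    # open, but neither in the table nor justified
        Compliant = ($missing.Count -eq 0 -and $excess.Count -eq 0)
    }
}

# Constructed sample: the external firewall of a mobile-access deployment. 8889 is the UDP
# MNC port from the text and is passed as justified; 22 has no listed use.
$externalOpen = 22, 80, 443, 1812, 8889, 9555, 9559
Compare-FirewallOpenings -Firewall 'external-mobile' -CurrentlyOpen $externalOpen -Justified 8889
```

For the sample input the function reports port 22 as excess and nothing as missing, so the firewall is not compliant until 22 is either closed or added to the justified list with a reason. The same call against a real rule export, one role at a time, gives you the review the note "open firewall ports for known connections only" asks for.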

To restrict connections from external networks, you can either configure
appropriate rules on your external firewall, or specify static routing paths for
the appropriate subnets. In this configuration, set the default route of the
virtual machine to something other than the Internet-facing adapter.

Windows client firewall and port settings — Configuration Manager


Applies to Configuration Manager (current branch)

Client computers in Configuration Manager that are running Windows Firewall often need to configure exceptions to allow communication with their site. The exceptions that you need to configure depend on the management features you use with the Configuration Manager client.

Use the following sections to identify these management features and learn more about configuring Windows Firewall for these exceptions.

Changing the ports and programs allowed by Windows Firewall

Use the following procedure to change the ports and programs in Windows Firewall for the Configuration Manager client.

Change the ports and programs allowed by Windows Firewall
  1. On a computer that runs Windows Firewall, open Control Panel.

  2. Right-click Windows Firewall and select Open.

  3. Configure any required exceptions and any required user programs and ports.

Programs and ports required by Configuration Manager

The following Configuration Manager features require Windows Firewall exceptions:

Queries

When you run a query, Windows Firewall prompts you with a request to unblock statview.exe. If you unblock statview.exe, subsequent queries run without errors. You can also manually add Statview.exe to the list of programs and services on the Exceptions tab in Windows Firewall before a query is run.

Client push installation

To use client push to install the Configuration Manager client, enable File and Printer Sharing as an exception in Windows Firewall.

Client requests

To allow client computers to communicate with Configuration Manager site systems, add the following exceptions to Windows Firewall:

Outbound: TCP port 80 (for HTTP communication)

Outbound: TCP port 443 (for HTTPS communication)

Important!

These are the default port numbers, and they can be changed in Configuration Manager. For more information, see How to Configure Client Communication Ports. If these ports have been changed from their default values, you must also configure the matching exceptions in Windows Firewall.

Client notification

To have the management point notify client computers of an action to take when an administrative user selects a client action in the Configuration Manager console, such as downloading computer policy or running a malware scan, add the following as an exception to Windows Firewall:

Outbound: TCP port 10123

If this communication fails, Configuration Manager will automatically fall back to using the existing communication port between the client and the HTTP or HTTPS management point:

Outgoing: TCP port 80 (for HTTP communication)

Outgoing: TCP port 443 (for HTTPS communication)

Important!

These are the default port numbers, and they can be changed in Configuration Manager. For more information, see Configuring Client Communication Ports. If these ports have been changed from their default values, you must also configure the matching exceptions in Windows Firewall.

Remote Management

To use Configuration Manager Remote Management, allow the following port:

  • Inbound: TCP Port 2701

Remote Assistance and Remote Desktop

To initiate Remote Assistance from the Configuration Manager console, add the custom program Helpsvc.exe and the custom inbound TCP port 135 to the list of allowed programs and services in Windows Firewall on the client computer. You must also allow Remote Assistance and Remote Desktop. When you start Remote Assistance from a client computer, Windows Firewall automatically configures and allows Remote Assistance and Remote Desktop.

Wake-up proxy

If you enable the wake-up proxy client setting, a new service named ConfigMgr Wake-up Proxy uses a peer-to-peer protocol to check if other computers on the subnet are awake and wake them up if necessary. This interaction uses the following ports:

Outbound: UDP port 25536

Outbound: UDP port 9

These are the default values of the Power Management client settings for the wake-up proxy port number (UDP) and the Wake On LAN port number (UDP). If you specify the Power Management client setting Windows Firewall exception for wake-up proxy, these ports are automatically configured in Windows Firewall for clients. However, if clients run a different firewall, you must manually configure exceptions for these port numbers.

In addition to these ports, the wake-up proxy also uses ICMP echo request messages from one client computer to another client computer. This communication is used to confirm whether the other client computer is online. ICMP is sometimes referred to as TCP/IP ping commands.

For more information about the wake-up proxy, see Schedule client wake-ups.

Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics

To access Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics from the Configuration Manager console, enable File and Printer Sharing as an exception in Windows Firewall.

Ports used during Configuration Manager client deployment

The following tables list the ports used during the client installation process.

Important!

If there is a firewall between the site system servers and the client computer, verify that the firewall allows traffic on the ports required for the selected client installation method. For example, firewalls often prevent successful client push installation by blocking Server Message Block (SMB) and Remote Procedure Calls (RPC). In this scenario, use a different client installation method, such as manual installation (running CCMSetup.exe) or Group Policy-based client installation. These alternative client installation methods do not require SMB or RPC.

For information about configuring Windows Firewall on a client computer, see Change the ports and programs allowed by Windows Firewall.

Ports used for all installation methods

  • TCP 80: HTTP from the client computer to a fallback status point, when a fallback status point is assigned to the client (see note 1, alternate port available).

Ports used when pushing the client

  • TCP 445: Server Message Block (SMB) between the site server and the client computer.
  • UDP 135 and TCP 135: RPC endpoint mapper between the site server and the client computer.
  • TCP, dynamic range: dynamic RPC ports between the site server and the client computer.
  • TCP 80: HTTP from the client computer to the management point when the connection is made over HTTP (see note 1, alternate port available).
  • TCP 443: HTTPS from the client computer to the management point when the connection is made over HTTPS (see note 1, alternate port available).

Ports used in software update point-based installation

  • TCP 80 or 8530: HTTP from the client computer to the software update point (see note 2, Windows Server Update Services).
  • TCP 443 or 8531: HTTPS from the client computer to the software update point (see note 2, Windows Server Update Services).
  • TCP 445: Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup /source: command-line property.

Ports used in Group Policy-based installation

  • TCP 80: HTTP from the client computer to the management point when the connection is over HTTP (see note 1, alternate port available).
  • TCP 443: HTTPS from the client computer to the management point when the connection is over HTTPS (see note 1, alternate port available).
  • TCP 445: Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup /source: command-line property.

Ports used in manual and login script installations

  • TCP 445: Server Message Block (SMB) between the client computer and the network share from which CCMSetup.exe is running. When you install Configuration Manager, the client installation source files are copied to, and automatically shared from, the \Client folder on management points. However, you can copy these files and create a new shared folder on any computer on the network. Alternatively, this network traffic can be eliminated by running CCMSetup.exe locally, such as from removable media.
  • TCP 80: HTTP from the client computer to the management point when the connection is over HTTP and the CCMSetup /source: command-line property is not specified (see note 1, alternate port available).
  • TCP 443: HTTPS from the client computer to the management point when the connection is over HTTPS and the CCMSetup /source: command-line property is not specified (see note 1, alternate port available).
  • TCP 445: Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup /source: command-line property.

Ports used in software distribution based installation

  • TCP 445: Server Message Block (SMB) between the distribution point and the client computer.
  • TCP 80: HTTP from the client computer to the distribution point when the connection is over HTTP (see note 1, alternate port available).
  • TCP 443: HTTPS from the client computer to the distribution point when the connection is over HTTPS (see note 1, alternate port available).

Notes

  1. Alternate port available: Configuration Manager can define an alternate port for this value. If a custom port is defined, substitute it when you define IP address filter information for IPsec policies or configure firewalls.

  2. Windows Server Update Services: You can install Windows Server Update Services (WSUS) on the default website (port 80) or on a custom website (port 8530). You can change the port after installation, and you don’t need to use the same port number throughout the site hierarchy. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higher, for example 8530 and 8531.
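The "Important" box above says to verify, before choosing an installation method, that the firewall allows the ports that method needs. The following is an added example, not code from the Configuration Manager documentation: it encodes the per-method port tables above as data, probes the TCP ports from the computer you run it on, and checks the WSUS port pairing rule from note 2. Host names ending in .invalid are placeholders; Test-NetConnection probes TCP only, so the UDP 135 and dynamic RPC rows are listed but not tested.

```powershell
# Added example (not from the Configuration Manager documentation). Requires Windows
# PowerShell 5.1 or later with the NetTCPIP module (Test-NetConnection).

function Get-ClientInstallPorts {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ClientPush','SoftwareUpdatePoint','GroupPolicy','Manual','SoftwareDistribution')]
        [string]$Method,
        [int]$HttpPort = 80, [int]$HttpsPort = 443,           # site defaults; see note 1
        [int]$WsusHttpPort = 8530, [int]$WsusHttpsPort = 8531 # custom WSUS website; see note 2
    )
    function row($From, $To, $Proto, $Port, $Why) {
        [pscustomobject]@{ From = $From; To = $To; Protocol = $Proto; Port = $Port; Why = $Why }
    }
    # Every method: HTTP to the fallback status point, if one is assigned to the client.
    $rows = @(row 'Client' 'FallbackStatusPoint' 'TCP' $HttpPort 'HTTP to fallback status point')
    $mp  = @(row 'Client' 'ManagementPoint' 'TCP' $HttpPort  'HTTP to management point'
             row 'Client' 'ManagementPoint' 'TCP' $HttpsPort 'HTTPS to management point')
    $src = row 'Client' 'SourceServer' 'TCP' 445 'SMB when CCMSetup /source: is specified'
    switch ($Method) {
        'ClientPush' { $rows += @(
            row 'SiteServer' 'Client' 'TCP' 445       'SMB'
            row 'SiteServer' 'Client' 'UDP' 135       'RPC endpoint mapper'
            row 'SiteServer' 'Client' 'TCP' 135       'RPC endpoint mapper'
            row 'SiteServer' 'Client' 'TCP' 'dynamic' 'Dynamic RPC ports') + $mp }
        'SoftwareUpdatePoint' { $rows += @(
            row 'Client' 'SoftwareUpdatePoint' 'TCP' $WsusHttpPort  'HTTP to software update point'
            row 'Client' 'SoftwareUpdatePoint' 'TCP' $WsusHttpsPort 'HTTPS to software update point'
            $src) }
        'GroupPolicy' { $rows += $mp + $src }
        'Manual' { $rows += @(row 'Client' 'InstallShare' 'TCP' 445 'SMB to the share running CCMSetup.exe') + $mp + $src }
        'SoftwareDistribution' { $rows += @(
            row 'Client' 'DistributionPoint' 'TCP' 445        'SMB to distribution point'
            row 'Client' 'DistributionPoint' 'TCP' $HttpPort  'HTTP to distribution point'
            row 'Client' 'DistributionPoint' 'TCP' $HttpsPort 'HTTPS to distribution point') }
    }
    $rows
}

function Test-ClientInstallPorts {
    param(
        [Parameter(Mandatory)][string]$Method,
        [Parameter(Mandatory)][hashtable]$Hosts,   # role -> host, e.g. @{ ManagementPoint = 'mp01.corp.example' }
        [ValidateSet('Client','SiteServer')][string]$RunningAs = 'Client',
        [hashtable]$PortOverrides = @{}            # e.g. @{ HttpPort = 8080; HttpsPort = 8443 }
    )
    Get-ClientInstallPorts -Method $Method @PortOverrides |
        Where-Object { $_.From -eq $RunningAs -and $_.Protocol -eq 'TCP' -and
                       $_.Port -is [int] -and $Hosts.ContainsKey($_.To) } |
        ForEach-Object {
            $r = Test-NetConnection -ComputerName $Hosts[$_.To] -Port $_.Port -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $Hosts[$_.To]; Port = $_.Port; Why = $_.Why; Open = $r.TcpTestSucceeded }
        }
}

# Note 2: the WSUS HTTPS port must be 443 when HTTP is 80, otherwise exactly one higher.
function Test-WsusPortPair {
    param([int]$HttpPort, [int]$HttpsPort)
    if ($HttpPort -eq 80) { return ($HttpsPort -eq 443) }
    return ($HttpsPort -eq $HttpPort + 1)
}

# Usage with placeholder hosts: list what client push needs, probe the MP from this client,
# and validate a custom WSUS website pair.
Get-ClientInstallPorts -Method ClientPush | Format-Table -AutoSize
Test-ClientInstallPorts -Method ClientPush -Hosts @{ ManagementPoint = 'mp01.example.invalid' } | Format-Table -AutoSize
Test-WsusPortPair -HttpPort 8530 -HttpsPort 8531
```

Run the same test with -RunningAs SiteServer on the site server (with the client's name under the Client key) to cover the SMB and RPC direction that client push depends on; if those rows come back closed and the firewall cannot be changed, the text above points you at manual or Group Policy installation instead.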

How to open a port in the Windows firewall

Programs communicate on the network through network sockets. A socket consists of the computer’s IP address and a port. In Windows, blocking and allowing access to ports is controlled by the built-in firewall, «Windows Firewall». Many programs create the firewall rules that open their ports during installation. If that did not happen, you need to create such rules yourself.

First of all, you need to find out the port number through which the program communicates. If the port is known, then you can start configuring the firewall. Otherwise, you will have to find out which network port the program used for its needs. How to do this can be found in the article «How to find out which port a program is using».

To open a port in Windows Firewall, open Windows Defender Firewall with Advanced Security (wf.msc) and create an inbound rule that specifies the protocol type and port number of the network connection.

The firewall can also allow all network connections for a specific program, in which case there is no need to open individual ports for it.

1. Open Windows Defender Firewall with Advanced Security.

The fastest way to open the firewall settings is to press Win+R and type wf.msc.

2. Select the «Inbound Rules» item, then the «Create Rule» action.

3. Rule type: «For port».

In total there are four rule types available in the New Rule Wizard:

  • For a program: open all the ports used by the specified program;
  • For a port: open only the specified ports, regardless of which program uses them;
  • Predefined: a set of predefined rules for specific Windows services and programs;
  • Custom: more complex and detailed rules, with the ability to specify the network protocol, port, program and network segment.

4. Specify the protocol and port numbers.

In addition to the port number, at this step you must select the transport protocol, TCP or UDP. If you do not know which protocol the program uses, find out with the netstat -aon command at the command line, or with the TCPView or CurrPorts utilities.

In most cases, Windows programs use TCP as the transport protocol.

If there are several ports, separate them with commas. A port range, for example all ports from 5000 to 5010, is written with a hyphen (5000-5010).

5. Action — Allow connection.

The «Allow the connection» action allows all network connections to this port; this option is appropriate in most cases.

Selecting the second option, «Allow the connection if it is secure», opens the port only for connections protected by IPsec (for example, an IPsec-based VPN).

6. Specify the profiles to which the rule applies.

By default, all profiles are selected, and it is better to leave this unchanged: the network profile can switch automatically, and a rule limited to one profile would then stop applying and the port would become unavailable.

7. Rule name

Give the rule any name you will recognize later. The simplest option is the program name and port number, for example: Radmin port 4899.

Check the list of inbound rules; it must contain the rule you just created.
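Steps 2 to 7 of the wizard, done from an elevated PowerShell instead of by hand, together with the final check that the rule exists as intended. This is an added example, not code from the original article. "Radmin port 4899" is the article's own example name; the second rule, its UDP port range and the IPsec requirement are constructed sample input.

```powershell
# Added example (not from the original article). Requires an elevated PowerShell on
# Windows 8 / Windows Server 2012 or later (NetSecurity module: New-NetFirewallRule,
# Get-NetFirewallRule, Get-NetFirewallPortFilter, Get-NetFirewallSecurityFilter).

function New-InboundPortRule {
    param(
        [Parameter(Mandatory)][string]$Name,                    # step 7: a name you will recognize later
        [Parameter(Mandatory)][string[]]$Port,                  # step 4: '4899', '5000-5010', or several
        [ValidateSet('TCP','UDP')][string]$Protocol = 'TCP',    # step 4: most Windows programs use TCP
        [switch]$RequireIPsec,                                  # step 5: "Allow the connection if it is secure"
        [string[]]$Profiles = @('Domain','Private','Public'),   # step 6: keep all profiles unless you have a reason
        [string]$Program                                        # optional: also pin the rule to one executable
    )
    $params = @{
        DisplayName = $Name
        Direction   = 'Inbound'   # step 2: Inbound Rules
        Protocol    = $Protocol
        LocalPort   = $Port       # step 3: rule type "Port"
        Action      = 'Allow'     # step 5
        Profile     = $Profiles
    }
    if ($RequireIPsec) { $params.Authentication = 'Required' }  # only IPsec-authenticated peers
    if ($Program)      { $params.Program = $Program }
    New-NetFirewallRule @params | Out-Null
    Get-InboundPortRule -Name $Name
}

function Get-InboundPortRule {
    # The check from the last step: read the rule back and show what it actually permits.
    param([Parameter(Mandatory)][string]$Name)
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop
    $pf   = $rule | Get-NetFirewallPortFilter
    $sf   = $rule | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Enabled   = $rule.Enabled
        Direction = $rule.Direction
        Action    = $rule.Action
        Protocol  = $pf.Protocol
        LocalPort = $pf.LocalPort
        Profile   = $rule.Profile
        IPsecOnly = ($sf.Authentication -eq 'Required')
    }
}

# Usage: the article's example rule, then a constructed UDP range limited to IPsec peers.
New-InboundPortRule -Name 'Radmin port 4899' -Port 4899
New-InboundPortRule -Name 'ExampleApp 5000-5010' -Port '5000-5010' -Protocol UDP -RequireIPsec
```

Keep the rule as narrow as the program needs: add -Program to tie it to one executable, and prefer -RequireIPsec where the peers support it, since a port rule without either accepts connections from anything that can reach the host on that profile.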

Many people simply turn off the firewall to make things easier for themselves. All of the computer’s ports are then open and there is no more struggling with port rules. But this is wrong: in that situation the operating system is completely exposed to network threats. If a virus gets onto one computer on the network, every other device with its firewall turned off is affected immediately.