CIS ver5: System(4) Listening port on: 445 question

Happy New Year guys ;D!

Trying to learn CIS again still here. Please bear with me. Recently I checked via ShieldsUP for stealth capability I saw a 445 open port. So I made a rule to block port 445 along with ports 135-139, 5500, 5800, 3389, 5900-5903. I also disabled NetBiosHelper in the Control Panel>Administrat…>Services and Disabled NetBIOS via >properties>TCP/IPv4>advanced>WINS>disable NetBIOS. I was unchecking LMHosts but when I check it again it remains checked again. (this is on a dial-up).

The next ShieldsUP test was a TruStealth and same as that of PCFlank stealth test. But I always see “System(4) Listening port on: 445”

(a) How can I disable listening at port 445?

I know that this may have been asked before but I do not know where I stand on this…please bear with me. GRC says that port 445 should be closed. Though I have a TruStealth I am wondering if I let it remain like that in its “listening mode”…something might get in or what…?

I read in http://www.petri.co.il/what’s_port_445_in_w2k_xp_2003.htm that:

"If the client has NetBT enabled, it will always try to connect to the server at both port 139 and 445 simultaneously. If there is a response from port 445, it sends a RST to port 139, and continues its SMB session to port 445 only. If there is no response from port 445, it will continue its SMB session to port 139 only, if it gets a response from there. If there is no response from either of the ports, the session will fail completely.

If the client has NetBT disabled, it will always try to connect to the server at port 445 only. If the server answers on port 445, the session will be established and continue on that port. If it doesn’t answer, the session will fail completely. This is the case if the server for example runs Windows NT 4.0."

—I have disabled NetBIOS…why am I seeing listening activity in port 445 still? ???

(b) I also see a 5357 there in the CIS firewall active connections window…listening. I do not remember creating a rule for that…What is that? ???

[attachment deleted by admin]

You can disable port 445 by editing the registry. Go to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters

Edit the value: TransportBindName to remove \Device. Reboot.

If you need NetBIOS\SMB connectivity for your LAN, create a firewall rule that allows these ports for the LAN and blocks for everywhere else.

Port 5357 UDP and TCP is Windows Network Discovery. You can disable this selectively, for public\private networks, from the Network and Sharing Centre\Advanced Sharing Settings.

Looking at your Global Rules the following comments:

  • All the rules under the “Block All IP In from MAC any to MAC any where Protocol is Any” are not active because of the Block All IP rule
  • Make sure that all blocks for outgoing traffic are above the “Allow All IP OUT from MAC Any to MAC Any where Protocol is Any”. That is because rules are read top-down
  • All rules for blocking incoming traffic should be somewhere above the “Block All IP In from MAC any to MAC any where Protocol is Any”. That is because rules are read top-down
  • The rule to block all incoming UDP and TCP makes the blocks on incoming ports underneath it useless

Following this should clear up things for you.

You are using default Stealth settings. With System listening it is still not getting anything to listen to because of Stealth settings.

I would say go back to the default stealth settings. Then all incoming traffic gets blocked.

To further deal with System. Follow this tutorial on how to disable Netbios.
Or make a block rule for outgoing traffic for System on source ports 137-139 and 445 with destination port Any.
Or make a block rule in Global Rules for these ports; make sure the rule is above the Allow All IP out rule.
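
The ordering points in the reply above can be checked mechanically. This is an added example, not part of the original thread and not Comodo's own code: it assumes first-match-wins evaluation (consistent with "rules are read top-down"), compares only direction, protocol and destination port, and uses a constructed rule set with hypothetical rule names.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                           # "Allow" or "Block"
    direction: str                        # "in" or "out"
    protocol: str                         # "ip" (any protocol), "tcp" or "udp"
    dst_ports: Optional[Tuple[int, int]]  # inclusive range; None means Any
    name: str


def proto_covers(outer: str, inner: str) -> bool:
    """An IP rule covers every protocol; otherwise protocols must be equal."""
    return outer == "ip" or outer == inner


def ports_cover(outer, inner) -> bool:
    """True when every port matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(a: Rule, b: Rule) -> bool:
    """True when rule `a` matches all traffic that rule `b` matches."""
    return (a.direction == b.direction
            and proto_covers(a.protocol, b.protocol)
            and ports_cover(a.dst_ports, b.dst_ports))


def first_match(rules: List[Rule], direction: str, protocol: str, dst_port: int):
    """Walk the list top-down; return (action, index) of the first matching rule."""
    for index, rule in enumerate(rules):
        if rule.direction != direction or not proto_covers(rule.protocol, protocol):
            continue
        if rule.dst_ports is not None and not (
                rule.dst_ports[0] <= dst_port <= rule.dst_ports[1]):
            continue
        return rule.action, index
    return None  # no rule matched; what happens next is outside this model


def find_shadowed(rules: List[Rule]):
    """Return (rule_index, covering_index) for each rule that can never fire
    because a single earlier rule already matches all of its traffic."""
    shadowed = []
    for later_idx, later in enumerate(rules):
        for earlier_idx in range(later_idx):
            if covers(rules[earlier_idx], later):
                shadowed.append((later_idx, earlier_idx))
                break
    return shadowed


# Constructed rule set showing the ordering mistakes described in the reply.
MISORDERED = [
    Rule("Allow", "out", "ip", None, "Allow All IP Out"),
    Rule("Block", "out", "tcp", (445, 445), "Block TCP Out 445"),
    Rule("Block", "in", "tcp", None, "Block all TCP In"),
    Rule("Block", "in", "tcp", (135, 139), "Block TCP In 135-139"),
    Rule("Block", "in", "ip", None, "Block All IP In"),
    Rule("Block", "in", "tcp", (3389, 3389), "Block TCP In 3389"),
]

# Same intent with the specific outgoing block placed above the allow-all
# rule and the redundant incoming blocks removed.
REORDERED = [
    Rule("Block", "out", "tcp", (445, 445), "Block TCP Out 445"),
    Rule("Allow", "out", "ip", None, "Allow All IP Out"),
    Rule("Block", "in", "ip", None, "Block All IP In"),
]

if __name__ == "__main__":
    for idx, by in find_shadowed(MISORDERED):
        print(f"'{MISORDERED[idx].name}' never fires: "
              f"covered by '{MISORDERED[by].name}'")
    print(first_match(MISORDERED, "out", "tcp", 445))
    print(first_match(REORDERED, "out", "tcp", 445))
```
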

Hi EricJH,

I am still new to settings rules in Comodo and thanks for pointing it out to me. I will adjust and attach the images here for your kind perusal again. Really wanna learn this and I am glad of the assistance given.

Will be back here. Thanks again!

I was browsing here and found this topic. I do have frequent alerts about something trying to connect via port 445. I just block it. I don’t know what it is. I am sorry if I jump in here but how can I set it in CIS to permanently block access to port 445?

I hope you don’t mind voltron:-)

Thank you!

Hi EricJH,

Sorry for late reply. I had trouble with my pc and I had to replace the hdd. Now have formatted a new system disk and have applied the settings. Kindly see images attached if I have place the “Block IN” and “Block OUT” correctly in the Global rules.

This is in XP SP3 first. I’ll be formatting another hdd with Windows 7 x32 later.

Allow me a couple of more questions please:

(a)
“Or make a block rule for outgoing traffic for System on source ports 137-139 and 445 with destination port Any.”
– How can I make that rule for “System” (assuming I will not apply the Global rule blocking of IN/OUT of ports 135-139 and 445…?)

(b)
In the Network Control Rule dialog box, if I want to place a Block rule for “In/Out” for a range of ports, say, 5900-5903, how will the “Source Port/Destination Port” be? Will I place “Any” for both?

For a single port, what will I place in both “Source Port/Destination Port”…?

Where will it be placed in the Global Rules arrangement…?

Thanks!

voltron:-)

[attachment deleted by admin]

No problem. I always check if there are unread posts to topics I am engaged in. Thx for your pm.

Now have formatted a new system disk and have applied the settings. Kindly see images attached if I have place the "Block IN" and "Block OUT" correctly in the Global rules.

This is in XP SP3 first. I’ll be formatting another hdd with Windows 7 x32 later.

Allow me a couple of more questions please:

(a)
“Or make a block rule for outgoing traffic for System on source ports 137-139 and 445 with destination port Any.”
– How can I make that rule for “System” (assuming I will not apply the Global rule blocking of IN/OUT of ports 135-139 and 445…?)
It works the same as when making Global Rules.

(b) In the Network Control Rule dialog box, if I want to place a Block rule for "In/Out" for a range of ports, say, 5900-5903, how will the "Source Port/Destination Port" be? Will I place "Any" for both?

You will have to make two separate Global Rules. One for incoming and one for outgoing traffic on those ports. For incoming Source Port Any and Destination Port 59000-59003 and for outgoing the other way around.

For a single port, what will I place in both "Source Port/Destination Port"...?

Where will it be placed in the Global Rules arrangement…?

Thanks!

voltron:-)

Similar as to what I wrote in the above

In Global Rules you don’t need the block rules for incoming traffic at the mentioned ports 445 and 135-139; you can remove them from Global Rules. That is because all incoming traffic is being blocked with the Stealth settings you are using.

You can also remove the block rules in Global Rules for the outgoing traffic on the ports when you are going to make block rules for System; which is the best way. Outgoing traffic is best handled with Application Rules not in Global Rules.

Since all incoming traffic gets blocked it is of no consequence that System is still listening at port 445. Keep in mind that incoming traffic first goes through Global Rules and then through Application Rules; traffic gets stopped with your settings before it can reach listening System.

@EricJH,

Thanks for the reply. I will check it out and be back here to post with images. Will get back soon. :slight_smile:

Hi EricJH,

Thanks so much for the explanations and teaching me to understand CIS. Really really very interested here:)

Kindly check some additional queries please just to be sure(sorry really a firewall newbie here:)…)

(A)

“It works the same as when making Global Rules”
– I am still kinda slow in this regard but can you check this:

I will go to:

i) Network Security Policy>System>Add>Application Network Access Control

-from Application Network Access Control, what will I select…? Use a Predefined Policy or Use a Custom Policy? or, Just click “Add” in the bottom which will open ‘Network Control Rule’…?

or,

ii) Right Click System>Add Rule>Network Control Rule

(B)

“In Global Rules you don’t need the block rules for incoming traffic at the mentioned ports
445 and 135-139; you can remove them from Global Rules. That is because all incoming
traffic is being blocked with the Stealth settings you are using.”

– I will delete all “incoming blocks” for Port 445 and 135-139 only because I have selected Stealth Port Wizard>Block all incoming ports and make my ports stealth to everyone…correct?

– I have also blocked incoming/outgoing ports 5500, 5800 and 5900-5903 and 3389 in addition to 445, 135-139 (got it from here…http://forum.hidemyass.com/showthread.php?tid=1416). Do I need to place incoming block rules for ports 5500, 5800 and 5900-5903 and 3389…?

Or,

– will the >Stealth Port Wizard>Block all incoming ports and make my ports stealth to everyone also apply in this scenario…?

(if it does, so I do not need to place incoming blocks all over…yes?)

– How can I check if the “Stealth Port Wizard>Block all incoming ports and make my ports stealth to everyone” is always applied? Is there a way to do this check?

(C)

“You can also remove the block rules in Global Rules for the outgoing traffic on the ports
when you are going to make block rules for System; which is the best way. Outgoing traffic is best handled with Application Rules not in Global Rules.”

– It is best to remove all the “outgoing block rules” I made in Global Rules and place it in ‘Application Rules’ instead.

(D)

Are there any ports that I should be blocking that you can advise me. Known ports that are used by hackers or some sort?

(E)

Mentioning again the link —CIS is highly recommended:) (http://forum.hidemyass.com/showthread.php?tid=1416) from which I got the ports and some tutorial references I inquired here about, can you comment on the “…Other ports of interest: 8080 is used for HTTP proxy but also used by hackers to impersonate your pc…etc” paragraph…

Is it needed or just the ports I listed that I should block. I have SSDP disabled/Messenger(I don’t use it).

(F)

Assuming that,

i) “Stealth Port Wizard>Block all incoming ports and make my ports stealth to everyone” will block all incoming connections. I have deleted all incoming blocks in the Global Rules.
Kindly see image attached verification.

ii) In reference to (C), all outgoing blocks were moved to Application Rules.
Kindly see image attached for verification.

See also the Events.jpg based on the previous block rules I have posted(prior to i and ii)


Hope I did not bore you from the newbie questions. I really really am very thankful for the support and teaching on the post. Still very new to understanding CIS but I am learning now:)

Thanks again!

[attachment deleted by admin]

Hi EricJH,

With the new settings I have made through your assistance I see that there are no intrusions blocked by the firewall component. Please see image attached.

Will I save the configuration and later load it to the Windows 7 format I will make or I have to make a new settings for Windows 7…

Thanks again for the assistance here. :smiley:

[attachment deleted by admin]

The second one works very easy

(B) "In Global Rules you don't need the block rules for incoming traffic at the mentioned ports 445 and 135-139; you can remove them from Global Rules. That is because all incoming traffic is being blocked with the Stealth settings you are using."

– I will delete all “incoming blocks” for Port 445 and 135-139 only because I have selected Stealth Port Wizard>Block all incoming ports and make my ports stealth to everyone…correct?

– I have also blocked incoming/outgoing ports 5500, 5800 and 5900-5903 and 3389 in addition to 445, 135-139 (got it from here…http://forum.hidemyass.com/showthread.php?tid=1416). Do I need to place incoming block rules for ports 5500, 5800 and 5900-5903 and 3389…?
Or,
– will the >Stealth Port Wizard>Block all incoming ports and make my ports stealth to everyone also apply in this scenario…?

(if it does, so I do not need to place incoming blocks all over…yes?)

Exactly, you are hitting the proverbial nail on the head. You don’t need to block those specific incoming ports as all traffic gets blocked by the Stealth settings you are using.

-- How can I check if the "Stealth Port Wizard>Block all incoming ports and make my ports stealth to everyone" is always applied? Is there a way to do this check?

See first attached image. That will show the Stealth Settings. The second image will show the default settings "Alert me to incoming connections and make my ports stealth on a per-case basis".

(C)

“You can also remove the block rules in Global Rules for the outgoing traffic on the ports
when you are going to make block rules for System; which is the best way. Outgoing traffic is best handled with Application Rules not in Global Rules.”

– It is best to remove all the “outgoing block rules” I made in Global Rules and place it in ‘Application Rules’ instead.

Right on the mark.

(D)

Are there any ports that I should be blocking that you can advise me. Known ports that are used by hackers or some sort?

For incoming traffic you have the Stealth settings to protect from all unsolicited access requests.

(E) Mentioning again the link ---CIS is highly recommended:) (http://forum.hidemyass.com/showthread.php?tid=1416) from which I got the ports and some tutorial references I inquired here about, can you comment on the "........Other ports of interest: 8080 is used for HTTP proxy but also used by hackers to impersonate your pc...etc" paragraph..

Is it needed or just the ports I listed that I should block. I have SSDP disabled/Messenger(I don’t use it).

Malwares may sometimes reroute your traffic through a proxy server of their own. You could add a global rule to ask all outgoing traffic to TCP port 8080.

The tutorial is using the Comodo Firewall in a different fashion than I am doing. He is handling a lot of things in Global Rules rather than with Application Rules.

In the Comodo logic outgoing traffic is handled by Application Rules and Defense + would have alerted you and prevented programs getting infected in the first place. It’s a different way of thinking.

(F)

Assuming that,

i) “Stealth Port Wizard>Block all incoming ports and make my ports stealth to everyone” will block all incoming connections. I have deleted all incoming blocks in the Global Rules.
Kindly see image attached verification.

ii) In reference to (C), all outgoing blocks were moved to Application Rules.
Kindly see image attached for verification.

See also the Events.jpg based on the previous block rules I have posted(prior to i and ii)


Hope I did not bore you from the newbie questions. I really really am very thankful for the support and teaching on the post. Still very new to understanding CIS but I am learning now:)

Thanks again!

Your topic can be useful for other users.

I need to change one of my advices I see.

You can keep the block rules for outgoing Netbios (135-139) and Microsoft DS (445) in the rule for System as that deals with sharing files, folders and printers over the local network. You can remove the blocks for incoming traffic in the rule for System. Because incoming traffic first sees your stealth Global Rules they are not needed there.

For the block rule for outgoing traffic on the other ports you need to make Global Rules if you want a general block like in the tutorial. Sorry for the misunderstanding.

[attachment deleted by admin]

Hello EricJH,

Thanks so much for the assistance. Allow a couple of more queries please. I’m learning here thanks to you!

(A)
“Malwares may sometimes reroute your traffic through a proxy server of their own. . You could add a global rule to ask all outgoing traffic to TCP port 8080.”
– How can I do that? Is this correct?
Global Rules>Network Control Rule>Add:

Action: Allow
Protocol: TCP
Direction: In/Out
Description: Allow all outgoing traffic to TCP port 8080
Source Address: –
Destination Address: –
Source Port: 8080
Destination Port: Any

(B)
"You can keep the block rules for outgoing Netbios (135-139) and Microsoft DS (445) in the rule for System as that deals with sharing files, folders and printers over the local network. "
–Did that. OK.

(C)
“You can remove the blocks for incoming traffic in the rule for System. Because incoming traffic first sees your stealth Global Rules they are not needed there.”
–Okay removed it all because of the stealth Global Rules.

(D)
“For the block rule for outgoing traffic on the other ports you need to make Global Rules if you want a general block like in the tutorial. Sorry for the misunderstanding.”
– So for block rules for ports 5900-5903/3389, 5800, 5500 I will remove it in the Application Rules and instead make it in Global Rules…? Which is more effective…

(i) a general block rule for ports 5900-5903/3389, 5800, 5500 instead of Application block rules
(ii) Application block rules for ports 5900-5903/3389, 5800, 5500

(tutorial in the link o what we do here…?)

(E)
In the attachments that you pasted. Mine looks like the first attachment. Now the Default Global Rules I do not have but remember seeing that when I set up CIS disk before…

When I install CIS,after the restart, I go the More>Manage My Configuration>Add and Activate my saved settings. (the settings I made and posted previously last Jan 27th).

Are the default rules more better than what I make (if so, how can I obtain it again) or…hmmmmm…got confused here…

By the way have set-up a Windows 7 x32 hdd now(now using it with the rules/settings created no Listening at port 5357, there is 445 but no “intrusions”)

I’ll wait for your reply!

Thanks very much:)

As well as others.

(A) "Malwares may sometimes reroute your traffic through a proxy server of their own. . You could add a global rule to ask all outgoing traffic to TCP port 8080." -- How can I do that? Is this correct? Global Rules>Network Control Rule>Add:

Action: Allow
Protocol: IP
Direction: In/Out
Description: Allow all outgoing traffic to TCP port 8080
Source Address: –
Destination Address: –
Source Port: 8080
Destination Port: Any

See my suggestions in blue. The rule is only needed for outgoing traffic. (On a side note. If you want incoming and outgoing traffic blocked for a single port you need to make two separate rules. One for incoming and one for outgoing).

Using blocking all IP out for port 8080 makes sure nothing gets past.

(B) "You can keep the block rules for outgoing Netbios (135-139) and Microsoft DS (445) in the rule for System as that deals with sharing files, folders and printers over the local network. " --Did that. OK.

(C) "You can remove the blocks for incoming traffic in the rule for System. Because incoming traffic first sees your stealth Global Rules they are not needed there." --Okay removed it all because of the stealth Global Rules.

(D) "For the block rule for outgoing traffic on the other ports you need to make Global Rules if you want a general block like in the tutorial. Sorry for the misunderstanding." -- So for block rules for ports 5900-5903/3389, 5800, 5500 I will remove it in the Application Rules and instead make it in Global Rules.....? Which is more effective...

Indeed.

(i) a general block rule for ports 5900-5903/3389, 5800, 5500 instead of Application block rules

Correct

(ii) Application block rules for ports 5900-5903/3389, 5800, 5500

I am not sure what you mean here

(tutorial in the link o what we do here...?)

What do you mean?

(E) In the attachments that you pasted. Mine looks like the first attachment. Now the Default Global Rules I do not have but remember seeing that when I set up CIS disk before....

With the v3.x series the global rules for the Proactive Security config were stealth. Iirc with v4 the default changed.

When I install CIS,after the restart, I go the More>Manage My Configuration>Add and Activate my saved settings. (the settings I made and posted previously last Jan 27th).

Are the default rules more better than what I make (if so, how can I obtain it again) or…hmmmmm…got confused here…

I am not totally sure what you mean. You can use the Manage My Configuration to export and import configurations. You can have multiple configs you can switch between; for example one for work and one for at home.

By the way have set-up a Windows 7 x32 hdd now(now using it with the rules/settings created no Listening at port 5357, there is 445 but no "intrusions")

I’ll wait for your reply!

Thanks very much:)

I assume you are using the stealth settings? A listening program won’t hear a thing as all traffic gets blocked.

Hi EricJH,

Thanks for the reply. I am in a hurry so I’ll read and take down notes in the moment then get back here. Chinese new year drinking…:slight_smile:

Thanks again.

You have a good one.

!ot! Drink a couple for me too.

I will see it when you replied again.

Hi EricJH;

Very sorry for the very late reply. Got ■■■■ busy at the office lately. Kindly see answers below:

“ii) Application block rules for ports 5900-5903/3389, 5800, 5500
I am not sure what you mean here”
–Disregard this one:)

“(tutorial in the link o what we do here…?)
What do you mean?”
– Thanks. You already answered it in blocking port 8080

"When I install CIS,after the restart, I go the More>Manage My Configuration>Add and Activate my saved settings. (the settings I made and posted previously last Jan 27th).

Are the default rules more better than what I make (if so, how can I obtain it again) or…hmmmmm…got confused here…
I am not totally sure what you mean. You can use the Manage My Configuration to export and import configurations. You can have multiple configs you can switch between; for example one for work and one for at home."
–My mistake. Disregard this one. I do have 3 settings that I have exported/imported successfully. Only thing is that I seem to see that my “Trusted Files” / “Trusted Applications” are not reflected when I import and apply the settings. I have to do it all over again. Is this normal behavior?

"By the way have set-up a Windows 7 x32 hdd now(now using it with the rules/settings created no Listening at port 5357, there is 445 but no “intrusions”)

I’ll wait for your reply!

Thanks very much:)
I assume you are using the stealth settings? A listening program won’t hear a thing as all traffic gets blocked."
–Yes. Thanks.


Thanks for the help here again!

PS:

I drank for you and was so borked I wasn’t able to report for work the next day:) hic:)

When using the export function it will not export the local Trusted Software Vendors and Trusted Files list. They are stored in files and not in the registry; the registry is where the rest is stored.

"By the way have set-up a Windows 7 x32 hdd now(now using it with the rules/settings created no Listening at port 5357, there is 445 but no "intrusions")

I’ll wait for your reply!

The default stealth settings do not log when incoming traffic gets blocked. You need to edit “Block All IP …” rule at the bottom in Global Rules to Block and Log.

Thanks very much:) I assume you are using the stealth settings? A listening program won't hear a thing as all traffic gets blocked." --Yes. Thanks.

Thanks for the help here again!

PS:

I drank for you and was so borked I wasn’t able to report for work the next day:) hic:)

Gotta love alcohol for that… :smiley:

Hi EricJH;

Thanks for the reply. A couple of observations/inquiries more please:

“Malwares may sometimes reroute your traffic through a proxy server of their own. . You could add a global rule to ask all outgoing traffic to TCP port 8080.”
– How can I do that? Is this correct?
Global Rules>Network Control Rule>Add:

Action: Allow
Protocol: IP
Direction: In/Out
Description: Allow all outgoing traffic to TCP port 8080
Source Address: –
Destination Address: –
Source Port: 8080
Destination Port: Any"

–Forgot to do your suggestion but I hit a snag. In your suggestion there wasn’t any Source Port/Destination Port if I select IP as Protocol…there is only Source Address/Destination Address…am I doing it right…?

Also,

"(On a side note. If you want incoming and outgoing traffic blocked for a single port you need to make two separate rules. One for incoming and one for outgoing).

Using blocking all IP out for port 8080 makes sure nothing gets past."

–These “incoming and outgoing traffic blocked for a single port” is to be created in Global Rules, right?

Or,

i) outgoing in Application Rules / incoming Global Rules
ii) both outgoing / incoming in Application Rules

Got confused…sorry:)

“When using the export function it will not export the local Trusted Software Vendors and Trusted Files list. They are stored in files and not in the registry; the registry is where the rest is stored.”

– Imported my latest saved config and I was surprised to see that there are entries in my Application Block Rules (the corrected one) and in the Trusted Files…I only had to enter a couple of my trusted programs and all was well. Less pop-ups again. Nice!

(on a lighter note…have removed Avast HIPS(behavioral shield/AdBlock/Spam) since I have yours and your HIPS is very good unlike the other one which was I learned was “passive”).

“The default stealth settings do not log when incoming traffic gets blocked. You need to edit “Block All IP …” rule at the bottom in Global Rules to Block and Log.”

– Did that through: Global Rules>Select Block and Log IP In From MAC> Edit>Check Log as firewall event…correct?

“Gotta love alcohol for that…:)”
– Yeah! That’s the only way busy people(without the extra buck) tend to unwind nowadays…Jim Bean, Johnny Walker and old Mr. Jack Daniels:) Cheers! ;D ;D >:-D ;D

Great learning here! Got more confident using CIS! Yeah!!! ;D :-TU :-TU :-TU

Hi;

Have successfully updated CISver5.3.xxxxxx.1236 to ver5.3.181415.1237 earlier :-TU.
Along this topic (re:CIS ver5_System(4) Listening port on_445 question ) please do allow me couple of questions(observations):

a) Have set again “Block all incoming connections and make my ports stealth to everyone” and obtained a TruStealth with ShieldsUP and PCFlank.com --nice ;D :-TU :-TU :-TU

b) Have already disabled Port 445 in the Registry as what Radaghst has shared earlier in Reply#1. I previously have always seen System(no more port 445 listening but port 135 listening) in the “Active Connections” window but now after the update there is none.
–Is that normal ??? Or will it appear a couple of days later.

c) Question in relation to the “previous” block rules that I have set in the Application Rules. I do not see “System” there now. What I see is “Windows System Applications”. Kindly see image attached.
–If I wanna set the former block rules for ports 135-139/5500/5900-5903/5800/3389 will I place it in the “Windows System Applications” above Allow IP Out From MAC Any To Any Where Protocol Is Any"… ??? If not, where ???

d) In the meantime that I have not determined it I have placed the outgoing block rules in the Global Rules. Please see image attached.
–Is this okay? Is this better than placing them in the Application Rules or just the same it will block the outgoing on those ports…? (sorry got confused there… 88))

e) In Reply#17 in relation to port 8080 setting. In that reply I had difficulty setting what EricJH had suggested in “blue”. Now I have set it exactly as he instructed. What happened there…? When I was with ver5.3.xxxxxx.1236 I wasn’t able to set that but here in ver5.3.xxxxxx.1237 I did without a problem…

Any ideas as to what may have happened… ???

f) In connection with “(e) --above”, is the placement above Allow IP Out From MAC Any To Any Where Protocol Is Any" correct…? ??? Please see image attached.

g) In my Win7 x32 set-up there is still System Port 445 Listening although I have disabled it in the registry. See image attached. How can I disable it permanently in Win7?

Thanks for the help here all and hope to hear from you :slight_smile:

voltron :wink:

[attachment deleted by admin]

Unless you have specifically done something to remove port 135 (RPC service) it will be displayed as a listening port.

c) Question in relation to the "previous" block rules that I have set in the Application Rules. I do not see "System" there now. What I see is "Windows System Applications". Kindly see image attached. --If I wanna set the former block rules for ports 135-139/5500/5900-5903/5800/3389 will I place it in the "Windows System Applications" above Allow IP Out From MAC Any To Any Where Protocol Is Any"... ??? If not, where ???

The entry for “Windows System Applications” is a reference to a group of ‘System’ related processes, found in D+. See the image below for details.

Any specific rules you may have had for the ‘stand-alone’ system process, under Application rules in Network services, need to be rethought.

If I remember correctly, you have only a single PC and no router? This being the case, it will be a little easier to create rules to control your system processes.

d) In the meantime that I have not determined it I have placed the outgoing block rules in the Global Rules. Please see image attached. --Is this okay? Is this better than placing them in the Application Rules or just the same it will block the outgoing on those ports....? (sorry got confused there... 88))

Do you have any specific reasons for wanting to block those ports, as they seem completely random and make little sense, apart from those for NetBIOS and there are better ways of doing that.

I would suggest reading this Application Rules and this Global Rules

e) In Reply#17 in relation to port 8080 setting. In that reply I had difficulty setting what EricJH had suggested in "blue". Now I have set it exactly as he instructed. What happened there...? When I was with ver5.3.xxxxxx.1236 I wasn't able to set that but here in ver5.3.xxxxxx.1237 I did without a problem...

Any ideas as to what may have happened… ???

f) In connection with “(e) --above”, is the placement above Allow IP Out From MAC Any To Any Where Protocol Is Any" correct…? ??? Please see image attached.

There is no point having a rule that allows a connection out on a specific port, directly followed by a rule that allows everything out to anywhere.

g) In my Win7 x32 set-up there is still System Port 445 Listening although I have disabled it in the registry. See image attached. How can I disable it permanently in Win7?

It appears the ‘hack’ for closing port 445 and another I knew for port 135 are having problems under Windows 7. I wasn’t aware of these changes, as I don’t block these ports.

As of now, at least until I can establish definitively this process no longer works, your best bet is to simply create a rule that blocks TCP out on port 445.

In theory you could stop the server service to close these ports, but I wouldn’t recommend it.

Remember, just because a port is in a listening state, doesn’t necessarily mean it’s a vulnerability in your firewall. If a port is blocked it won’t be able to respond to requests.

[attachment deleted by admin]