Need help on disabling specific ports

Hello All,
I recently did a Symantec security scan which revealed several open ports which are not needed for me to have open. I cannot figure out how to specify a port to be blocked from accessing the internet. The only option I see is for applications… I see no place where I can just add a port to be blocked. Thanks in advance.

If you are behind a router, then the online port test is actually checking your router, as it is the first responding device found on your IP address. If you want to really check the ports on your PC and you’re behind a router, you need to forward all ports to an IP inside your LAN and then test.

Cheers,
Ewen :slight_smile:

Ewen,

Hello!
Enabling port forwarding in your router is not synonymous with being unprotected by your router is it?

Michele

Logically, yes. If you forward all ports, the router is passing all data through to the nominated address inside your LAN.

Cheers,
Ewen :slight_smile:

Thank you, Ewen!

Hey Michele,

My answer wasn’t 100% correct.

Port forwarding simply allows a router to pass incoming data (solicited or otherwise) on a particular port to a specific IP address inside your LAN. You are not totally unprotected, as the router’s firewall is still functioning on all ports other than the forwarded ports.

Your PC is then relying on your personal firewall for protection, particularly on those ports which have been forwarded.

Sorry, I re-read my previous answer and thought it was a bit ambiguous and could be easily misinterpreted.

Hope this helps,
Ewen :slight_smile:

Ewen
I found a program a while back called Local Port Scanner. What’s your opinion on it?
It identifies when my p2p port is open or closed. I’ve had 1027 open for some time for the ALG service. I haven’t closed it before because most recommendations are that ALG should be set to manual; I noticed it had started on occasion.
Disabled a little while ago and now shows as closed. Nothing fallen over as yet, fingers crossed. :-\

Hey Sullo,

You can get this information by opening a command window and typing

netstat -b

This shows the port number, port state, protocol and executable responsible.

I haven’t tried the one you mention. Does it do more than just list ports?

Ewen :slight_smile:

Excuse me! (note the English, Ewen)

I read you should block “trojan ports” 1024-1029. I understand they are frequently exploited & always being randomly probed. For example:

Block & Log/TCP-UDP In/Any/Any/Where Source port is Any & Destination Port is 1024-1029.

And place it above any rule that might allow incoming.

I also read to set a rule to allow outbound only for local ports above 1030 to restrict the lower reserved ports with the exception of 67/68 if needed.

What do you have to say about this? :slight_smile:

Michele

Hey Michele,

As I understand it, ports 1 - 1024 are for declared services, according to defined standards. Ports 1025 - 1056 are sort of the same. Ports 1057 - 65535 are locally assignable for whatever purpose and are generally used as a response port to an outbound request (outbound web request goes to port 80 on a server and the response is received back on a port > 1056).

It’s almost mandatory to have a catch-all inbound block rule somewhere in your list, but below any rules that explicitly allow inbound access to a specific port for a specific purpose.

Why would you need a rule to allow outbound (whether on a port >1030 or not) unless you have an application that specifically needs outbound access? Only allow what is needed.

Cheers,
Ewen :slight_smile:
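As an added example (not from the thread, and not Comodo’s or any tool’s own code), here is a small Python script that parses the kind of output `netstat -b` produces, as Ewen describes, lists which executable holds each listening port, and flags listening ports in the 1024-1029 range that Michele’s inbound block rule targets. The netstat text is constructed to mirror the thread (ALG on 1027), not captured from a real machine.

```python
import re
from collections import defaultdict
# Constructed sample of Windows `netstat -b -n -o` output (not a real capture).
# ALG holds 1027/1025 as in the thread; the browser line is an outbound reply port.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
 [svchost.exe]
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1044
 [alg.exe]
  TCP    192.168.1.10:1033      203.0.113.5:80         ESTABLISHED     2200
 [firefox.exe]
  UDP    0.0.0.0:1025           *:*                                    1044
 [alg.exe]
  UDP    192.168.1.10:137       *:*                                    4
"""
# One connection line; the State column is absent for UDP, so it is optional.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")  # the "[name.exe]" line that -b prints

def parse_netstat(text):
    """Return one dict per socket; the executable comes from the following [exe] line."""
    entries = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, addr, port, foreign, state, pid = m.groups()
            entries.append({"proto": proto, "addr": addr, "port": int(port),
                            "foreign": foreign, "state": state or "",
                            "pid": int(pid), "exe": None})
        elif (m := EXE_RE.match(line)) and entries and entries[-1]["exe"] is None:
            entries[-1]["exe"] = m.group(1)
    return entries

def listening(entries):
    """Sockets that accept unsolicited input: TCP in LISTENING, plus any bound UDP socket."""
    return [e for e in entries
            if (e["proto"] == "TCP" and e["state"] == "LISTENING") or e["proto"] == "UDP"]

def in_range(entries, low=1024, high=1029):
    """Listening sockets that the 'Block inbound 1024-1029' rule from the thread covers."""
    return [e for e in listening(entries) if low <= e["port"] <= high]

def by_executable(entries):
    """Listening (proto, port) pairs grouped by owning executable, or by PID if unknown."""
    groups = defaultdict(set)
    for e in listening(entries):
        groups[e["exe"] or f"pid {e['pid']}"].add((e["proto"], e["port"]))
    return {name: sorted(ports) for name, ports in groups.items()}
```

Pipe a real `netstat -b -n -o` capture into `parse_netstat` and compare `by_executable` against what you expect to be running; anything unexpected in `in_range` is a candidate for disabling the service rather than only blocking the port.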

I use the netstat commands on occasion; most of the time I use the cports program, nice pretty colours instead of a DOS window. Combine it with Process Explorer and it’s amazing what you can find out.
LPS (Local Port Scanner) would be better described as a trojan port scanner. It uses a list of known trojan ports to scan; there is a user-defined list where you can add specific ports you want scanned (both lists are editable in Notepad). The trojan list is a bit out of date and there is no auto-update of the list. Took me approx. 2 hours at my typing speed to update the trojan ports list from a security website.
Has a couple of other scan options including a full TCP scan. I added my p2p port as a test and it reports the port open when it should be and closed when it should be.
It’s a small prog and available on MajorGeeks.

Ewen,

You tell me! The first Comodo default rule for Net Mon is:

Allow |TCP/UDP Out |Any |Any| Where Source Port is Any & Destination Port is Any. 

I would think writing one above it or in place of it to narrow it would improve protection. I thought restricting local ports to 1030-4999 would limit vulnerabilities. And then in your App Mon rules designate specifics. Am I that far off?

Sorry Michele. I’ve got my thinking cap on straight now. :wink: The all-outbound rule in Net Mon is needed. You can get by without it, but you need to make explicit rules for all applications then. While this would provide greater security, the vastly increased number of rules would undoubtedly impose a far greater overhead on the application and the system, affecting overall throughput.

If your app mon rules are tight and you aren’t in the habit of blindly clicking /allow on pop-ups, I’d leave the “universal” out rule in place.

Again, apologies for my misunderstanding.

Cheers,
Ewen :slight_smile:

Ewen,

No apology is necessary! No need to “panic” noobs! Thank you for giving of yourself so generously. It’s a given that the greater your knowledge of OS & networking, the tighter your rules. Comodo’s default rules are robust! That said… What would it hurt to narrow that rule to the port range aforementioned? I hate this! :wink:

M

Have a look at seconfig. http://seconfig.sytes.net/ Will completely close those ports plus other stuff, e.g. disable NetBIOS over TCP/IP etc. (I suppose it’s the lazy man’s or woman’s way ;D )
Only 54 KB and can restore original settings.


Hello Ocky,

Bear, So. Africa! I read your posts. Thanks for the screen shot. I made my way into services.msc, WNS, etc & manually took care of quite a bit of that. When I do so it also gives me a better sense of how everything interrelates. I really want to gain a strong ability to rule write!! And a sound understanding of Comodo. A couple of Seconfig’s options I’m not clear on. I like this! Now I have more to unravel/draw from. I’d be interested in discussing some stuff with you (no coffee yet! as articulate as can be!).

Michele

Hello Michele,

The bear avatar - you probably saw some of my posts in the Opera (my absolute favourite browser) forum, or over at Wilders Security. Wilders is a great forum for all things security related, like those nasty rootkits.
Unfortunately I am quite new to Comodo PF and hence lots of “newbie” questions. I am pleased with Comodo, and being one to often take the path of least resistance (read ‘lazy’), am running the firewall with default Network Mon. settings, relying on my App. Mon. rules. I am also behind a router so am mainly interested in outbound protection.
I must say I admire your perseverance and interest in tightening your firewall, and it’s plain to see that you are progressing rapidly. :-*

BTW. How’s the weather in aahh … ? Gosh I don’t know ;D

Ocky on a scale of 1-10, 10 being all knowing… starting at -25… then yes, I suppose 2 is rapid progression!

Would you care to divulge your App Mon rules? -M

Oh! It’s lovely here year-round!