Firewalls - Locking Down Your Network

This article is intended to be a general guideline. If you mess up your network following this guide, we are not responsible.


Firewalls are a common tool today. They are built into Windows, OS X, Linux, and BSD by default. You can configure your firewall to block specific applications, traffic signatures, ports, or a litany of other things moving through your network.

This guide is designed to help you understand the critical ports to leave open, and how to mitigate threats using a firewall. It is not specific to any hardware or software firewall.

Why a firewall is important

A firewall stops your device from sending or receiving data on undesired channels. This can prevent your computer from being compromised through apps and features that you do not use, and can protect you from bugs in operating systems or software that could otherwise lead to compromise. It is a powerful tool for limiting how outside parties can communicate with your device.

For a firewall to be effective, you want to block ALL ports that you are not explicitly using. In other words, the firewall's default should be to deny, with an explicit allow rule for each service you actually use.

What ports to always leave open on a Firewall

There are approximately 128000 ports on a network connection (if you include both the TCP and UDP protocols). Of these, the bottom 1024 are the "well-known" or common ports, which are used by applications and sometimes reserved for specific purposes. Here is a list of the critical ones that are often left open by even the most hardened networks in the world, including national firewalls and corporations. These ports are used for specific services that are important to the functionality of networks.

Note that for a typical client PC these are the destination ports of connections your machine opens to the outside; the firewall should allow those outbound connections and the replies to them, not accept unsolicited inbound connections on the same ports.

TCP 80: reserved for HTTP (unencrypted web pages).

TCP 443: reserved for HTTPS (encrypted web pages).

UDP 53: reserved for DNS (resolving domain names to IP addresses).

UDP 67 and UDP 68: reserved for DHCP (assigning IP addresses dynamically from a router or DHCP server).

TCP/UDP 546 and 547: reserved for DHCP if you are using IPv6 addressing (uncommon at the time of this writing).

TCP 843: reserved for Adobe Flash.

UDP 443: the port VikingVPN uses.

These ports must be left open for a typical internet-connected PC to remain functional. You can eliminate the need for DHCP if you set up a static network in your home. If you close all other ports, you will quickly find that any apps that are using ports outside of these will no longer function.

For servers you connect to remotely, make sure to leave open the ports your remote-access protocol needs, otherwise you will lock yourself out. For example, Windows RDP requires TCP/UDP port 3389, SSH requires port 22, and so on.
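The "block everything, then allow only what you use" rule above and the port list can be expressed as a single default-deny policy. The following is an added example, not code from the article or a VikingVPN tool: it encodes the article's client ports as an allowlist (plus the SSH and RDP ports from the server remark), decides whether a new connection is permitted, and renders the same policy as an nftables ruleset with a drop policy on both the input and output chains. Direction is from the host's point of view ("out" means this host opens the connection, "in" means a remote peer does); the service labels and the chain layout are assumptions, and DHCPv6 is listed as UDP only, which is what that protocol actually uses.

```python
"""Default-deny host firewall policy, modelled in Python.

Added example (not from the article, nor a VikingVPN tool). It encodes
the article's list of ports as an allowlist, decides whether a new
connection is permitted, and renders the same policy as an nftables
ruleset. Direction is from the host's point of view: "out" means this
host opens the connection, "in" means a remote peer does. DHCPv6 is
listed as UDP only, which is what the protocol actually uses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    port: int       # destination port of the new connection
    direction: str  # "out" or "in"
    service: str    # label only, used in the rendered comments


# Ports the article says a typical client needs. Everything else is denied.
CLIENT_ALLOW = (
    Rule("tcp", 80, "out", "HTTP"),
    Rule("tcp", 443, "out", "HTTPS"),
    Rule("udp", 53, "out", "DNS"),
    Rule("udp", 67, "out", "DHCP request to server"),
    Rule("udp", 68, "in", "DHCP reply to client"),
    Rule("udp", 547, "out", "DHCPv6 request to server"),
    Rule("udp", 546, "in", "DHCPv6 reply to client"),
    Rule("tcp", 843, "out", "Flash policy file"),
    Rule("udp", 443, "out", "VPN tunnel (VikingVPN, per the article)"),
)

# Extra inbound rules for a server you administer remotely (article's examples).
REMOTE_ADMIN = (
    Rule("tcp", 22, "in", "SSH"),
    Rule("tcp", 3389, "in", "RDP"),
    Rule("udp", 3389, "in", "RDP"),
)


def allowed(proto, port, direction, rules=CLIENT_ALLOW):
    """Default deny: a new connection passes only if a rule matches exactly."""
    return any(r.proto == proto and r.port == port and r.direction == direction
               for r in rules)


def render_nft(rules, table="filter"):
    """Render the allowlist as an nftables file with drop policies on both chains.

    Reply packets of allowed connections are accepted by connection tracking,
    so only the first packet of a flow has to match a port rule.
    """
    def chain(name, hook, iface_match, direction):
        lines = [f"    chain {name} {{",
                 f"        type filter hook {hook} priority 0; policy drop;",
                 f"        {iface_match} lo accept",
                 "        ct state established,related accept",
                 "        ct state invalid drop"]
        for r in rules:
            if r.direction == direction:
                lines.append(f"        {r.proto} dport {r.port} accept  # {r.service}")
        lines.append("    }")
        return lines

    body = [f"table inet {table} {{"]
    body += chain("input", "input", "iif", "in")
    body += chain("output", "output", "oif", "out")
    body.append("}")
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    # Print the server variant; save it to a file and load it with `nft -f`.
    print(render_nft(CLIENT_ALLOW + REMOTE_ADMIN))
```

Two things worth noticing when you run it: a web browser on this policy works (outbound TCP 443 is allowed) while an application that talks to, say, TCP 8080 is silently cut off, which is exactly the "apps on other ports stop working" effect the article warns about; and inbound TCP 80 is not allowed on the client profile even though outbound TCP 80 is, because a client browses web servers but does not run one.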

If you don't know what port your applications use, you can usually look them up with a web search.
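Before searching, it helps to see which ports your own host is actually listening on, since that is what an outside party can reach. The following is an added example, not from the article: it parses the text that `ss -tulpn` prints on Linux and reports every listener bound to a non-loopback address that a small inbound allowlist does not cover. The sample output lines are constructed for illustration rather than captured from a real host, and the allowlist (SSH and the DHCP client port) is an assumption matching the article's server remark.

```python
"""Audit which ports a host actually listens on, against an allowlist.

Added example, not from the article. It parses the text that `ss -tulpn`
prints on Linux (the sample below is constructed, not captured from a
real host) and reports listeners reachable from other hosts that the
allowlist does not cover. Real use: `ss -tulpn | python3 audit.py`.
"""
import sys

# Inbound (proto, port) pairs this host is meant to serve; an assumption
# matching the article's server example (SSH) plus the DHCP client port.
INBOUND_ALLOW = {("tcp", 22), ("udp", 68)}

# Bind addresses that only local processes can reach.
LOOPBACK = ("127.", "::1", "[::1]")

# Constructed sample in the layout `ss -tulpn` uses: one header row, then
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=890,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=700,fd=5))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=890,fd=4))
"""


def process_name(field):
    """Pull the program name out of a `users:(("name",pid=..,fd=..))` field."""
    start = field.find('(("')
    if start < 0:
        return ""
    end = field.find('"', start + 3)
    return field[start + 3:end]


def parse_ss(text):
    """Yield (proto, bind_address, port, process_field) for each listener line."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        addr, _, port = fields[4].rpartition(":")   # handles "[::]:22" and "*:80"
        if not port.isdigit():
            continue
        process = fields[6] if len(fields) > 6 else ""
        yield proto, addr, int(port), process


def audit(text, allow=INBOUND_ALLOW):
    """Return sorted (proto, port, process) for exposed listeners not in allow."""
    findings = set()
    for proto, addr, port, proc in parse_ss(text):
        if addr.startswith(LOOPBACK):   # local-only listener: not reachable remotely
            continue
        if (proto, port) not in allow:
            findings.add((proto, port, process_name(proc)))
    return sorted(findings)


if __name__ == "__main__":
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for proto, port, proc in audit(text):
        print(f"exposed and not allowlisted: {proto}/{port} ({proc or 'unknown'})")
```

On the constructed sample only the nginx listener on TCP 80 is reported: SSH is allowlisted, the DHCP client port is allowlisted, and PostgreSQL is bound to 127.0.0.1, so the host firewall does not need a rule for it. Each reported line is a port you should either add to your allow rules deliberately or stop the service from listening on.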

Here are some references for looking up the ports that specific apps and services have registered with IANA:

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt


