You can block ports to explicitly disable external network services from accessing ports that are vulnerable as entry points to your network. A blocked port setting takes precedence over any of the individual service configuration settings.
Like the Blocked Sites feature, the Blocked Ports feature blocks only packets that enter your network through the External interface. Connections between the Optional and Trusted interfaces are not subject to the Blocked Ports list.
You should consider blocking ports for several reasons:
By default, the Firebox blocks several destination ports. This measure provides convenient defaults which do not normally require changing. Typically, the following services should be blocked:
X Window System (ports 6000-6063)
The X Window System (or X-Windows) has several
distinct security problems that make it a liability on the Internet. Although
several authentication schemes are available at the X server level, the
most common ones are easily defeated by a knowledgeable attacker. If an
attacker can connect to an X server, he or she can easily record all keystrokes
typed at the workstation, collecting passwords and other sensitive information.
Worse, such intrusions can be difficult or impossible to detect by all
but the most knowledgeable users.
The first X Window server is always on port 6000.
If you have an X server with multiple displays, each new display uses
an additional port number after 6000, up to 6063 for a maximum of 64 displays
on a given host.
X Font Server (port 7100)
Many versions of X-Windows support font servers.
Font servers are complex programs that run as the super-user on some hosts.
As such, it is best to explicitly disable access to X font servers.
NFS (port 2049)
NFS (Network File System) is a popular TCP/IP service
for providing shared file systems over a network. However, current versions
have serious authentication and security problems which make providing
NFS service over the Internet very dangerous.
Note: Port 2049 is not assigned to NFS; however, in practice, this is the most common port used for NFS. The port assigned for NFS is assigned by the portmapper. If you're using NFS, it would be a good idea to verify that NFS is using port 2049 on all your systems.
OpenWindows (port 2000)
OpenWindows is a windowing system from Sun Microsystems
that has similar security risks to X Window.
rlogin, rsh, rcp (ports 513, 514)
These services provide remote access to other computers
and are somewhat insecure on the Internet. Because many attackers probe
for these services, it is a good idea to block them.
RPC portmapper (port 111)
RPC Services use port 111 to determine which ports
are actually used by a given RPC server. Because RPC services themselves
are very vulnerable to attack over the Internet, the first step in attacking
RPC services is to contact the portmapper to find out which services are
available.
port 0
Port 0 is reserved by IANA, but many programs that
scan ports start their search on port 0.
port 1
Port 1 is for the rarely used TCPmux service. Blocking
it is another way to confuse port scanning programs.
Novell IPX over IP (port 213).
If you use Novell IPX over IP internally, you might
want to explicitly block port 213.
NetBIOS services (ports 137 through 139)
You should block these ports if you use NetBIOS
internally. Although such services are blocked implicitly by default packet
handling, blocking them here provides additional security.
Related topics:
Avoiding problems with legitimate users
Auto-blocking sites that try to use blocked ports
Setting logging and notification for blocked ports
Copyright
© 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.
Legal Notice/Terms of Use