You can block ports to explicitly disable external network services from accessing ports that are vulnerable as entry points to your network. A blocked port setting takes precedence over any of the individual service configuration settings.
Like the Blocked Sites feature, the Blocked Ports feature blocks only packets that enter your network through the External interface. Connections between the Optional and Trusted interfaces are not subject to the Blocked Ports list.
You should consider blocking ports for several reasons:
By default, the Firebox blocks several destination ports. This measure provides convenient defaults which do not normally require changing. Typically, the following services should be blocked:
X Window System (ports 6000-6063)
The X Window System (or X-Windows) has several distinct security problems that make it a liability on the Internet. Although several authentication schemes are available at the X server level, the most common ones are easily defeated by a knowledgeable attacker. If an attacker can connect to an X server, he or she can easily record all keystrokes typed at the workstation, collecting passwords and other sensitive information. Worse, such intrusions can be difficult or impossible to detect by all but the most knowledgeable users.
The first X Window server is always on port 6000. If you have an X server with multiple displays, each new display uses an additional port number after 6000, up to 6063 for a maximum of 64 displays on a given host.
X Font Server (port 7100)
Many versions of X-Windows support font servers. Font servers are complex programs that run as the super-user on some hosts. As such, it is best to explicitly disable access to X font servers.
NFS (port 2049)
NFS (Network File System) is a popular TCP/IP service for providing shared file systems over a network. However, current versions have serious authentication and security problems which make providing NFS service over the Internet very dangerous.
Note: Port 2049 is not assigned to NFS; however, in practice, this is the most common port used for NFS. The port assigned for NFS is assigned by the portmapper. If you're using NFS, it would be a good idea to verify that NFS is using port 2049 on all your systems.
OpenWindows (port 2000)
OpenWindows is a windowing system from Sun Microsystems that has similar security risks to X Window.
rlogin, rsh, rcp (ports 513, 514)
These services provide remote access to other computers and are somewhat insecure on the Internet. Because many attackers probe for these services, it is a good idea to block them.
RPC portmapper (port 111)
RPC Services use port 111 to determine which ports are actually used by a given RPC server. Because RPC services themselves are very vulnerable to attack over the Internet, the first step in attacking RPC services is to contact the portmapper to find out which services are available.
Port 0 is reserved by IANA, but many programs that scan ports start their search on port 0.
Port 1 is for the rarely used TCPmux service. Blocking it is another way to confuse port scanning programs.
Novell IPX over IP (port 213).
If you use Novell IPX over IP internally, you might want to explicitly block port 213.
NetBIOS services (ports 137 through 139)
You should block these ports if you use NetBIOS internally. Although such services are blocked implicitly by default packet handling, blocking them here provides additional security.
Avoiding problems with legitimate users
Blocking a port permanently
Auto-blocking sites that try to use blocked ports
Setting logging and notification for blocked ports
Return to Top
© 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.