You can block the ports that you know can be used to attack your network. The Firebox denies all traffic to blocked ports on all interfaces. Blocking ports can protect your most sensitive services.
When you block a port, you override all of the rules in your policy definitions. To block a port, see Block a Port.
Default Blocked Ports
In the default configuration, the Firebox blocks some destination ports. You usually do not need to change this default configuration. TCP and UDP packets are blocked for these ports:
X Window System (ports 6000-6005)
The X Window System (or X-Windows) client connection is not encrypted and is dangerous to use on the Internet.
X Font Server (port 7100)
Many versions of X Windows operate X Font Servers. The X Font Servers operate as the super-user on some hosts.
NFS (port 2049)
NFS (Network File System) is a frequently used TCP/IP service where many users use the same files on a network. New versions have important authentication and security problems. To supply NFS on the Internet can be very dangerous.
The portmapper frequently uses port 2049 for NFS. If you use NFS, make sure that NFS uses port 2049 on all your systems.
rlogin, rsh, rcp (ports 513, 514)
These services give remote access to other computers. They are a security risk and many attackers probe for these services.
RPC portmapper (port 111)
The RPC Services use port 111 to find which ports a given RPC server uses. The RPC services are easy to attack through the Internet.
This port is used for system management by many vendors and the vendor's software may contain vulnerabilities. Many web proxies also use this port as an alternate HTTP port. This port is also used for communication by some forms of malware.
The TCPmux service uses Port 1, but not frequently. You can block it to make it more difficult for tools that examine ports.
This port is always blocked by the Firebox. You cannot allow traffic on port 0 through the device.
If you must allow traffic through any of the default blocked ports to use the associated software applications, we recommend that you allow the traffic only through a VPN tunnel or use SSH (Secure Shell) with those ports. You should also enable IPS on your policies for improved security.