Closing ports

Received wisdom has been that all outgoing ports, other than those actually required for use (e.g. for DNS, the web, e-mail, newsgroups and possibly some others) should be closed.

However, I find it difficult to believe that any serious bug wanting to report home would try to use any port other than one of those which is almost certain to be open, and therefore I wonder how important it now is to close all unused outgoing ports.

I have always followed that practice (using IPCop) but I have found it rather annoying when I want to use ftp. For example, I have found using FileZilla that one needs to open 30 or so consecutive ports in order to use passive ftp.

My question is not entirely academic because circumstances may force me to use a firewall which does not have the ability to close outgoing ports.

Kind regards to all

Brian


That's a common security measure, usually used in conjunction with a mandatory proxy server.

True, malware writers have adapted - up to the point where they use Internet Explorer itself to connect out (thus defeating some application monitoring systems and proxy servers).

FTP is a nightmare from a firewall POV - it wasn't really designed with firewalls in mind, and passive FTP was a hasty add-on to deal with them.

Closing outbound ports can enhance security, but not being able to do so shouldn't be a showstopper. However, it means that you can't control who can connect outbound should you desire so...

Juergen Nieveler

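
An added example, not part of any post in this thread, showing why passive FTP clashes with a closed-outbound policy: the server picks the data port and announces it on the control channel, so a fixed outbound rule has to cover a whole range, while a filter that reads the control channel can permit one destination. The function names, the sample replies, the server address and the 30-port range are all constructed for illustration.

```python
import re

# Constructed sample replies as seen on the FTP control channel (TCP 21).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,149)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50021|)"

_PASV = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")
_EPSV = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def passive_endpoint(reply, control_peer):
    """Return the (host, port) the client must connect OUT to for data."""
    m = _PASV.match(reply)
    if m:
        nums = [int(n) for n in m.group(1).split(",")]
        if max(nums) > 255:
            raise ValueError("field out of range in 227 reply")
        host, port = ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    else:
        m = _EPSV.match(reply)
        if not m:
            raise ValueError("not a passive-mode reply")
        host, port = control_peer, int(m.group(2))  # EPSV carries no address
    if not 1 <= port <= 65535:
        raise ValueError("invalid data port")
    return host, port


def static_rule_allows(port, open_ranges):
    """Fixed egress rules: the data port must fall in a pre-opened range."""
    return any(lo <= port <= hi for lo, hi in open_ranges)


def tracked_pinhole(reply, control_peer):
    """Control-channel-aware filtering: permit exactly one destination,
    and only on the server the control connection already goes to."""
    host, port = passive_endpoint(reply, control_peer)
    if host != control_peer:
        raise ValueError("data address differs from control peer")
    return host, port


if __name__ == "__main__":
    server = "192.0.2.10"            # constructed (documentation range)
    thirty_ports = [(50000, 50029)]  # constructed 30-port outbound range
    for reply in (PASV_REPLY, EPSV_REPLY):
        host, port = tracked_pinhole(reply, server)
        print(host, port, "static rule allows:", static_rule_allows(port, thirty_ports))
```

The first sample reply resolves to a port outside the constructed range, which is the case where a fixed outbound range blocks the transfer even though the control connection succeeded.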

Thanks for your comments Juergen.

I had not realised that bugs were able to use Internet Explorer for outward transmissions. Although, as you intimate, this ability will reduce the worth of programs like Zone Alarm, I suppose that programs like ProcessGuard, which the defunct company DiamondCS used to market, may be able to detect activity which would warn a user of something untoward.

Brian
