A firewall is a system that controls the flow of traffic between networks. It protects the hosts behind it, whether they sit on the private network or are public-facing resources in the DMZ (demilitarized zone), against network-based threats such as denial of service (DoS). To operate a firewall you need to understand firewall ports: which ports to open and which to block in order to comply with the commonly used firewall security standards.
A firewall is only as secure as the firewall system itself and the security policy (the firewall rule base) implemented on it, and that policy is expressed largely by opening and blocking ports. Specific inbound traffic can be allowed into the private network by configuring the ports it uses as opening ports; for example, TCP port 25 is opened so that incoming SMTP mail can reach the Exchange server. Conversely, traffic that uses ports we do not want reachable is handled with blocking ports; for example, if there is no web server in the DMZ for public users to reach, ports 80 and 8080 should be blocked both on the perimeter router and in the firewall configuration.
Every firewall interface facing the untrusted public network must be configured to deny all traffic unless it has been explicitly allowed (granted). Security work calls for a degree of paranoia: all inbound traffic flowing toward the private network is treated as a threat until a rule says otherwise. That is the starting point for configuring the router and the firewall as the first line of defense. Only traffic specifically permitted in the router's extended access-list and in the firewall port configuration is allowed to flow. Most firewalls and router access-lists already end in an implicit deny, so the real work is keeping the explicit permits short, specific and justified.
The following configuration diagram illustrates how the firewall ports are configured in this scenario. The corporation has no public web resources for outside users, so ports 80 and 8080 are denied as blocking ports both at the perimeter router and in the firewall configuration. It does have Exchange servers in the DMZ that must receive Internet mail, so TCP port 25 is permitted as an opening port, and only toward those servers.
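To make the policy concrete, here is a small model of a default-deny rule base, added as an illustration for this page (it is not a configuration from the original article or from any firewall product). It evaluates rules top to bottom with first-match semantics and an implicit deny at the end, encodes the scenario above (ports 80 and 8080 blocked, TCP 25 opened only toward the DMZ Exchange server), and includes a check for shadowed rules, the classic rule-base mistake where an earlier broad rule makes a later permit unreachable. The address plan (10.0.0.0/8 as the LAN, 192.0.2.0/24 as the DMZ, 192.0.2.25 as the Exchange server) and the rule comments are assumptions made for the example.

```python
"""Added illustration: a default-deny firewall rule base evaluated in order.

This models the policy described in the text; it is not a real firewall.
Rules are read top to bottom, the first match decides, and anything that
matches nothing falls to the implicit "deny all".  The address plan below is
constructed for the example (documentation ranges), as are the rule comments.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Tuple

ANY = ip_network("0.0.0.0/0")
PRIVATE = ip_network("10.0.0.0/8")        # assumed internal LAN
DMZ = ip_network("192.0.2.0/24")          # assumed DMZ (TEST-NET-1)
EXCHANGE = ip_network("192.0.2.25/32")    # assumed Exchange server in the DMZ


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: FrozenSet[int]      # empty means any destination port
    comment: str

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (not self.dports or pkt.dport in self.dports))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match would already match self."""
        return bool(self.proto in ("any", other.proto)
                    and other.src.subnet_of(self.src)
                    and other.dst.subnet_of(self.dst)
                    and (not self.dports
                         or (other.dports and other.dports <= self.dports)))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; unmatched traffic falls to the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "implicit deny all"


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (rule index, index of the earlier rule that hides it) pairs.

    A rule that can never be reached is a classic rule-base defect: a permit
    that was meant to open a port silently does nothing.
    """
    return [(j, i)
            for j, later in enumerate(rules)
            for i, earlier in enumerate(rules[:j])
            if earlier.covers(later)]


# Inbound rule base (untrusted Internet interface) for the scenario in the text.
INBOUND: List[Rule] = [
    # Packets arriving from the Internet can never legitimately carry our own
    # internal addresses as source; drop them before anything else.
    Rule("deny", "any", PRIVATE, ANY, frozenset(), "anti-spoofing"),
    # No public web server exists, so 80 and 8080 are explicit blocking ports.
    Rule("deny", "tcp", ANY, ANY, frozenset({80, 8080}), "no public web service"),
    # The only opening port: SMTP, and only toward the Exchange server in the DMZ.
    Rule("permit", "tcp", ANY, EXCHANGE, frozenset({25}), "SMTP to Exchange in DMZ"),
    # Nothing from the Internet may reach the internal LAN directly.
    Rule("deny", "any", ANY, PRIVATE, frozenset(), "no inbound to LAN"),
]

# Constructed mistake: the broad deny sits above the permit it was meant to
# precede only for other hosts, so the permit can never match.
MISORDERED: List[Rule] = [
    Rule("deny", "any", ANY, PRIVATE, frozenset(), "no inbound to LAN"),
    Rule("permit", "tcp", ANY, ip_network("10.0.0.25/32"), frozenset({25}),
         "SMTP to internal relay (unreachable)"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.7", "192.0.2.25", 25),
                Packet("tcp", "203.0.113.7", "192.0.2.25", 80),
                Packet("tcp", "203.0.113.7", "192.0.2.25", 443),
                Packet("udp", "203.0.113.7", "10.0.0.53", 53),
                Packet("tcp", "10.0.0.9", "192.0.2.25", 25)):
        print(pkt, "->", evaluate(INBOUND, pkt))
    print("shadowed in INBOUND:", shadowed(INBOUND))
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
```

Running it prints a verdict for each probe: SMTP to the Exchange server is the only permit; 80 hits the explicit block, 443 falls through to the implicit deny, and the packet with an internal source address is dropped as spoofed before any port is considered. Note that this inbound-only model ignores return traffic for connections opened from inside, which a real firewall must also handle.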

Firewall Ports - Configuration Diagram
The following is a list of common firewall ports; open only those your corporate requirements actually call for, and treat the rest as blocking ports.
| Port number | Protocol | Service | Use |
|---|---|---|---|
| 20 | TCP | FTP data | In active-mode FTP, the port the server connects from to send data back to the client; passive mode instead uses ephemeral server ports, which a port filter must account for |
| 21 | TCP | FTP | The control channel that all FTP servers bind to by default |
| 22 | TCP | SSH | Secure Shell: encrypted remote login, file transfer and tunnelling |
| 23 | TCP | Telnet | Remote logins using Telnet; everything, including the password, crosses the wire in cleartext, so it should stay blocked at the perimeter |
| 25 | TCP | SMTP | The port a mail server receives mail on from other mail servers |
| 53 | TCP and UDP | DNS | The port your Domain Name Service (DNS) server listens on for queries; UDP carries most queries, TCP carries large responses and zone transfers |
| 67, 68 | UDP | DHCP | The Dynamic Host Configuration Protocol (DHCP) server listens on 67 and answers clients on 68 when handing out IP addresses and network information; DHCP is link-local and has no reason to cross the firewall |
| 79 | TCP | Finger | Used to identify users on your system; an information leak to anyone who can reach it |
| 80 | TCP | HTTP | The port web servers listen on by default |
| 110 | TCP | POP3 | The port a mail server listens on for clients picking up their mail |
| 111 | TCP and UDP | RPC portmap | Required by NFS servers and other RPC-based programs; it tells a caller which port each RPC service is on, so it should never be exposed to untrusted networks |
| 113 | TCP | Auth (ident) | The port an ident server answers on when a remote host asks which local user owns a given TCP connection; it names a user, not an IP address, and the answer is controlled by the queried host, so it proves nothing |
| 119 | TCP | NNTP | Usenet (newsgroups) |
| 137-139 | UDP (137, 138) and TCP (139) | NetBIOS | Windows File and Print Sharing: the ports Windows and Samba use for sharing drives and printers with other clients; block inbound at the perimeter |
| 143 | TCP | IMAP | The port a mail server listens on for clients that read their mail with IMAP instead of POP3 |
| 443 | TCP | HTTPS | The port web servers listen on by default for HTTP over TLS (formerly SSL) |
| 512-515 | TCP and UDP | *NIX r-services, syslog, lpd | 512 exec (TCP) and biff (UDP), 513 login (TCP) and who (UDP), 514 shell (TCP) and syslog (UDP), 515 lpd (TCP); the r-services trust the client's claimed identity and should not be reachable from outside |
| 2049 | TCP and UDP | NFS | Used to export file systems to other *NIX-based computers; like portmap, keep it inside |
The table above lists the standard firewall ports you will most likely deal with. The table below lists other ports you may need to consider. In both tables a listed service is a reason to know the port, not a reason to open it: databases, NFS, RPC, NetBIOS, X11 and the r-services should not be reachable from the untrusted side at all.
| Port number | Protocol | Service | Use |
|---|---|---|---|
| 98 | TCP | Linuxconf | Linux-only, for the Linuxconf configuration program |
| 465 | TCP | SMTPS (SSMTP) | SMTP over TLS (implicit TLS) |
| 993 | TCP | IMAPS (SIMAP) | IMAP over TLS |
| 995 | TCP | POP3S (SPOP3) | POP3 over TLS |
| 1080 | TCP | SOCKS | Proxy server |
| 3306 | TCP | MySQL | The port the MySQL server listens on |
| 5432 | TCP | PostgreSQL | The port the PostgreSQL server listens on |
| 6000-6069 | TCP | X Window System | *NIX-only, for the X11 GUI desktop; display N listens on port 6000 + N |
| 6667 | TCP | IRC | Internet Relay Chat server |
| 8080 | TCP | HTTP alternate | Used by many web caching proxy servers and as a second web server port |
A router packet filter is not a firewall. A router access-list is stateless: it judges each packet on its own, so permitting return traffic means trusting header bits (the "established" match on the TCP ACK or RST flags) that any sender can set. A stateful firewall remembers which connections were opened from inside and admits only the replies that belong to them. The router filter is a useful first layer, but it cannot replace the firewall in your security model. The related articles below cover the router configuration side.
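The difference is easiest to see by running the same packets through both kinds of filter. The following is an added example written for this page, not code from the original article or from any router or firewall vendor: a stateless filter that admits inbound TCP segments only when they carry the ACK or RST flag (the way a router access-list "established" match works), beside a minimal connection tracker that admits inbound segments only when they belong to a connection it saw opened from inside. The addresses, ports and traffic sequence are constructed, and the flow-tracking states are simplified.

```python
"""Added illustration: why a stateless router ACL is not a stateful firewall.

Constructed segments, addresses and flows; not the configuration of any real
device.  The stateless filter mimics a router ACL that permits return traffic
with an "established" match (ACK or RST set); the stateful filter only admits
inbound segments that belong to a connection it saw opened from inside.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INSIDE = "10.0.0."   # assumed internal LAN prefix (constructed)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


def outbound(seg: Segment) -> bool:
    return seg.src.startswith(INSIDE)


class StatelessAcl:
    """Router-style extended ACL: outbound is permitted; inbound is permitted
    only if the segment looks 'established', i.e. has ACK or RST set.  The
    device keeps no memory, so it cannot know whether such a connection exists."""

    def filter(self, seg: Segment) -> str:
        if outbound(seg):
            return "permit"
        return "permit" if seg.flags & {"ACK", "RST"} else "deny"


class StatefulFirewall:
    """Tracks connections opened from inside; inbound segments are admitted only
    when they belong to a tracked flow and fit its state.  Teardown is
    simplified to 'a FIN or RST closes the entry'."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, int, str, int], str] = {}

    def filter(self, seg: Segment) -> str:
        if outbound(seg):
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.flags == {"SYN"}:
                self.flows[key] = "SYN_SENT"
            elif key in self.flows and seg.flags & {"FIN", "RST"}:
                del self.flows[key]
            return "permit"
        key = (seg.dst, seg.dport, seg.src, seg.sport)   # the flow as seen from inside
        state = self.flows.get(key)
        if state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            self.flows[key] = "ESTABLISHED"
            return "permit"
        if state == "ESTABLISHED" and "ACK" in seg.flags:
            if seg.flags & {"FIN", "RST"}:
                del self.flows[key]
            return "permit"
        return "deny"    # no tracked flow, or a segment that does not fit its state


def run(device, segments: List[Segment]) -> List[str]:
    """Feed segments through a filter in order and collect the verdicts."""
    return [device.filter(s) for s in segments]


def F(*flags: str) -> FrozenSet[str]:
    return frozenset(flags)


# Constructed traffic: a legitimate outbound HTTPS connection, two probes from an
# attacker at an internal SMB port, and a SYN/ACK that replies to nothing we sent.
TRAFFIC = [
    Segment("10.0.0.9", 51000, "203.0.113.80", 443, F("SYN")),          # 0 client SYN
    Segment("203.0.113.80", 443, "10.0.0.9", 51000, F("SYN", "ACK")),   # 1 server SYN/ACK
    Segment("10.0.0.9", 51000, "203.0.113.80", 443, F("ACK")),          # 2 client ACK
    Segment("198.51.100.66", 31337, "10.0.0.9", 445, F("ACK")),         # 3 ACK probe (ACK scan)
    Segment("198.51.100.66", 31337, "10.0.0.9", 445, F("SYN")),         # 4 SYN probe
    Segment("198.51.100.66", 443, "10.0.0.9", 51000, F("SYN", "ACK")),  # 5 unsolicited SYN/ACK
    Segment("203.0.113.80", 443, "10.0.0.9", 51000, F("ACK")),          # 6 real server data
]

if __name__ == "__main__":
    for name, device in (("stateless ACL", StatelessAcl()),
                         ("stateful firewall", StatefulFirewall())):
        print(f"{name:18s}", run(device, TRAFFIC))
```

Segment 3, an ACK-flagged probe at an internal SMB port, and segment 5, a SYN/ACK that answers nothing the client sent, both pass the stateless ACL because they carry the right flag bits; the stateful filter drops both because no tracked flow matches them. That is exactly what an ACK scan through a router filter exploits, and why the filter is a layer in front of the firewall rather than a substitute for it.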
See also:
- Configuring the router passwords – how to configure Cisco router passwords and the login banner.
- Networking routers – both corporate router and home wireless router.
- Guidelines in IP routing – the basic routing concepts.
- WAN services technologies
- Various LAN topologies

