Installation guide
STEP 7: Understanding ports and firewall configuration
What are ports?
A port is a 16-bit number that, together with the network address, identifies one particular service on a host.
For example: your address is 1.2.3.4 and you want to reach the web server on it, so you connect to port 80.
If you want to reach the POP3 email server on that same host instead, you use the same address but port 110.
Here is an analogy: You have an office building with a street address, e.g. 8 Smith Lane, Melbourne. With
this address, you can find the right building. But this building is 50 storeys high, with many offices at each
floor. Some offices may be open for public access, and some may be closed to the public. To find the right
office, you have to specify the floor and office number. In many cases, a receptionist will only let you through
if you can specify exactly what floor and office you want to visit.
It is similar in networking. An IP address identifies a specific network interface (usually a computer), but
that is all. To reach a specific service (a web server, a mail server, an FTP server) you also have to specify the
port. In everyday use the client program fills the port in for you: a web browser assumes port 80 for http://
and 443 for https:// unless you add a port to the address, a mail client assumes 110 for POP3, and so on. The
computer being contacted has no ‘default port’ of its own; every connection arrives at one specific port, and
only a program listening on that port can answer.
Which one to keep open, which one to close
When you configure a new firewall, start with every port closed to connections coming in from the Internet
(a ‘default deny’ policy). In most cases there will be no reason to open any of them.
The first step should always be:
• close all inbound ports using the firewall ruleset configuration functions – this requires knowledge
of the firewall’s ruleset syntax.
• check whether you can still access all Internet services you need from the computers on your local
area network. If everything works, don’t open up anything.
• now have your public address scanned from the outside, e.g. with the ‘Shields Up’ port-scanning
service, and see whether your firewall holds: every port should report as closed or stealthed.
• ensure there are no other un-firewalled network connections (e.g. a modem or a second network
adapter on a LAN computer that bypasses the firewall).
Obviously, you cannot totally shield your own private network from the Internet if you want to use Internet
services like email and web browsing. So you will selectively open some ports in your firewall if needed.
However, if you do not provide a service to the Internet yourself (e.g. a web or email server), you can keep all
inbound ports closed: a stateful firewall remembers the connections that were initiated from your side and
lets their return traffic back in, while it drops connection attempts that nobody inside asked for.
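The policy described above, as an added example that is not part of this guide or of any firewall product’s ruleset syntax: a toy stateful packet filter that drops every unsolicited inbound connection, tracks connections started from the LAN so their replies are accepted, and admits inbound traffic only on ports that were deliberately opened. The LAN prefix 192.168.1., the addresses and the packets are all constructed for the example.

```python
"""Toy stateful packet filter: default-deny inbound, allow LAN-initiated flows.

Added example for illustration only; real firewalls implement the same idea
with connection tracking (e.g. 'ESTABLISHED,RELATED' rules), not this code.
"""
from dataclasses import dataclass

# Assumed private LAN prefix (constructed for this example).
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self, allowed_inbound=()):
        # Ports deliberately opened to the Internet, e.g. {("tcp", 443)}.
        self.allowed_inbound = set(allowed_inbound)
        # Connection-tracking table: flows that were started from the LAN.
        self.conntrack = set()

    @staticmethod
    def _is_lan(ip):
        return ip.startswith(LAN_PREFIX)

    def filter(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse_flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if self._is_lan(pkt.src) and not self._is_lan(pkt.dst):
            # Outbound: remember the flow so that the reply is let back in.
            self.conntrack.add(flow)
            return "ACCEPT"

        if not self._is_lan(pkt.src) and self._is_lan(pkt.dst):
            # Inbound reply to a flow a LAN host started: accept.
            if reverse_flow in self.conntrack:
                return "ACCEPT"
            # Inbound to a port we deliberately opened: accept.
            if (pkt.proto, pkt.dport) in self.allowed_inbound:
                return "ACCEPT"
            # Everything else from the Internet: closed by default.
            return "DROP"

        # LAN-to-LAN traffic is not this firewall's concern.
        return "ACCEPT"


def demo():
    """Run four constructed packets through a firewall with only TCP/443 open."""
    fw = StatefulFirewall(allowed_inbound={("tcp", 443)})
    packets = [
        # A LAN host browses to a web server on the Internet.
        Packet("192.168.1.10", 51000, "1.2.3.4", 80),
        # The web server's reply to that very connection.
        Packet("1.2.3.4", 80, "192.168.1.10", 51000),
        # An Internet host probes the LAN host's POP3 port unasked.
        Packet("5.6.7.8", 40000, "192.168.1.10", 110),
        # An Internet host connects to the one port we opened on purpose.
        Packet("5.6.7.8", 40001, "192.168.1.10", 443),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the reply on port 80 is accepted only because the outbound packet was seen first; run the same reply packet through a fresh firewall and it is dropped like any other unsolicited inbound packet, which is exactly why keeping every inbound port closed does not break web browsing or email from the LAN.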
Well known ports
There are 65 536 port numbers (0 - 65535) for TCP and the same again for UDP. Ports 0 - 1023 are the ‘well
known ports’ (IANA also calls them system ports). These are used by public Internet services such as HTTP
(80), FTP (21), SMTP (25), POP3 (110) and IMAP (143), and on most systems only a privileged (root or
administrator) process may listen on them. Historically, 0 - 255 were the IANA-assigned, platform-independent
services and 256 - 1023 were UNIX-specific services (Windows and Macs weren’t around when the Internet took
off, and both took a long time to adjust to the concept of TCP/IP networking); today IANA assigns the whole
0 - 1023 range without that distinction.
Registered ports
Ports 1024 - 49151 are the ‘registered ports’ (sometimes called ‘reserved ports’). Software vendors register
them with IANA to avoid conflicts between products, but any unprivileged program can listen on them. The
remaining 49152 - 65535 are the ‘dynamic’ or ‘private’ ports, which the operating system hands out as the
source port of outgoing connections; this is why inbound traffic on a high port is usually a reply to something
you started, not a service you are offering.