User guide

Blocking Ports
You can block ports to explicitly deny external hosts access to ports
that are vulnerable entry points into your network. A blocked port
setting takes precedence over any individual service configuration
setting.
Like the Blocked Sites feature, the Blocked Ports feature blocks only
packets that enter your network through the External interface.
Connections between the Optional and Trusted interfaces are not subject
to the Blocked Ports list.
You should consider blocking ports for several reasons:

- Blocked ports provide an independent check that protects your most
sensitive services, even when another part of the firewall is not
configured correctly.

- Probes made against particularly sensitive services can be logged
independently of the service rules.

- Some TCP/IP services that use port numbers above 1024 are
vulnerable to attack if the attacker originates the connection from an
allowed well-known service with a port number below 1024. Because the
packet's source port belongs to an allowed service, the connection
appears to be an allowed connection in the opposite direction. You can
prevent this type of attack by blocking the port numbers of services
whose port numbers are under 1024.
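The following is an added example, not WatchGuard's code, that models the three points above as a toy packet filter: the blocked list is evaluated before any service rule and only for packets arriving on the External interface, probes against blocked ports are recorded in their own log, and a naive service rule that trusts a well-known source port is shown being overridden by the list. The interface names, the `allowed_services` policy, and the sample packets are constructed for the example; the only default port range taken from the page is X Window System, 6000-6063.

```python
"""Added example (not the Firebox implementation): a toy model of how a
Blocked Ports list overrides per-service rules, applies only to traffic
entering on the External interface, and logs probes independently."""
from dataclasses import dataclass, field

# Interface names are constructed for the example.
EXTERNAL, TRUSTED, OPTIONAL = "external", "trusted", "optional"

# The only default named on the page: X Window System, ports 6000-6063.
DEFAULT_BLOCKED_PORTS = frozenset(range(6000, 6064))


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass
class Firewall:
    blocked_ports: set = field(default_factory=lambda: set(DEFAULT_BLOCKED_PORTS))
    # Constructed per-service policy: destination ports a service rule allows
    # inbound from External.
    allowed_services: set = field(default_factory=set)
    # Probes against blocked ports are logged here, separately from service rules.
    probe_log: list = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for one packet."""
        # 1. Blocked Ports: checked first, only for packets entering on External,
        #    and regardless of any service rule (the list takes precedence).
        if pkt.in_iface == EXTERNAL and pkt.dst_port in self.blocked_ports:
            self.probe_log.append(
                f"blocked-port probe {pkt.proto} sport={pkt.src_port} dport={pkt.dst_port}")
            return "deny"
        # Traffic between Optional and Trusted is not subject to the list at all
        # (modelled here as unconditionally allowed, a constructed simplification).
        if pkt.in_iface in (TRUSTED, OPTIONAL):
            return "allow"
        # 2. Per-service rules. The second condition models the weakness the
        #    guide describes: a naive rule that treats a packet whose *source*
        #    port is an allowed well-known service as return traffic.
        if pkt.dst_port in self.allowed_services or pkt.src_port in self.allowed_services:
            return "allow"
        return "deny"


def run_scenarios() -> dict:
    """Evaluate constructed sample packets and return the decisions."""
    fw = Firewall(allowed_services={80})
    return {
        # External probe to an X port: denied by the blocked list and logged.
        "ext_to_x": fw.evaluate(Packet(EXTERNAL, 40000, 6000)),
        # Same destination arriving from Trusted: the list does not apply.
        "trusted_to_x": fw.evaluate(Packet(TRUSTED, 40000, 6000)),
        # Source port 80 (an allowed service) aimed at an X port: the naive
        # service rule would allow it, but the blocked-port check runs first.
        "ext_lowsport_to_x": fw.evaluate(Packet(EXTERNAL, 80, 6005)),
        # Source port 80 aimed at an unlisted high port: the naive rule lets it
        # through, which is the exposure the guide describes for high ports.
        "ext_lowsport_to_high": fw.evaluate(Packet(EXTERNAL, 80, 8000)),
        "probes_logged": len(fw.probe_log),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The last scenario is the one to pay attention to: with only service rules in place, a packet carrying an allowed well-known source port reaches an unlisted high port, and the Blocked Ports entry is what closes that gap for the ports you put on it.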
By default, the Firebox blocks several destination ports. These defaults
are convenient and do not normally need to be changed.
Typically, the following services should be blocked:
X Window System (ports 6000-6063)
The X Window System (or X-Windows) has several distinct
security problems that make it a liability on the Internet. Although
several authentication schemes are available at the X server level,
the most common ones are easily defeated by a knowledgeable
attacker. If an attacker can connect to an X server, he or she can
easily record all keystrokes typed at the workstation, collecting
passwords and other sensitive information. Worse, such