Problem solve Get help with specific problems with your technologies, process and projects.

Various ways to open and close ports without a firewall

Is it possible to manage ports without a firewall? Is there a way I can open or close ports on my system manually or any other way?

Yes, you can close ports in a variety of ways. As you probably know, any listening port is a potential entryway for an attacker into a system. Because of this, you should configure your system so that a minimal number of ports are open on it. Open ports correspond to listening services. Each service listens on one or more ports. By closing unneeded ports, you can block attackers from gaining access to your machine.

One very effective way of shutting down listening ports is to shut off the service listening on the port. You can do this in Windows 2000 by using the Control Panel, Administrative Tools, Services tool and shutting off those services you don't need. For example, if you don't need Web services on an NT box, you should shut down IIS. In Unix, you have to edit the /etc/rc.d files, or use one of the many configuration tools available for Unix and Unix-like systems (such as linuxconf for Linux).

Beyond shutting off services, you can also filter ports on the machine itself. In Windows, this can be accomplished by using the built-in packet filtering mechanisms. For Windows 2000, you can find these settings completely buried in Control Panels, Network, Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties, Advanced, Options, TCP/IP Filtering. Using this option, you can filter packets so that only specific TCP or UDP ports or allowed. All other ports are blocked (i.e., closed). It's pretty useful! Alternatively, on Windows, you can define local packet filters (for ports or hosts) by going to Control Panel, Administrative Tools, Local Security Policy, IP Security Policies on Local Machine, Secure Server (Require Security), Add. Additionally, most personal firewalls have the ability to block packets destined for incoming ports.

On Linux and other Unix-like operating systems, you can use a variety of tools to filter incoming ports. You can use IPChains, which is installed by default on the latest version of many Linux distrubtions. Type "man ipchains" to get details on how to use it, or go to http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html for a nice description. Alternatively, you could investigate the currently free PortSentry tool, which has the ability to detect port scans (when an attacker looks for open ports on your machine to try and break in). After PortSentry detects an attack, it can dynamically block the attacker.

This was last published in May 2002

Dig Deeper on IPv6 security and network protocols security