
Some Ports to Block And Why to Block Them

Just a quick reference for setting up your firewall :)

| Port/Range | Protocol | What | Why |
|---|---|---|---|
| 23 | tcp | Telnet | Some devices (eg, DD-WRT WAPs) ship with telnet enabled by default, and it authenticates in cleartext. This port draws constant brute-force login attempts. |
| 67,68 | udp | DHCP | Goes without saying. |
| 111 | tcp/udp | rpcbind | Used to negotiate NFS (among other things), which you want to stay on your network. |
| 135-139 | tcp/udp | Windows crap | The MSRPC endpoint mapper (135) and the NetBIOS name, datagram and session services (137-139), the transports behind the old Messenger-service "net send" spam and a long history of worms. Port 136 is actually not part of this, but I'm lazy and the app it's IANA registered to (PROFILE) is long gone. |
| 161 | udp | SNMP | v1/v2c send the community string in cleartext, and SNMP is a favourite reflection/amplification vector (a small request gets a large reply). Best kept in the confines of your LAN (side note, this would make a good Hacker Jeopardy question). |
| 445 | tcp | SMB/CIFS | Goes without saying. |
| 514 | udp | syslog | Syslog is great, but some systems bind this port by default; OpenBSD's syslogd, for one, has the socket open even though it only accepts remote messages when started with -u. Better safe than sorry. |
| 520 | udp | RIP | A routing protocol that has mostly fallen out of favor, and RIPv1 has no authentication at all. If you need to have this port open, you don't need this guide. |
| 547 | udp | DHCPv6 | Goes without saying. (547 is the server/relay side; clients use 546.) |
| 623,664 | tcp/udp | IPMI / OOB server management (RMCP, RMCP+) | IPMI-over-LAN runs over udp 623 in practice, so block the udp side too. Gets a lot of auth spam, and the IPMI 2.0 RAKP handshake hands an offline-crackable password hash to anyone who starts a session. |
| 1080 | tcp | SOCKS proxy | Most standalone SOCKS proxies (ie, other than SSH -D) are full of holes, and often unauthenticated. An open one lets anyone on the internet pivot into your network or relay abuse through your address. |
| 1900 | udp | UPnP (SSDP) | Great potential for DDoS reflection/amplification if this port answers the internet. |
| 2049 | tcp/udp | NFS | See rpcbind. |
| 3389 | tcp | RDP | Can be useful for administering your Windows boxes, but leaving this port open is a dangerous game: it is brute-forced around the clock. Reach it over a VPN or SSH tunnel instead. |
| 4500 | udp | IPsec NAT-T | IKE/ESP NAT traversal. I block this because OpenBSD seems to listen on it by default. (IKE itself, udp 500, gets the same treatment unless you actually run a VPN endpoint.) |
| 5000 | tcp | UPnP (IGD control) | Generally, you don't want the internet to control your port forwarding. A proper implementation won't answer on the WAN side, but better safe than sorry. |
| 5060 | udp | SIP | Spam spam spam. If you have anything listening on this port, you will get REGISTER and INVITE attempts from toll-fraud scanners for aeons. |
| 5353 | udp | mDNS/Avahi | I personally dislike this protocol, and many of its implementations are full of holes. It is link-local by design; nothing legitimate needs it from the internet. |
| 5900-5903 | tcp | VNC | VNC is unencrypted (and the RFB password challenge is single-DES over a password truncated to 8 characters); use SSH -L if you want to VNC outside your network. |
| 16992-16995 | tcp | Intel AMT | Goes without saying. (Web console on 16992/16993, redirection/SOL on 16994/16995.) |
| 27031 | udp | Steam In-Home Streaming | Steam listens on this port by default, which is a potential security hole. |
| 27036 | tcp/udp | Steam In-Home Streaming | See above. |
| 27037 | tcp | Steam In-Home Streaming | See above. |
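To turn the table into something a firewall can load, here is an added example (my own, not code from the original page) that renders the list above as an nftables ruleset, matched only on the WAN interface so the same services keep working on the LAN. The interface name (WAN_IF, defaulting to eth0) and the table, set and chain names are assumptions made up for the example; 623/664 are listed on udp as well as tcp because IPMI's RMCP uses udp 623. The ruleset is only printed unless you run it with APPLY=1, and the check function needs nft installed.

```shell
#!/bin/sh
# Added example, not from the original page: render the port block list as an
# nftables ruleset that drops inbound traffic to those ports on the WAN interface.
# Assumptions: WAN_IF (default eth0) and the table/set/chain names are invented here.

WAN_IF="${WAN_IF:-eth0}"   # assumption: name of the internet-facing interface

# Ports from the table, split by transport. Entries the table marks tcp/udp appear
# in both lists; 623/664 are added on udp too because IPMI-over-LAN runs on udp 623.
TCP_PORTS="23, 111, 135-139, 445, 623, 664, 1080, 2049, 3389, 5000, 5900-5903, 16992-16995, 27036, 27037"
UDP_PORTS="67, 68, 111, 135-139, 161, 514, 520, 547, 623, 664, 1900, 2049, 4500, 5060, 5353, 27031, 27036"

# Print the ruleset. The chain hooks "input" with a negative priority so the drops
# run before the distribution's own filter chain, and every rule is restricted to
# the WAN interface (the point of the table is to keep these services off the
# internet, not to break them on the LAN).
blocklist_ruleset() {
  cat <<EOF
table inet blocklist {
  set tcp_blocked {
    type inet_service
    flags interval
    elements = { $TCP_PORTS }
  }
  set udp_blocked {
    type inet_service
    flags interval
    elements = { $UDP_PORTS }
  }
  chain wan_input {
    type filter hook input priority -10; policy accept;
    iifname "$WAN_IF" tcp dport @tcp_blocked counter drop
    iifname "$WAN_IF" udp dport @udp_blocked counter drop
  }
}
EOF
}

# Have nft parse the ruleset without loading it (requires nftables to be installed).
check_ruleset() {
  blocklist_ruleset | nft -c -f -
}

# Count the individual ports a comma-separated list covers, expanding "lo-hi"
# ranges, so you can confirm nothing from the table was lost. Pure sh, no nft needed.
port_count() {
  total=0
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    case $item in
      *-*) lo=${item%-*}; hi=${item#*-}; total=$((total + hi - lo + 1)) ;;
      *)   total=$((total + 1)) ;;
    esac
  done
  echo "$total"
}

# Usage: APPLY=1 ./blocklist.sh loads the rules; without APPLY it only prints them.
if [ "${APPLY:-0}" = 1 ]; then
  blocklist_ruleset | nft -f -
else
  blocklist_ruleset
fi
```

Two caveats on using it: a default-deny inbound policy (policy drop, with explicit accepts for the services you actually publish) makes a list like this unnecessary, so treat the ruleset as a stopgap for default-accept setups; and on OpenBSD the same lists go into pf.conf as `block in quick on egress proto tcp to port { ... }` and the udp equivalent rather than through nft.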