
Firewalls:

What is a Firewall?

A Firewall is either a hardware device, such as a broadband router with a built-in firewall, or a software program, whose main purpose is to allow or block incoming or outgoing Internet Protocol traffic to or from your computer or network. Some of the common terms used when discussing firewalls are TCP/IP, UDP, ICMP, and Ping. TCP and UDP carry traffic between computers over numbered "ports"; a program that listens on a port is a service, and the port number is how a remote computer reaches it. If a computer on the Internet sends a request to an unprotected open port on your computer, the service listening there responds with the equivalent of "Hello, how can I help you?"

There are a huge number of evil programs in the wild on the Internet, and all many of them need to infect your computer is to find an exploitable service listening on an open TCP port, break in, and transfer their payload. Some of these programs install email relay or proxy servers, which turn your personal computer into a spam relay. Worse yet, some hostile programs enlist your computer into a "zombie botnet," where it quietly awaits commands that will cause it to launch an attack on a legitimate website (known as a DoS or DDoS attack). The consequences will fall on you if and when the authorities trace the source of some of these attacks or spam emails to your connection. Additionally, your computer or Internet connection may bog down to the point of being useless due to the load created by such backdoor program activities.

A hardware firewall appliance, or a broadband router/firewall combination box, is usually set to block unsolicited incoming traffic only: it lets replies to connections your computers opened back in, and drops everything else. Most of them will allow you to create a limited number of custom rules to block or allow traffic to or from your computers on certain port numbers or port ranges. While this will protect your computers against most incoming TCP threats, it does nothing to stop a program that is already on your computer from calling out once it has slipped past your own defences. This can occur if you open hostile email attachments, download infected files from untrustworthy sources, or are hit by browser and email client exploits, or by operating system vulnerabilities triggered by specially crafted image or movie files.

To protect your individual computers from internal threats that sneak in and try to call out, you should install a software firewall program. Download or purchase a reputable "firewall" program (see my recommendations below, or search on Google or Yahoo for "personal firewall"). Install and configure the firewall to only allow the programs of your choice to transmit outward to the Internet, and to alert you about unauthorized outgoing attempts. This will stop "backdoor" and "Trojan horse" malware programs that slip onto your computer from phoning home to notify their owners of your computer's existence and let them control it for evil purposes.

Most firewall programs will pop up a permissions dialog box whenever any application attempts to connect to the Internet, or when any outside computer attempts to probe your computer while you are online. If you don't know the purpose of a program, or suspect that it might be a spyware application, just refuse it permission to connect to the Internet, or to your computer. The safe default when in doubt is "deny"; a legitimate program that really needs the connection will fail in an obvious way and you can then grant it a rule.

Firewalls stop the MS Blaster and similar TCP-borne threats:

In August of 2003 the MS Blaster worm was set loose on the mostly unprepared worldwide owners of Windows 2000 and XP computers (Windows NT 4.0 and Server 2003 were also vulnerable). The Blaster worm took advantage of a buffer overrun in the Windows Remote Procedure Call (RPC) DCOM interface, and spread entirely over TCP connections to port 135, the RPC endpoint mapper. The Blaster worm, and the similar exploits that followed it, attacked Microsoft RPC and DCOM subsystem vulnerabilities that had actually been patched via Windows Update nearly four weeks before the Blaster worm was loosed: the fix (Microsoft security bulletin MS03-026) was published on July 16, 2003, and the worm appeared on August 11.

Unbelievably, in 2006 the MS Blaster worm and its later variants are still propagating across the Internet and are still infecting unpatched Windows 2000 and XP computers worldwide, which in turn send out a constant stream of TCP probes to port 135, looking for more unpatched machines to infect.

Infected machines may suffer from constant rebooting as the RPC (Remote Procedure Call) service crashes under the activity of this class of worm. These worms exploit critical security vulnerabilities in the Windows XP, 2000, and Server 2003 operating systems and can infect an unprotected computer within just a few seconds of its connecting to the Internet. Since the discovery of the Blaster worm in 2003 Microsoft has released many critical security patches and one major service pack update (Windows XP Service Pack 2) to address these and other Windows operating system vulnerabilities that have been, and continue to be, discovered.

When the Blaster worm was unleashed it was soon discovered that hundreds of thousands of vulnerable computers were not infected because they were protected by either hardware (external) or software firewalls. This was due to the fact that by default most firewalls block unsolicited incoming TCP and UDP traffic, including requests to connect to your TCP ports 135 or 445, which are used by the RPC exploit worms. These machines were then patched against further exploits by the IT personnel responsible for protecting their company's computer assets, or by the security-minded individual owners who had been spared by their foresight in purchasing a firewall.

While a properly configured firewall can prevent Blaster-like TCP worms from taking over your computer(s), it won't eliminate the vulnerability in your operating system, which is known as the "DCOM RPC vulnerability." A firewall only keeps the probes away from the flaw; the flaw is still there, and any packet that reaches port 135 by another route (an infected laptop on the LAN side, a VPN, a rule you loosened for file sharing) will find it. To correctly protect your computers, go to Windows Update and get all the available updates, security rollups, service packs and hotfix patches. Windows updates are scheduled for release on the second Tuesday of every month, although there are occasions when hotfixes are released ahead of schedule to address immediate critical threats.

Whether your computer is protected by a hardware or software firewall, the following TCP and UDP ports need to be blocked to incoming traffic to protect your computer from RPC buffer overrun exploits: TCP and UDP 135, 137, 138, 139 and 445, plus TCP 593 (RPC over HTTP). Blocking them inbound does not affect your own outbound connections or the replies to them.

Grc.com (Gibson Research Corp.) has an online port scanner (ShieldsUP) where you can test your computer's shields against attacks on TCP ports from outside your firewall. This tool will reveal any weaknesses in your firewall or its rules. A port reported as "closed" still tells the scanner that a computer is there; a port that is silently dropped ("stealth") gives nothing away at all.
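The three verdicts an outside scanner can reach (open, closed, or no answer at all) are easy to confuse, so here is a small TCP connect probe that labels them. This is an added example, not code from this page or from GRC; the host names and ports are placeholders, and a real shields test has to be run from outside your firewall, which is exactly what grc.com does for you. Exercised against a throwaway listener on 127.0.0.1 it shows "open" and "closed"; the "filtered" verdict is what a firewall that drops the packet produces.

```python
"""TCP connect probe: open / closed / filtered.

Added example (not Wizcrafts' or GRC's code). Runs offline against a local
listener; nothing here bypasses or tests anything other than the host you name.
"""
import socket

RPC_PORTS = [135, 137, 139, 445, 593]   # the ports this FAQ says to block inbound


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open     - something completed the TCP handshake: a service is listening
    closed   - the host answered with a reset: nothing listening, but the host
               is visible and will happily be probed further
    filtered - no answer within the timeout: a firewall silently dropped the
               SYN (GRC calls this "stealth"), or the host is unreachable
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports=RPC_PORTS, timeout: float = 2.0) -> dict:
    """Probe several ports and return {port: verdict}."""
    return {p: probe(host, p, timeout) for p in ports}


def start_listener(port: int = 0):
    """Bind a throwaway listener on 127.0.0.1 (port 0 = any free port).

    Returns (chosen_port, socket). Used only to demonstrate the 'open' verdict;
    close the socket to see the same port turn 'closed'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    port, srv = start_listener()
    print(f"listener on {port}:", probe("127.0.0.1", port))   # open
    srv.close()
    print(f"after close {port}:", probe("127.0.0.1", port))   # closed
    # Against your own WAN address this only makes sense from the outside.
    print(scan("127.0.0.1"))
```

Run it from a machine outside your network against your public address (or just use grc.com) and you want every port in RPC_PORTS to come back "filtered"; "closed" means the firewall let the packet through and the host answered.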

Consult your firewall documentation for help with configuring the blocking of specific ports and directions.

As an example, for users of Kerio (now Sunbelt), or Tiny Personal Firewall 2.15, or equivalent: double-click on the KPF tray icon to open the Firewall Properties box. Click on the "Advanced" button on the main Firewall tab. The advanced rules window will open. Create a new rule called "Block RPC Ports." Select "TCP and UDP" protocols, "Incoming" for Direction, and "List of ports" for Local Endpoint. Then type in these port numbers with a comma between them: 135,137,138,139,445. For Application choose "Any." For Remote Endpoint Address and Port choose "Any." For Rule Valid choose "Always." For Action select "Deny." Click OK on the new rule page to close it, then click Apply on the main rules window to save the new rule. Do not close the main rules window yet.

Now, create an additional rule to block incoming TCP to the Local Endpoint single local port 593 (RPC over HTTP), for "any" application, from "any" remote address or port, "always" valid, with "deny" as the action. Click OK and Apply as above, then OK to close the rules window and OK to close the Firewall Properties box. Rules are evaluated in order, so keep these deny rules above any "allow" rules you add later for file sharing or games.
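To make the two ideas in this section concrete, the stateful inbound blocking that saved firewalled machines from Blaster and the per-application outbound control a personal firewall adds, here is a small model of a host firewall in Python. It is an added example, not code from this page or from Kerio/Sunbelt; the program names, addresses and the egress policy table are constructed, and the object only classifies in-memory packet descriptions, it does not filter real traffic.

```python
"""Toy host-firewall model: stateful ingress filtering plus per-program egress control.

Added example, not Wizcrafts' or Kerio's code. Packets, program names and the
connection table are constructed in memory; nothing touches a network interface.
"""
from dataclasses import dataclass

# The two Kerio rules from the FAQ, as (protocols, local ports) deny entries.
RPC_BLOCK_RULES = [
    ({"tcp", "udp"}, {135, 137, 138, 139, 445}),   # "Block RPC Ports"
    ({"tcp"}, {593}),                              # RPC over HTTP
]

# Hypothetical per-application egress policy of the kind a personal firewall
# builds up from its permission prompts: program -> remote ports it may use.
EGRESS_ALLOW = {
    "firefox.exe": {80, 443},
    "outlook.exe": {25, 110, 143, 993, 995},
}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    direction: str      # "in" or "out"
    remote_ip: str
    remote_port: int
    local_port: int
    app: str = ""       # originating program, for outbound packets only
    syn: bool = False   # True for a TCP packet that opens a new connection


class HostFirewall:
    def __init__(self, egress_allow=None, drop_ping=True):
        self.egress_allow = EGRESS_ALLOW if egress_allow is None else egress_allow
        self.drop_ping = drop_ping          # "Discard PING from WAN side"
        self.established = set()            # connections this host opened itself
        self.prompts = []                   # (app, remote_port) the user would be asked about

    @staticmethod
    def _key(p):
        return (p.proto, p.remote_ip, p.remote_port, p.local_port)

    def filter(self, p: Packet) -> str:
        return self._egress(p) if p.direction == "out" else self._ingress(p)

    def _egress(self, p):
        allowed = self.egress_allow.get(p.app)
        if allowed is None:
            # Unknown program calling out: the "Trojan phoning home" case.
            # Block it and record that the user must be prompted.
            self.prompts.append((p.app, p.remote_port))
            return "deny-prompt"
        if p.remote_port not in allowed:
            return "deny"
        self.established.add(self._key(p))  # remember it so replies get back in
        return "allow"

    def _ingress(self, p):
        # 1. Explicit RPC/NetBIOS/SMB denies sit first and win regardless of state.
        for protos, ports in RPC_BLOCK_RULES:
            if p.proto in protos and p.local_port in ports:
                return "deny"
        # 2. Replies to connections we opened are allowed (stateful filtering).
        if not p.syn and self._key(p) in self.established:
            return "allow"
        # 3. ICMP echo policy.
        if p.proto == "icmp":
            return "deny" if self.drop_ping else "allow"
        # 4. Default: unsolicited inbound is dropped, whatever the port.
        return "deny"


if __name__ == "__main__":
    fw = HostFirewall()
    # Constructed sample traffic (documentation-range addresses).
    browser = Packet("tcp", "out", "203.0.113.10", 443, 49152, app="firefox.exe", syn=True)
    reply = Packet("tcp", "in", "203.0.113.10", 443, 49152)
    rpc_probe = Packet("tcp", "in", "198.51.100.7", 51000, 135, syn=True)
    smb_probe = Packet("tcp", "in", "198.51.100.7", 51001, 445, syn=True)
    phone_home = Packet("tcp", "out", "198.51.100.7", 6667, 49153, app="svch0st.exe", syn=True)
    for name, pkt in [("browser", browser), ("reply", reply), ("rpc_probe", rpc_probe),
                      ("smb_probe", smb_probe), ("phone_home", phone_home)]:
        print(f"{name:<11} {fw.filter(pkt)}")
    print("would prompt for:", fw.prompts)
```

The order in `_ingress` is the important design choice: the explicit denies come before the stateful "allow replies" check, so a rule you later add to open a port for file sharing cannot accidentally re-expose 135 or 445, and the default at the bottom is deny, which is why a Blaster probe is dropped even on a firewall with no RPC rule at all.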

If you are connected to a home or business network using a router with a built-in firewall, or a separate hardware firewall, it should be configured to block all incoming packets except those that you wish to permit and create rules for (such as WinMX, VPN, FTP, etc.). A D-Link DI-604 broadband router contains a basic, user-programmable hardware firewall which blocks ALL unsolicited incoming traffic by default. You must create rules to allow incoming communications, such as are needed to use WinMX or other file-sharing programs. D-Link has an extensive FAQ section in the supplied manual and online to help owners of the DI-604 configure their firewalls to allow incoming traffic on one or more numbered ports while blocking everything else.

Other security items pertaining to the D-Link router firewall are to disallow remote management and incoming pinging unless you really need them. The checkbox for the Remote Management setting is found (on the DI-604) under "Tools" > "Admin" > "Remote Management," which should have the Disabled option selected; leaving it enabled exposes the router's own administration page to the whole Internet, where it is only as safe as its password. The pinging option is under "Tools" > "Misc" > "Discard PING from WAN side." This is really a judgement call, because some programs or ISPs may require you to allow incoming pinging for online status confirmation, so test this option before turning it off. A positive answer to an outside ping confirms that a computer exists at that IP address. It does not open any doors by itself. Therefore, unless you have disabled the built-in firewall or downloaded a backdoor program, no direct advantage is gained by outsiders knowing that you exist online.

Made for wired networks, the DI-604 contains a user-configurable firewall and access filters which block or permit traffic based on IP address, domain name, MAC address, or port numbers. It uses NAT to separate the computers on the LAN from the Internet, and provides DNS service to the LAN. The default firewall rules are set to block unwanted or (usually) hostile incoming probes and traffic, thus protecting the computers connected to it. Manufactured by D-Link, the DI-604 is used and recommended by Wizcrafts for both cable and DSL Internet connections. You have to read the dropped-packet logs to believe the sheer volume of attacks aimed at exploiting vulnerable, unprotected ports, every minute of every day!

If you don't have a separate firewall program and are not using a router with a built-in firewall, but you are running Windows XP, your operating system has a built-in basic firewall available and waiting to be enabled. The instructions are found on this page at Microsoft's knowledge base. Windows XP Service Pack 2 turns the built-in Windows Firewall ON by default. Note that the Windows XP firewall filters incoming traffic only; it will not warn you about programs calling out.

Attn: Comcast Cable and SBC Yahoo! DSL Internet customers:

Due to the MS Blaster worm and its copy-cats, Comcast has followed Microsoft's recommendations and blocked all incoming requests to the vulnerable ports (135, 137, 139 and 445) since August 14, 2003. See the Microsoft document for the list of blocked ports. These ports are still being blocked by Comcast and there are currently no plans to unblock them. An ISP block is a convenience, not a substitute for your own firewall: it does nothing against an infected machine on the same LAN, and it can be lifted without notice.

In response to vulnerabilities attributed to computers running certain Microsoft operating systems, SBC Internet Services has blocked TCP ports 135, 139, 445 and 1025 for all basic dynamic subscribers nationwide, effective Thursday, April 29, 2004. (These ports are no longer being blocked for static subscribers.) These ports are known to be used by worms and viruses to spread to other computers through the Internet. Blocking these ports may affect your ability to use:
