Hi,
Thanks to all who have been explaining mDNS, nsswitch, etc. I had not realised how 'chatty' our computers have become.

If I go to the local coffee shop and connect my laptop to their WiFi, which incoming and now outgoing ports should I have blocked to ensure that no nefarious people are able to communicate with my laptop?

For some of my servers I block all "low ports" 0-1023 for both incoming and outgoing ports, only opening whatever ports are actually required (incoming ports for the server's services, outgoing ports for DNS, software updating, etc.). I have left "high ports" 1024-65535 open.

My understanding of networking was: low ports are used for services listening for incoming traffic to establish communications; high ports are used when communication with a service has been established and ongoing communication will continue, and so it is agreed that the communications will continue on a new, high port number (ephemeral). For example, a request for an FTP transfer will start on port 21, but the actual transfer(s) will be moved to using a high port number, freeing port 21 for listening for new incoming FTP requests.

If my computer's services start communicating on high ports, for example mDNS uses port 5353/udp, then I expect I should block these high ports to/from the Internet. Which brings me back to "what ports" are systems today using? mDNS is news to me, and ignorantly I have never thought of the implications of UPnP even though I knew it existed as a technology. Hence which high ports should be blocked in the Internet firewall for outgoing and/or incoming traffic?

I am only familiar with the idea of "low ports" 0-1023 and "high ports" 1024-65535, dating back to the 1990s, so I guess things 'might' have changed since then. Previously I only blocked "low ports" 0-1023 and left high ports unblocked, but now that services are using ports above 1023, should I be blocking more ports?
https://en.wikipedia.org/wiki/Port_(computer_networking)
  The well-known ports (also known as system ports) are those numbered from 0 through 1023. The registered ports are those from 1024 through 49151. IANA maintains the official list of well-known and registered ranges.[3] The dynamic or private ports are those from 49152 through 65535. One common use for this range is for ephemeral ports.

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports

Though I find different interpretations as to the use of various ports:

https://support.checkpoint.com/results/sk/sk156852
  The different type of ports: Low: Reserved ports for services that require ports from 600 to 1024. High: Ports for general use, from 10,000 to 60,000. Extra: Reserved ports for VoIP connections, from 60,000 and above.

This comment made me smile:
  "Ports numbered 64000 (an arbitrary number which might be varied as a result of experience) or above will not be blocked because, as far as UIS is aware, these have not so far been used for malicious activities to any extent."
https://help.uis.cam.ac.uk/service/network-services/techref/portblocking

Other sources:

https://support.huawei.com/enterprise/en/doc/EDOC1100297670
  High-Risk Ports: What Are the Common High-Risk Ports and How to Block Them

https://support.microsoft.com/en-au/topic/preventing-smb-traffic-from-lateral-connections-and-entering-or-leaving-the-network-c0541db7-2244-0dce-18fd-14a3ddeb282a
  Perimeter hardware and appliance firewalls that are positioned at the edge of the network should block unsolicited communication (from the internet) and outgoing traffic (to the internet) to the following ports.

https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-mDNS-Dienste/Offene-mDNS-Dienste_node.html
  Multicast DNS (mDNS) is used for resolving host names to IP addresses within small networks that do not include a local DNS server. It is implemented e.g. by the Apple 'Bonjour' and Linux/BSD 'Avahi' (nss-mdns) services. mDNS uses port 5353/udp.

https://www.sprocketsecurity.com/resources/why-no-workstation-needs-inbound-smb
  Why no Workstation Needs Inbound SMB

https://nordvpn.com/blog/what-is-upnp/
  What is UPnP and why you should disable it immediately

https://www.hackercombat.com/the-universal-plug-plays-unending-security-nightmare/
  The Universal Plug & Play's Unending Security Nightmare
  What made UPnP vulnerabilities as effective attack surface/loophole is the tyranny of the default.

George
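Added example, not from George or anyone else in the thread: a small Python model of the stateful laptop policy the question is reaching for, showing that the deciding factor is whether the laptop initiated the flow (conntrack state), not whether the port is above or below 1024. Packet, decide and evaluate are hypothetical names, and every port number except 5353/udp is an IANA assignment I am supplying rather than a value from the thread.

```python
from dataclasses import dataclass

# Protocols the thread flags as risky on untrusted Wi-Fi. Port numbers are
# the IANA assignments; only 5353/udp (mDNS) is stated in the post itself.
BLOCKED_OUTBOUND = {
    ("udp", 5353),                             # mDNS
    ("udp", 1900),                             # SSDP (UPnP discovery)
    ("tcp", 445), ("tcp", 139),                # SMB / NetBIOS session
    ("udp", 137), ("udp", 138),                # NetBIOS name / datagram
}

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to the laptop
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    state: str      # conntrack state: "new", "established" or "related"

def decide(pkt: Packet) -> str:
    """Hypothetical stateful policy; returns "accept" or "drop"."""
    if pkt.state in ("established", "related"):
        return "accept"   # reply to a connection the laptop opened
    if pkt.direction == "in":
        return "drop"     # unsolicited inbound: port number is irrelevant
    if (pkt.proto, pkt.dport) in BLOCKED_OUTBOUND:
        return "drop"     # don't announce or offer shares on a strange LAN
    return "accept"       # everything else the laptop initiates

def evaluate(packets):
    return [decide(p) for p in packets]

# Constructed sample traffic (not captured from a real network)
SAMPLE = [
    Packet("out", "udp", 51234, 53, "new"),          # DNS query
    Packet("in",  "udp", 53, 51234, "established"),  # reply lands on a high port
    Packet("in",  "udp", 5353, 5353, "new"),         # stranger's mDNS query
    Packet("out", "udp", 5353, 5353, "new"),         # our own mDNS announcement
    Packet("in",  "tcp", 40000, 22, "new"),          # inbound SSH attempt
    Packet("out", "tcp", 52000, 443, "new"),         # HTTPS to the Internet
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{p.direction:>3} {p.proto} {p.sport}->{p.dport} {p.state:<11} {verdict}")
```

The DNS reply arriving on port 51234 is accepted and the mDNS query arriving on 5353 is dropped even though both are "high" inbound ports; only the state and direction differ.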