[zergpc208]

From what I read one should block all ports and service has hackers will scan for open ports.

A port for a network is not a physical port but like a radio channle that computers talk on .Every port has a different type of data has every radio channle has different use fire ,EMS, PD so on.

A computer cannot talk to other computers if a port is not open. Again a port is not a physical port but like a radio channle.

Well every port has a different type of data or every port is use for different type of data .A service is some program or some thing running in the background.

[Elvandil]

If you block all ports, then you can't connect to the internet.

[JohnWill]

All incoming ports are blocked by default with most firewalls or routers. Hackers can't scan for outgoing ports unless they have soemthing running on your physical machine, so that's not much of an issue.

[zergpc208]

What ports should be blocked or should not be blocked ? How should I set up my firewalls or routers to block ports but still connect to the internet with out blocking all?

[JohnWill]

You can block all incoming ports in your firewall or router and still have full Internet connectivity. The only reason to have open ports is if you have some specific application that requires open ports, like a game or an IM client.

[zx10guy]

As John has stated, the default configuration for all firewalls is to have all incoming ports blocked. So you don't have to do anything. How many NATing (network address translation) routers/firewalls work with having inside traffic going out is via something PAT (port address translation) as Cisco refers to it. Port address translation works by having the firewall keep a table of outgoing and incoming traffic. When a computer/client initiates a connection, the OS grabs a high port...anything over port 1023 as anything at 1023 and below is reserved. So your OS grabs say port 25000 and wants to speak to a webserver on port 80. The traffic hits your firewall which will then strip the private address of the client PC and substitute the public IP of your ISP service and slap the 25000 orginating port onto the changed packet then forwarding it on through the internet. The return traffic would then be allowed back as the firewall sees an open connection entered into its traffic table so the firewall would then allow the incoming reply strip the destination address of your public IP off and insert the original private IP of your client PC before tossing it onto your local network. I would say it is safe to say that all firewalls now are of the SPI type which is stateful packet inspection. SPI means the firewall actually goes into the the actual communication between inside and outside devices to ensure the traffic coming back into the firewall from the internet is an expected packet based on the communication type that was initiated by your PC on your internal network.

When you open ports to allow outside devices to communicate with internal devices on your private network commonly referred to as port forwarding, you are in essense poking holes in your firewall to defeat its default behavior of blocking all outside initiated traffic from entering into your internal network. Obviously this lowers the security protection of your firewall and exposes your internal network to some risks. How much really depends on what you're allowing through and how vulnerable the target computer is on the receiving end of the port forward. I have gotten into heated debates with some "experts" on a past project that has no concept about how firewalls work or even an understanding of network security. I personally do have some open ports on my current firewall but I have layered my network to minimize any type of compromise which may happen. I also need to see if the SPI features of consumer grade and SMB firewalls are in effect with traffic from the outside going in. I know that business grade firewalls like Cisco's ASAs will do SPIs in both directions to include up to layer 7 which means I can create rules to hone into the actual URL requests.

Hope this clears things up some.

[Jason08]

If you have many ports open on the router, it would be a good idea to have a software firewall running.