
Why are processes listening to closed ports on my firewall?

Question:

When I look at my firewall log I see a number of processes that are
listening on the internet, including some on ports that the firewall has been
programmed to keep closed. What are these processes (like svchost, lsass,
windows explorer, etc.) listening for? And how are they listening on ports that
are supposed to be closed?

Oh, they may be listening, but that doesn’t mean they’re going to hear
anything.

It’s really just the nature of how a firewall works, so I’ll use this as an
opportunity to clarify that a little.


In an unprotected system, every application that wants to be able to respond
to an incoming message from another computer somewhere out on the internet is
said to be “listening”. It does this by registering itself with the network
component of the operating system, saying in effect, “whenever you receive a
message of this type, give it to me and I’ll deal with it”.

In a very important sense, each process is connected directly to the
internet, listening for messages of the type that it wants to hear about:

Applications Listening to the Internet

Now, what I’ve called a message of “this type” is identified by what’s
called a port number, so processes are said to “listen” on “ports”. That’s how
each process listens for only one type of message without interfering with the
messages destined for another process. Windows itself might be listening for
file-sharing requests on one port, while an instance of svchost.exe is
listening for incoming Remote Desktop requests on another.

Using TCPView, here’s a snapshot of
the processes listening on my machine as I write this:

TCPView displaying ports being listened to

Among other things, you can see an instance of svchost listening on port
3389, which is the incoming port for Remote Desktop requests.

When we add a firewall to the picture, none of that changes:

Applications Listening to the Internet, through a Firewall

In a sense, the firewall lives on the “internet side” of the computer’s
network connection. All the processes are unaffected; they don’t know about the
firewall, they just keep doing whatever it is they do. They keep listening.

The firewall simply prevents messages coming in from ever reaching any of
the processes listening for them. The messages are “blocked” at the firewall.
This is how a firewall protects you – it keeps all unexpected messages from
ever reaching the software that might try to act on them. Particularly if
you’re connected directly to the internet, you’ll see that there are many such
“unexpected” messages, and the vast majority of them are viruses, malware, and
other hacking attempts. Your firewall stops them cold.

But what if we want to be able to respond to some of those
messages? What if we know that certain messages are okay and that we
actually want to use the functionality those messages represent?

Remote Desktop is a good example. Even with a firewall in place, my
computer is still listening on the Remote Desktop port (3389), so all we need to
do is configure the firewall to allow that port through. Once that’s configured,
everything else can remain blocked, but a message that comes in destined for
port 3389 is let through. (Naturally, I’ll want to make sure that remote access
is secure in other ways, perhaps by using exceptionally strong login passwords,
since the internet can now reach my machine on that port.)

That’s why you sometimes have to configure your firewall before some
applications will work. The application might be listening, but the firewall
could be preventing it from ever hearing anything.
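Here is an added example (not from the article) of checking exactly this on a current Windows machine with PowerShell: it lists every TCP listener much as TCPView does, then marks whether an enabled inbound “Allow” rule in Windows Firewall actually lets traffic reach that port, so “listening but blocked” entries like svchost or lsass stand out from ones like 3389 that a rule has opened. It assumes the built-in NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 or later) and an elevated prompt, and it does not expand keyword ports or honour program-, address- or profile-scoped rules, as the comments note.

```powershell
# Added example, not from the article. Assumes Windows 8 / Server 2012 or later
# (NetTCPIP and NetSecurity modules) and an elevated prompt for full PID names.

# 1. Is the firewall actually on, and is inbound "block by default" in effect?
#    If a profile is disabled or defaults to Allow, every listener is reachable.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize

# 2. Collect the TCP ports that enabled inbound Allow rules open up.
$allowed  = New-Object 'System.Collections.Generic.HashSet[int]'
$allowAny = $false
$filters  = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
            Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' }
foreach ($f in $filters) {
    foreach ($p in @($f.LocalPort)) {
        if ($p -eq 'Any') { $allowAny = $true }
        elseif ($p -match '^(\d+)-(\d+)$') {
            foreach ($n in [int]$Matches[1]..[int]$Matches[2]) { [void]$allowed.Add($n) }
        }
        elseif ($p -match '^\d+$') { [void]$allowed.Add([int]$p) }
        # Keyword ports ('RPC', 'IPHTTPSIn', ...) are left unexpanded here, and
        # rules limited by program, remote address or profile are treated as
        # opening the port for everyone, so this view errs toward "allowed".
    }
}

# 3. Every TCP listener, like TCPView's view, tagged with its firewall status.
$report = foreach ($c in Get-NetTCPConnection -State Listen) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $status = if ($c.LocalAddress -in @('127.0.0.1', '::1')) {
                  'loopback only'            # the system "talking to itself"
              } elseif ($allowAny -or $allowed.Contains([int]$c.LocalPort)) {
                  'ALLOWED by rule'          # e.g. 3389 once Remote Desktop is opened
              } else {
                  'listening, but blocked'   # the svchost/lsass entries in question
              }
    [pscustomobject]@{
        Port     = $c.LocalPort
        Address  = $c.LocalAddress
        PID      = $c.OwningProcess
        Process  = if ($proc) { $proc.ProcessName } else { '?' }
        Firewall = $status
    }
}
$report | Sort-Object Port, Address | Format-Table -AutoSize
```

Anything reported as “listening, but blocked” is the situation the question describes: the process has registered for the port, but the firewall never hands it a packet.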

As a side note, so far we’ve only talked about blocking incoming messages.
Many software firewalls work both ways: blocking unwanted messages coming
in and also unexpected messages going out. If a program needs to be able to
communicate out to other machines through ports that aren’t already open in the
firewall, you might have to configure it to allow those ports through as
well.

Finally, all this raises the question: if a firewall is going to prevent
any messages of a given type from reaching us, then why are we “listening” at
all?

It’s a legitimate question. Sometimes you can in fact turn off or
disable the software that’s listening on a given port because it’ll never be
activated. If I didn’t use Remote Desktop, for example, I’d turn off the
service and it would stop listening on 3389. Not only would that prevent
accidental or malicious connections to that port, it would also free up memory
for other processes to run.

In other cases, things aren’t quite that simple. Quite often the system
“talks to itself”, so to speak, through networking connections that need to
remain open. Other programs simply can’t be told not to listen even
though you might still want them running for other reasons.

In an ideal world we wouldn’t need firewalls. Every machine would listen for
only those things it needs and would do so in a perfect bug-free way. There
also wouldn’t be malware out on the internet trying to propagate and infect
your machine through your network connection. But we don’t live in an ideal
world, and a firewall is a critically important first line of defense.


2 comments on “Why are processes listening to closed ports on my firewall?”

  1. I have Firestarter on my laptop and for some reason it keeps closing itself. I just changed from Windows to Linux (Ubuntu) and left everything as default. Is there anything I can do to prevent this? Thank you in advance.
