Internet Security Management for WIN95/98+ Home User©

by: Thomas P. Herrod

Copyright© 2000 - 2001
Updated: 11/09/2001

The Basics:

Most people who surf the web, send/receive email and participate in other activities over the Internet have little or no knowledge of how truly unsafe they really are on the largest network ever created by man. Ask them what a firewall or intrusion detection system is, and 8 out of 10 times their definition of a firewall is highly inaccurate. Intrusion Detection System is described more accurately, but is also not fully understood. First, let's talk about the "bad" things that can happen to you over the Internet. Most people do not know how vulnerable they truly are. Denial normally sets in, and I hear this excuse most often: "All I do is E-Mail or surf the web a little, I'm not worried". You should be, and hopefully after you read this, your mindset will change on how you view the real world over the Internet. To learn more about the Internet and what Protocols are, visit these web sites:


Firewall: Any number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitors transfers of information to and from the network/computer. If a program or external user on the network/computer tries to access ports on your computer without authorization, the Firewall "BLOCKS" the communication to your computer.

Intrusion Detection Software/Hardware: Same as above, but mostly uses different coding to detect intrusions to your computer. When detected, the software/hardware will "Block" the communication also. Some even try to "Back-TRACE" the offending communication to the source as well. BlackICE Defender is one of these pieces of software. It has firewalling techniques, but is not a full-blown Firewall like other software. It has hard-coded rules that it follows for intrusion detection, and is thus easier to use for the newcomer. A Firewall, on the other hand, is more configurable for the administrator of the system, down to what ports it can/cannot use and what type of protocol it will use. BlackICE Defender also employs 7-Layer Stateful Packet Inspection, which most lower priced firewalls omit but the costly firewalls have. Using an IDS with your firewall gives you double the protection, and if your firewall is misconfigured, you can catch it with the IDS. Simply put, BlackICE Defender is a superior IDS for Windows users.

Internet Explorer Security:

How safe is Microsoft Internet Explorer? Check out the links below for some eye opening revelations concerning this product and the technologies it employs to make your browsing experience seem to be really neat, but can destroy your data or take control of your computer by a malicious person(s) when they know these exploits:

Internet Explorer Security:

ISP's and Names?:

Believe it or not, some ISP's APPEND NAMES to their customers' IP NUMBERS. They usually do this for identification reasons for log files and monitoring. For BroadBand Connections like DSL/CABLE users, this is just beaconing what type of connection they have and will simply make a hacker/cracker/Script kiddie's job easier for targeting these broadband connections. They normally use conventions like this:

Where "x" is the IP Number:



The author HIGHLY SUGGESTS to ISP's to stop this appended naming convention, not only for DSL/Cable customers but for DialUp customers as well. This naming convention might aid the ISP, but that is what the IP NUMBERS are for. Yes, hackers/crackers/Script kiddies can figure out what type of connection a customer is using, but why aid them in this task? There simply is no reason for this folks, and I suggest you contact your ISP and kindly ask them to change their policy regarding this attached naming convention to your IP Number. At the least, the ISP should ask the customer if they want it appended or not to their IP Number, not force it upon the customer by beaconing what type of connection they use via the Internet. Simply put, this is just ISP's bragging about what type of connections they have, and does nothing to mask what type of connection a user is connecting with. For people with Routers, I also suggest that you change those cool names also. Don't make yourself an easy target for hackers, crackers, and Script kiddies.

The Good, the BAD, the Ugly:

Yes, believe it or not, there are bad people that stalk the Information Highway, the Internet. We call these people hackers by default, but that is not true. Most true hackers do not cause havoc. They simply are intrigued with their computers and how they work. This is the true Hacker.

Script Kiddies:

Script Kiddies are people that download and install nasty programs that infiltrate your system to do one thing: "Disrupt your normal Internet experience". This can come in different forms, like Denial of Service: when you can't access web sites or read your e-mail, or your server is getting hit by so many bogus people that it cannot accept other real people trying to access your site. Normally, the Script Kiddie will target specific web sites or the IP numbers of specific computers in order to stop them from working properly. Denial of Service can be checked by contacting the web site and asking if they are having problems, or your ISP, in the rare case that maybe they are having difficulties.

Make sure your Win95/98+ system has all updates installed for it, as well as Firewalls, Drivers and Anti Virus programs.

Microsoft TechNet Security:

Firewall updates, Intrusion Detection Software, Anti Virus, and Driver Updates are very important to maintain on a regular basis!

Script Kiddies can ping you: seeing if you are online, for good reasons, or for scanning your system for open ports so they can attack your computer. Normally, if you are playing a Multiplayer game over the Internet, these types of pings are normal in order for your system to communicate with the others. Other types of pings come from the sites you visit, or programs that you download over the Internet. These are normal. The bad pings come from IP numbers you are not familiar with, and when you are getting hammered with so many bogus pings, they deny your Internet service.

Hackers/crackers/Script kiddies use these pings to see if you have an opening on your system so that they can climb in and have a field day with your files or to be purely malicious and delete your hard drive or critical files for a laugh, or just hammer your system with so many pings, it will LAG: (Derogatory term for slow access to the Internet) you to make you upset, or to win a game via Multiplayer on the Internet. Pretty nasty stuff. There are so many different types of attacks, it boggles the mind. Anything from backdoors in programs, to operating system exploits: (Known security breaches in programs that can be used maliciously), to advertisers that lie to you, and steal your private information by contacting their mother server over the Internet without telling you anything about it. Did I mention IP Spoofing, ARP Spoofing and Redirect? Do you still feel safe now??? Read on to educate yourself and what you can do to help protect yourself, and your loved ones, when online.

Use a Packet Sniffer: a program that displays EVERY packet coming to or going out of your computer.
Most serious administrators on networks have these, but you can search the Internet for ones that work with Win95/98+/NT and other Operating Systems. I recommend the Sniffer program below. It will show you in real time, what is coming in and going out to the Internet, from your system.

CommView - Win95/98/ME/NT/2000/Modems/Cable/xDSL:
CommView is a Packet Sniffer. It will monitor all Internet traffic coming into
your computer (Inbound), as well as monitor all out going Internet traffic (Outbound).
Great for catching rogue programs calling out on the Internet behind your back,
as well as monitoring your firewall or IDS for leaks!

NOTE: Parents, keep Packet Sniffers away from your children!

Below are some other useful programs that will monitor certain things on your computer, including Internet Security related processes:

AATools - Win95/98/NT/2000:
Port Scanner, Proxy Analyzer, CGI Analyzer, E-mail Verifier, Links Analyzer,
WhoIS Lookup, Network Status, Process Info, System Information, Resource Viewer, More!

PrcView - FREE Win95/98 Processes Viewer:
View every program loaded into memory. You can manipulate processes also!

AutoTAB - View multiple running programs! A MUST for Admins!:
Administrators and Internet Security people will love this! You can set it up to
automatically switch between program window screens for monitoring different
programs at predetermined intervals, and even multiple security camera screens!
Very cool, and FREE!

What you can do:

First, this tutorial is basically aimed at the normal user running WIN95/98+ that is NOT running a private network via the Internet. People that have a DialUp account with a Modem or Cable/xDSL etc, that surf the web, do e-Mail and play Multiplayer Games over the Internet. If your system is used as a Web Server, or you have a Private Network setup, please consult with the links at the end of this document for use with a Firewall and Intrusion Detection software for your particular setup. If you are just connected to the Internet for normal activities as outlined above, this information will be invaluable for you. If you have multiple computers hooked up to the Internet via a private network, as mentioned above, consult the LINKS at the end of this document for more information concerning your setup.

First things first:

Win98/SE -

1. Turn OFF File & Print Sharing. If you fit the criteria above, you DO-NOT need File & Print Sharing turned on while you are on the Internet. When you install WIN95/98+, it turns these on by default (some versions). If these are on, ANYONE can access your system for any files. We recommend that if you do this, you password protect your directories at a minimum. Still feel safe???

1a. Go to START/SETTINGS/CONTROL PANEL and open the Network Icon.
1b. You should see the TAB, click on it, and make sure your File & Print Sharing is turned OFF. You probably will get another box that will say your network is not complete, ignore this, and reboot your system.
1c. After you reboot your system, go back into the Control Panel and open the Network ICON once again. You might get an error, but ignore it and continue.

In the Configuration TAB, you only need these 3 settings:

DialUp Adaptor or your NIC Card Adaptor for your Cable/xDSL Modem/Router
NetBEUI Protocol (you might have to install it)
TCP/IP Protocol

Make sure you "BIND" both NetBEUI and the TCP/IP Protocols to your particular Adaptor, and make sure you also make NetBEUI the DEFAULT PROTOCOL via the settings and check boxes. If you are not networking, also choose the WINDOWS LOGON via the Primary Network Logon box. Now is a good time to review your settings, and after you are done, simply REBOOT your system for the settings to take. You DO-NOT need anything else in your Network Configuration unless you need other protocols for certain programs to work via the Internet. With these settings, you are now more secure than the default settings.

2. Install a Firewall. A firewall is a program or piece of hardware that helps protect you while you are Online. Most people use the software based firewalls like Norton Internet Security 2001, which we HIGHLY RECOMMEND, while businesses use the more pricey hardware versions. Norton Internet Security 2001 is our personal favorite. It not only comes with a firewall, but also blocks advertising ads, comes with Norton Anti Virus 2001 (a must!) and also a very good child filter to help block the pornography sites as well as drug related sites, etc. You can get a DEMO (Try before you buy) from Symantec for NIS2001 at:

3. Install Intrusion Detection Software, like the Networkice Corporation program called BlackICE Defender. Real easy to set up and learn. They have an extensive Knowledge Base and FAQ (Frequently Asked Questions) that will guide you not only in protecting yourself, but also through any problems or questions you might have concerning the program's inner workings. Use this program with NIS2001, and you have a combination that is not only affordable, but works in real time, and behind the scenes. Works with Modems and Cable/xDSL also. You can get their DEMO at:
Please remember that the DEMO only Detects, NOT-PROTECTS, to encourage you to purchase the full product.
Networkice Corporation was purchased from in April 2001.

Protocol Hijacking:

What is Protocol Hijacking? I'm glad you asked! I just coined the phrase so to speak, but in a nutshell, it is when a trusted program is hijacked by another program, and its protocol takes over the connection already established by the trusted program, known or unknown by the user, via its own known or unknown protocol. Some people might call this session hijacking, but we are only concerned about protocol use here at this time.

Since some firewalls do not filter protocol use properly, this type of attack can happen, especially if it is generated from the inside out of the firewall in question. Typically, if a firewall is configured properly, outside intrusions will be stopped, but internal to external intrusions could be permitted if the firewall is misconfigured, has a default rule set which permits this communication by a known exploit from an old rule, or if the firewall simply does not filter the protocols by means of permissive behavior and design for only the protocol which is supposed to have this permission. This also holds true if the protocol is "not known" by the firewall, thus flagging it as "N/A or n/a". By default, protocols 0 thru 54 and 61 thru 100 are considered to be known, and all other values are unknown.

On a side note, do not install software that will not disclose what protocols it uses for communication, or if they will not disclose unknown protocols for that matter either. If they will not list how their software works based on protocol use or redirection, be VERY SUSPICIOUS. Some game vendors also employ these techniques for authorization of use, based on password or serial number registration. Although the use by the company is a good effort, don't think for a minute that some hacker/cracker/Script kiddie cannot break them and steal your serial numbers. It happens every day, especially in Quake3 based game engines, just to name one vendor and game engine. Just ask a Q3 user if they ever had a problem getting online.

Some firewalls are now employing "Path Verification & Encryption" for permitted programs, and this *should* stop this from happening. However, if a rogue program can "piggyback" another known or unknown protocol which already established the session, and exploits a known permissive rule set, it could, in theory, hijack and misdirect the already established protocol via its own custom protocol working in lieu of the known or unknown permissive protocol. One such program, in the wrong hands, disturbs me: Fpipe by: . This company keeps changing the URL to the file also. You might have to look for it a bit, or use a search engine to find it, and use the search engine's "cached web site" to view the information if they decide to delete it off their site. They tout security, but I doubt it with this file present. There simply is no need for this program unless you want your child to circumvent Dad's firewall in my humble opinion. If you want to audit your firewall from inside attacks, seek a professional company with a reputable audit package, or, at the least, use a Packet Sniffer and keep it away from your children.

This program touts not only redirection, but circumvention of firewalls as well! I'm sure if more people become aware of this potential "TROJAN", some companies will address these issues promptly in the future. Some have, some have not.

Did you know?:

Excerpt from:

Watching the Watchers
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and

By: Mark Joseph Edwards, News Editor

Do you use Ethernet switches to help protect network traffic from prying eyes? For a long time, switches have been a tactic against snoops. A switched network separates traffic so that a user on one segment can't easily sniff traffic on another segment. To sniff traffic on a switched network, a user must either place a sniffer on the actual target segment or get machines on the target segment to send traffic through your network segment or your system. Instructing a remote machine to forward packets your way used to be difficult; you had to somehow change the remote host's gateway. Not an easy task, unless you have a copy of arpredirect.

Arpredirect is an Address Resolution Protocol (ARP) poisoning tool. The tool can instruct a remote system to change its gateway address by sending the host the appropriate ARP packets. For example, an intruder can use arpredirect to instruct a remote host to forward all packets to the intruder's IP address. The intruder can analyze or save the packets, then forward them to their final destination without the remote user's knowledge.

Dug Song originally developed the arpredirect tool in December 1999. The tool is part of his dsniff package, which is available at Song's Web site ( I had forgotten about arpredirect until I recently read an article by Stuart McClure and Joel Scambray in a competing publication. The two men point out that we need to be aware of arpredirect and the entire dsniff package because it can be dangerous in the wrong hands.

In a nutshell, dsniff is the Swiss army knife of privacy invasion. The package ships with a handful of powerful tools, including urlsnarf, webspy, mailsnarf, and the dsniff tool. Urlsnarf grabs every URL that passes across the wire and stores it for later examination. Webspy can grab URLs off the wire and open the URL in your local browser window so you can follow along and view what a remote user is seeing on his or her Web browser. Mailsnarf is just as nasty as webspy--it can sniff SMTP-related packets off the wire and reassemble entire email messages into a common format that popular mail clients can read. The dsniff tool is one of the most powerful password grabbers I've seen. It can snag passwords off the wire from many different protocols, including FTP, Telnet, Web, POP3, IMAP, LDAP, Citrix ICA, pcAnywhere, SMB, Oracle SQL*Net, and numerous others.

Even though the tools found in the dsniff package are written for UNIX platforms, you still need to be aware that these tools exist because they could be used against your Windows-based networks. Song's package is incredibly powerful, whether used with good or bad intent. The tools point out a well-known problem with networks in general: malicious users can easily sniff clear text from packets to glean sensitive data. Although blocking ARP redirects and monitoring ARP traffic and tables can help protect against tools like arpredirect, those tactics are certainly not cure-alls. They help prevent packets from becoming misdirected, but most data still travels in clear text over your networks, which means localized intruders can glean sensitive data with packet-sniffing tools. To better protect your data, you must encrypt it at some level before sending it out on the wire, and you must use sniffer-detecting tools to help stop the snoops.

The decision about which tactics to use for data protection depends on your data and your organization, so I can't give you much more advice on the matter. Just be aware that ARP poisoning and data sniffing are real problems that you need to guard against.

From the Author:
Although this excerpt was aimed at other operating systems, it still applies to Windows users also. Still, this is just one other tool out on the tangled web of the Internet which can do nasty things to people when applied by a malicious person, or a group of them....aimed at you or your beloved network.
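
The excerpt mentions monitoring ARP tables as one defense against tools like arpredirect. The sketch below is an added example, not part of the original article or the quoted newsletter: it compares two saved copies of `arp -a` output and reports when the gateway's hardware address changes or when one hardware address answers for several IP addresses. The sample tables, addresses and function names are constructed for illustration.

```python
import re

# One table row: IP address, hardware (MAC) address, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

def parse_arp_table(text):
    """Turn saved `arp -a` output into {ip: mac}; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ip, mac, _kind = m.groups()
            table[ip] = mac.lower().replace(":", "-")
    return table

def arp_alerts(before, after, gateway):
    """Compare two snapshots and describe changes that suggest ARP poisoning."""
    alerts = []
    old, new = before.get(gateway), after.get(gateway)
    if old and new and old != new:
        alerts.append(f"gateway {gateway} changed from {old} to {new}")
    # A poisoned table usually shows the intruder's MAC twice: once for the
    # intruder's real IP and once for the address being impersonated.
    owners = {}
    for ip, mac in after.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for several addresses: "
                          + ", ".join(sorted(ips)))
    return alerts

# Constructed sample snapshots (documentation MAC range, private IPs).
SNAPSHOT_BEFORE = """
Interface: 192.168.1.10 on Interface 0x1000002
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-5e-00-53-01     dynamic
  192.168.1.20          00-00-5e-00-53-14     dynamic
  192.168.1.77          00-00-5e-00-53-4d     dynamic
"""

SNAPSHOT_AFTER = """
Interface: 192.168.1.10 on Interface 0x1000002
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-5e-00-53-4d     dynamic
  192.168.1.20          00-00-5e-00-53-14     dynamic
  192.168.1.77          00-00-5e-00-53-4d     dynamic
"""

def demo():
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    return arp_alerts(before, after, gateway="192.168.1.1")

if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```
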

Back-Tracing the Bad Guys:

Once you get familiar with your programs, you can start back-tracing these IP Numbers in order to find out who they have their Internet connection through, and where. If you know the IP Number that is constantly hounding your system, but your firewall is doing its job by blocking them, and you are just curious as to who is doing this to you, use these links to help you out if you don't have a back tracer program. They will back trace the IP Number, hopefully, to the ISP which they use, in order for you to submit more proof to them concerning the offending IP Number holder at that time.

Keep in mind, however, that some firewalls and intrusion detection software like BlackICE Defender try to do this on their own.

SmartWhoIs - Does it all and works in CommView!:

Sam Spade LookUp Tools:





Latitude & Longitude of IP Number :


Tiny Personal Firewall (TPF)

Tiny Personal Firewall is one of those firewalls that tend to stand out from the crowd. In fact, some branches of the U.S. Military have employed its use on some of their computers! This firewall is exactly what the name implies: TINY! But do not let that fool you folks! TPF is packed full of features that ALL firewalls should use in their products. TPF loads at the lowest level of the operating system (technically, this is a good thing!) just above the physical hardware drivers to protect your computer before any other software is loaded. Not only that, but here are some of its technical features at a glance:

Multi-Layer Security Protection (NDIS & TDI):
Since the DSE resides on each computer in the network, it communicates directly
with the operating system and negotiates what applications are even allowed to
transmit and/or receive data.

MD5 Signature Support:
As the DSE mandates what applications can bind for communication, it can also
check for an MD5 digital signature for permitted applications. This ensures that
Trojan horse applications cannot gain access by using the name of a permitted application.

Stateful Filtering based on SRC/DST IP Address, Port & Application:
The DSE maintains a record of all sent packets and can therefore compare incoming
packets to the record table to determine if they were requested. Additionally, the
DSE can restrict applications to certain ports or destination IP addresses.

Remote Access to Logs and Statistics:
The DSE contains a separate statistic view that displays all active sessions and
includes the status, port, remote IP, application or service and the time associated
with each session. Logs may be viewed from the statistics view or sent directly to a
syslog server for analysis and reporting.

Suspicious Activity Monitoring and Intrusion Detection:
The Tiny DSE contains a highly configurable reporting mechanism that can report
specific intrusion attempts, or any other type of communication deemed suspicious,
to a syslog server or to the CMDS server through an SSL connection.

Cool Stuff:

1. Certified Windows 9x/2000/ME/NT
2. Rule Based & Loads at the Lowest level of the OS, just above the Physical Hardware Drivers
3. Fits on a Floppy Disk
4. MD5 Signatures
5. Administrator Defined Protocol Rules, 0-255
6. Static OR Timed Firewall Rules
7. Remote Administration
8. Gateway selection
9. Extensive Logging and Unused Port Logging
10. Firewall Rules Backup, seamlessly
11. Update Installation OVER existing Versions

All in all, I rate this product ABOVE NIS2001 for ease of use, small footprint, and the features it uses. However, just like all Rule Based Firewalls, newcomers to the firewall market need to understand how firewall rules work, and which services/ports/protocols to permit/deny. For the veteran firewall user, these features are welcomed.

The company also has a FREE version for personal use.

Here are some things that I personally think need improving:

1. Filtering capability for Port:0 (ZERO)
2. More Extensive HELP in the documents
3. System Tray ICON Selection for stopping all Network Activity and Timed Rule Events
4. Update the Reseller Servers with Updated Versions in a Timely manner
5. Providing Updates via the Web site, and NOT just their Yahoo NewsGroup
6. Range Selection for Protocols 0-255/Protocols 0-255 Application Specific Filters
7. Filters for TCP/IP and UDP Flags
8. ARP/RARP Filters plus ARP/RARP Filters and their Flags
9. Provide MAC ADDRESS Filters PLUS MAC ADDRESS Ranges/Lists
10. Fix the "TCP ACK" exploit in TPF version 2.0.15 (confirmed)
11. Run their YAHOO Forum Securely. It has been known that the people
in charge of the TPF Yahoo Forum PERMIT people to post File Attachments
laden with exploits, and also Viruses. Why wouldn't the company make its

They also allow nasty people to post Files to their FILE SECTION. I point you
to the Proxomitron that they permitted to be displayed
on their Yahoo Forum. Personally, this is not only unprofessional, but not called
for. The poster they are discussing has posted FACTS, and has helped
countless people. It just looks like this company is now crying foul to those
that post facts about the security holes and exploits in their product, and don't
even consider these facts as presented with unmistakable proof presented to them
about these SERIOUS PROBLEMS. I, therefore, do not endorse the use of their so
called Yahoo Forum, under ANY circumstances until they act like professionals,
as they so call themselves, in the Internet Security realm.

Simply put folks, this firewall is good, but their tech support is lousy, and
their Yahoo Forum is one of the most unprofessional that I have seen to date.
It was good at one time, but it has fallen to the wolves lately......
Use it at your own risk, and I do mean risk here folks.
I recommend that people ONLY use the software that they advertise to the public on their Web Site.
Not on their Yahoo Forum site.

Tiny Personal Firewall (FREE!):

Tiny Personal Firewall Yahoo News Group :

Sample Firewall Rules & Info:

Deny every communication unless you explicitly know what communications, either Inbound/Outbound, that you will permit. These rules are for example only, and do not constitute a pure secure firewall! The author suggests you deny everything until you are fully aware of the impacts, if any, that certain services/ports will have on your system.

Below you will find a simple starting point for a firewall, with the basic ports/services needed to function properly on the well known used ports. Remember, when your computer REQUESTS a service, like when you view a Web Page, it will ask for that service on Port 80 OUTBOUND, to the SERVER, but your computer SHOULD get that Web Page on Ports ABOVE PORT 1023, INBOUND ONLY. In other words, you ask for the service on your System/Well Known ports BELOW 1024, but get them ABOVE 1023, starting with Port 1024. Example:

1. Your Computer requests for a Web Page at on Port 80.
2. sends back that Web Page, to your computer, on Port 1024 or other ports above 1024.

The Port Numbers are divided into 3 ranges: The Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports:

1. The System (Well Known) Ports are those from 0 through 1023.
2. The User (Registered) Ports are those from 1024 through 49151.
3. The Dynamic and/or Private Ports are those from 49152 through 65535.

Permit Inbound/Outbound Ports:

20 ftp-data TCP In (Used with port 21 for permitting downloads of files)
21 ftp TCP Out (Used with port 20 for starting downloading files)
25 smtp TCP Out (Used for e-mail, Use your ISP's IP NUMBERS, NOT its NAME!)
53 domain UDP In/Out (Used for your ISP's DNS Domain Name Server. Use your ISP's IP NUMBERS, NOT its NAME!)
67&68 bootps/bootpc TCP and UDP In/Out (Only permit this if you get your IP assigned automatically from your ISP with DHCP. Use your ISP's IP Numbers, not its NAME! You can safely block these if you have FIXED/STATIC IP Number)
80 http TCP Out (Used for viewing web pages via the Internet)
110 pop3 TCP Out (Used for e-mail, Use your ISP's IP NUMBERS, NOT its NAME!)
113 auth TCP Out (Sometimes used with e-mail for authentication. Most ISP's don't use it any longer. Call your ISP for Info.)
443 https TCP Out (Used for viewing Secure Web Sites. Note the lock icon in browsers. Use ONLY on Trusted Sites, Use IP NUMBERS if possible, NOT NAMES!)

Block Inbound/Outbound Ports Unless Needed:

0 - 19 TCP and UDP In/Out
22 - 24 TCP and UDP In/Out
26 - 52 TCP and UDP In/Out
53 TCP In/Out
54 - 79 TCP and UDP In/Out
81 - 109 TCP and UDP In/Out
111 - 442 TCP and UDP In/Out
444 - 1023 TCP and UDP In/Out
49152 - 65535 TCP and UDP In/Out (Some Multiplayer Games and services do use these upper ports. Use your own judgement based on your trust of the web site and or program/service provided by them.)

We also suggest that you place your OUTBOUND RULE FIRST, then your INBOUND Rule BELOW the OUTBOUND Rule in question. This way, YOUR COMPUTER is REQUESTING the DATA FIRST, then the other computer sends it. Not the other way around.

The ports ranging from 1024 - 49151 are used for various purposes, including browsing the web, e-mail, etc. Some of these ports are used for nasty things as well. Make sure you have a good Anti-Virus/Anti-Trojan program running in order to help protect you from these nasty ports. Just because a certain port listed in the nasties is being used by your computer does not necessarily mean you have been hacked, unless the Anti-Virus/Anti-Trojan program has warned you that you were. Basically, if you set your firewall up to block all incoming traffic that you did not request, you should be protected. Most Stateful Firewalls do this on their own, however.

Some people also make Firewall Rules to block all incoming ports listed by the Anti-Virus/Anti-Trojan programs to further protect themselves with the Anti-Virus/Anti-Trojan programs when browsing the web. This is a lot of typing, but in the end, it does give one peace of mind, for that "what-if" scenario.

We also highly suggest that you make a firewall rule to "BLOCK ALL TCP and UDP Inbound" communication as your LAST-RULE in your custom rules list. Gamers might want to temporarily "unblock" that last rule when playing games via the Internet, however. Just re-enable the block rule when you are finished playing if need be.
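
The rule ordering described above (outbound permits first, "BLOCK ALL TCP and UDP Inbound" last, replies arriving on ports above 1023 only when requested) can be modelled in a few lines. This is an added example, not code from the original article or from any firewall product: the `Rule`, `Packet` and `Firewall` names are hypothetical, the rule list is narrowed to the outbound client services from the permit table, and the packets use constructed documentation addresses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "block"
    direction: str   # "out" or "in"
    proto: str       # "tcp", "udp" or "any"
    ports: range     # remote (service) ports the rule covers
    note: str

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = sent by this PC, "in" = arriving at it
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int

ALL_PORTS = range(0, 65536)

# Outbound rules first, the inbound block as the LAST rule.
RULES = [
    Rule("permit", "out", "tcp", range(21, 22), "ftp control"),
    Rule("permit", "out", "tcp", range(25, 26), "smtp"),
    Rule("permit", "out", "udp", range(53, 54), "dns"),
    Rule("permit", "out", "tcp", range(80, 81), "http"),
    Rule("permit", "out", "tcp", range(110, 111), "pop3"),
    Rule("permit", "out", "tcp", range(443, 444), "https"),
    Rule("block", "in", "any", ALL_PORTS, "last rule: block all inbound"),
]

class Firewall:
    """First matching rule wins; anything that matches no rule is denied."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # state table: connections this PC started

    def check(self, pkt):
        """Return (verdict, reason) for one packet."""
        flow = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        # Stateful step: an inbound packet is accepted only if it belongs
        # to a connection that a permitted outbound request opened.
        if pkt.direction == "in" and flow in self.flows:
            return "permit", "reply to a connection this PC requested"
        for rule in self.rules:
            if (rule.direction == pkt.direction
                    and rule.proto in ("any", pkt.proto)
                    and pkt.remote_port in rule.ports):
                if rule.action == "permit" and pkt.direction == "out":
                    self.flows.add(flow)
                return rule.action, rule.note
        return "block", "default deny: no rule matched"

def demo():
    """Run constructed sample packets through the rule set, in order."""
    fw = Firewall(RULES)
    packets = [
        Packet("out", "tcp", 1024, "192.0.2.10", 80),    # web page request
        Packet("in", "tcp", 1024, "192.0.2.10", 80),     # the page coming back
        Packet("in", "tcp", 1024, "203.0.113.5", 80),    # unrequested, other host
        Packet("out", "tcp", 1025, "198.51.100.7", 23),  # telnet, no permit rule
        Packet("in", "udp", 137, "203.0.113.5", 137),    # unrequested probe
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:6} {reason}")
```
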

Remember, the above is just a starting point for firewall rules. Some people will definitely use other ports/services based on their needs, as well as their ISP's needs, games, chat, networking and others. We suggest you call your ISP and ask them what ports/services they need for you to permit, and why they need them enabled. If an ISP will not discuss this in great detail, and for what reasons they need certain ports/services enabled, we suggest you shop for another ISP. Believe it or not, some disgruntled employees or ex-employees of an ISP have hacked their customers. This can happen during normal hours of operation, and especially, after hours of the ISP. Ask those questions, log the activity, and trust no one. This is the safest thing to do in order to protect your beloved data. Deny first, question, and enable when you trust.....should be your policy.

Other Ports/Services that you should filter/block for INBOUND REQUESTS:

DNS 53 (TCP) zone transfers.
tftpd 69 (UDP)
link 87 (TCP) commonly used by intruders.
SunRPC & NFS 111 and 2049 (TCP and UDP)
BSD UNIX "r" cmds 512 through 514 (TCP)
lpd 515 (TCP)
uucpd 540 (TCP)
openwindows 2000 (TCP and UDP)
X windows 6000 - 6255 (TCP and UDP)
telnet 23 (TCP and UDP)

suggests that sites filter port 53 TCP DNS in order to thwart zone transfers.
Permit access to DNS Port 53 (TCP) ONLY from known secondary DNS servers. This prevents intruders from gaining additional knowledge about systems connected to your local network.

When making connections to localhost, SSH disables host key checking to provide compatibility with NFS filesystems. As a result, if the victim's machine uses a poisoned DNS server to resolve localhost, it is possible to redirect the victim's SSH session to a different host.
In most SSH clients, users are asked to confirm the acceptance of a host key the first time it is presented. If the user accepts the host key, they are asserting that the key represents the host they intended to connect to. But if an attacker exploits this vulnerability, the victim will not be asked for this confirmation because host key checking has been disabled. Therefore, even the most attentive users will not be able to detect that they have been redirected.

Impact: Attacker can redirect a victim's SSH connection to an arbitrary host.

Solution: Do not use DNS to resolve "localhost". Instead, explicitly configure all hosts to use for localhost. For Windows, you can check the HOSTS.SAM file (the sample file) in the windows directory. In simple terms, localhost is the alias name for your computer's address, which is not routable, and should not be, to the outside world. Firewalls use the Loopback rule so that your computer can pass traffic through itself, and also for testing rules that you have made via your firewall. Make sure your hosts file (not the HOSTS.SAM file, because it is the SAMPLE file) has an entry like below: localhost

Use one space after , and you can even add a space after localhost and enter the "#" sign plus a small comment like: localhost # my computer address ....for a reminder of what the entry is for.

On a side note, when you make a loopback rule, only make it for talking to itself like this: <=> TCP/IP and UDP

The above translates as this: Permit communication to from using BOTH TCP/IP and UDP protocols, BOTH Inbound/Outbound communication. Since you already have the entry in the HOSTS file, localhost will be translated to for security reasons, and will not resolve its alias name via your ISP's DNS server. IMPORTANT NOTE!: MAKE SURE YOU RENAME THE hosts FILE WITH NO EXTENSION! IN OTHER WORDS, IT WILL HAVE A NAME OF hosts ONLY, WITH NO EXTENSION! THE HOSTS.SAM FILE IS A SAMPLE FILE, NOT THE WORKING hosts FILE!
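A check for the hosts file advice above, as an added example that is not part of the original document. The address in the page's own entry did not survive, so the check relies on the standard loopback block (127.0.0.0/8) through Python's ipaddress module; the function name and the sample file contents are constructed.

```python
from ipaddress import ip_address


def localhost_findings(hosts_text, filename="hosts"):
    """Return a list of problems with how a hosts file pins the name localhost."""
    findings = []
    # The working file has no extension; HOSTS.SAM or hosts.txt is ignored by Windows.
    if filename.lower() != "hosts":
        findings.append(f"{filename}: not the working file, which must be named hosts with no extension")
    entries = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop the trailing comment
        if len(fields) >= 2 and "localhost" in (name.lower() for name in fields[1:]):
            entries.append((lineno, fields[0]))
    if not entries:
        findings.append("no active localhost entry: the name is left to DNS")
    for lineno, addr in entries:
        try:
            pinned = ip_address(addr).is_loopback
        except ValueError:
            pinned = False  # not an IP address at all
        if not pinned:
            findings.append(f"line {lineno}: localhost points at {addr}, not a loopback address")
    return findings


# Constructed sample files.
GOOD_HOSTS = "127.0.0.1 localhost # my computer address\n"
COMMENTED_OUT = "# 127.0.0.1 localhost\n"
REDIRECTED = "127.0.0.1 localhost\n203.0.113.9 localhost\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("commented out", COMMENTED_OUT),
                        ("redirected", REDIRECTED)):
        print(label, localhost_findings(text))
    print("sample file", localhost_findings(GOOD_HOSTS, "HOSTS.SAM"))
```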

CERT has also handled incidents that involve automated TFTP attempts. Many of the systems affected were using the TFTP daemon to boot other devices. Filtering TFTP connections would have protected the computers from this attack.

The X windows sockets range from 6000 to 6255.

If your site does not need to provide other services to external users, you should filter them or at least deny them. We also suggest that you filter (telnet port 23) if you need it, (ftp port 21 UDP) and (ftp-data port 20 UDP). The latter two are used for file transfers and normally use (TCP). Remember, if you don't know which Ports/Services you should permit, simply DENY them until further research points you in the right direction.

Some of these Rules might not work for your particular needs. Please consult the links at the end of this document for more in depth discussion on PORTS and what they do. Also, if you want the web site Hacker Whacker to scan your system for open ports and possible security issues, you MUST UNBLOCK PORT 4000 in order for it to scan your system.

When in doubt, block BOTH TCP/UDP for a service that you do not know if it uses TCP/IP or UDP protocols. When you do find out which protocol it uses, simply change it to reflect which protocol by editing your rule.

Router Information:

Address Allocation for Private Internets
RFC 1918 requests that organizations make use of the private Internet address space for hosts that require IP connectivity within their enterprise network, but do not require external connections to the global Internet. For this purpose, the IANA has reserved the following three address blocks for private internets: - (10/8 prefix) - (172.16/12 prefix) - (192.168/16 prefix)

Any organization that elects to use addresses from these reserved blocks can do so without contacting the IANA or an Internet registry. Since these addresses are never injected into the global Internet routing system, the address space can simultaneously be used by many different organizations.

The disadvantage to this addressing scheme is that it requires an organization to use a Network Address Translator (NAT) for global Internet access. However, the use of the private address space and a NAT make it much easier for clients to change their ISP without the need to renumber or "punch holes" in a previously aggregated advertisement. The benefits of this addressing scheme to the Internet is that it reduces the demand for IP addresses so large organizations may require only a small block of the globally unique IPv4 address space.

Want to know the low-down on IP stuff?:
IP Information:

xDSL/Cable users should be aware that simply "unplugging" your always-on connection and shutting down your computer while not in use is the safest thing to do. If your computer is not doing any mission critical tasks, and does not need to be operated 24/7, JUST UNPLUG THE MODEM if your ISP permits it.

ANTI-SPOOF: Stop a nasty from hacking your computer, by FAKING they are YOUR COMPUTERS PRIVATE IP ADDRESSES or are the Experimental and UNUSED IP Ranges!

Another very important thing for you Cable/DSL users: if you have a Static IP (one that doesn't change) you can make a rule to Block both TCP/IP & UDP Inbound set to your IP Number FROM your IP Number. This way, a Script kiddie cannot Spoof your IP Number and have some bad stuff come down on you (the innocent victim) because some smarty pants stole your IP Number, and went on a spamming e-mail rampage, or worse yet, did something very bad, and they were pretending they were you or used you for an attack. Create Anti-Spoof rules! You should start by blocking IP NUMBERS to these IP NUMBERS in these ranges:

1. Block INBOUND from your IP NUMBER to your IP NUMBER
4. Block INBOUND/OUTBOUND from IANA, assigned NON-ROUTABLE, reserved IP addresses for private networks:
(Block INBOUND/OUTBOUND except for the internal IP NUMBERS that you assign, if you use a Router) - (10/8 prefix) - (172.16/12 prefix) - (192.168/16 prefix)

The following is a list of Source Addresses that should be filtered also: - - Historical Broadcast - RFC 1918 Private Network - Loopback - Link Local Networks - RFC 1918 Private Network - TEST-NET - RFC 1918 Private Network - Class D Multicast - Class E Reserved - Unallocated - Broadcast

Personally, I recommend BLOCKING IP Ranges from: - as outlined above, but more broad, including the Experimental IP's in the 240+ ranges also. is Loopback IP used with, which is normal FROM your computer.

If you are using Network Address Translation (NAT), you need to make sure that you perform this filtering between your NAT device and your ISP, and you should also verify that your NAT device configuration only translates address used and authorized for your internal address space.

NOTE: Please keep in mind that you should only filter those IP NUMBERS which you want to protect for either INBOUND or OUTBOUND communication or BOTH, where warranted. If you block your LAN IP ADDRESS NUMBER "BOTH" ways, some Routers might not work. We suggest that you block it INBOUND ONLY, from itself, below your other rules. The same technique also applies to your LAN/WAN SUBNET MASK IP Numbers. If you have a "STATIC IP", one that does not change from your ISP, we also suggest that you "BLOCK" all other DHCP IP NUMBERS not assigned by your Router. EXAMPLE:

You have a "STATIC IP NUMBER" and do not use the DHCP feature of your Router to assign other IP NUMBERS to other outside clients. You have them "FIXED". Some people do this if they have two or more computers "sharing" the same Router, like the LinkSys BEFSR41/81 Routers. They have a static IP NUMBER, but they do not intend to use file/print sharing between them. They want "SHARED ACCESS" to the Internet only. They do this in order to setup Multiplayer Games/Simulations on one computer, so they can connect to the other without undue LAG by setting up just one computer, and hogging all of the resources by the same computer. So, what you do is, "BLOCK" any other IP NUMBERS not explicitly permitted access from the outside masquerading as Internal DHCP IP's, thus, trying to "SPOOF" their way in:

Your LAN IP Range: 192.168.1.x -
First Computer:
Second Computer:

With the example above, you know that the only Internal Computers that need access for BOTH INBOUND/OUTBOUND communication are and ALL OTHERS SHOULD BE DENIED WITH THE EXCEPTION OF WHICH IS YOUR LAN IP ADDRESS NUMBER OR ROUTER LOGGING IP NUMBER, IF IMPLEMENTED OR ASSIGNED VIA YOUR ROUTER. The two mentioned Routers above use the LOGGING feature which uses its own Internal IP NUMBER. If you do not plan on using it, deny it also, and disable that feature in the Router as well.
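The anti-spoof rules and the fixed internal address example above, as an added example that is not part of the original document. The address column of the page's source-address list did not survive, so the prefixes are the standard blocks for each label the page names (the "Unallocated" entry is left out); the public IP, the internal hosts and the function names are constructed.

```python
from ipaddress import ip_address, ip_network

# Labels follow the page's list of source addresses to filter.
FILTERED_SOURCES = [
    (ip_network("0.0.0.0/8"), "historical broadcast"),
    (ip_network("10.0.0.0/8"), "RFC 1918 private network"),
    (ip_network("127.0.0.0/8"), "loopback"),
    (ip_network("169.254.0.0/16"), "link local networks"),
    (ip_network("172.16.0.0/12"), "RFC 1918 private network"),
    (ip_network("192.0.2.0/24"), "TEST-NET"),
    (ip_network("192.168.0.0/16"), "RFC 1918 private network"),
    (ip_network("224.0.0.0/4"), "class D multicast"),
    # 240.0.0.0/4 also contains the broadcast address 255.255.255.255.
    (ip_network("240.0.0.0/4"), "class E reserved"),
]

# Constructed values for the example.
OWN_IP = "198.51.100.20"                                  # our static IP
ASSIGNED = ("192.168.1.1", "192.168.1.2", "192.168.1.3")  # router, first and second computer


def classify_source(src, own_ip, assigned_internal=()):
    """Return (action, reason) for the source address of an inbound packet."""
    source = ip_address(src)
    # Rule 1: nothing arriving from outside can legitimately carry our own address.
    if source == ip_address(own_ip):
        return "block", "spoof of our own address"
    # Exception: internal addresses we assigned ourselves (fixed, no DHCP).
    if source in {ip_address(host) for host in assigned_internal}:
        return "permit", "explicitly assigned internal host"
    # Everything else in a private, reserved or non-routable block is spoofed or misrouted.
    for network, label in FILTERED_SOURCES:
        if source in network:
            return "block", label
    return "permit", "routable source"


def review(sources, own_ip, assigned_internal=()):
    """Classify a batch of inbound source addresses; returns (src, action, reason) tuples."""
    return [(src, *classify_source(src, own_ip, assigned_internal)) for src in sources]


# Constructed inbound source addresses.
SAMPLE_SOURCES = [
    "198.51.100.20",    # our own IP coming back at us
    "192.168.1.2",      # first computer
    "192.168.1.77",     # LAN range, but never assigned
    "10.9.8.7",
    "172.31.255.1",     # last /16 inside 172.16/12
    "172.32.0.1",       # just outside 172.16/12
    "255.255.255.255",
]

if __name__ == "__main__":
    for src, action, reason in review(SAMPLE_SOURCES, OWN_IP, ASSIGNED):
        print(f"{src:<16} {action:<7} {reason}")
```

The 192.168.1.77 case is the one the fixed-address setup is for: it sits in the LAN range but was never assigned, so it is denied like any other private source.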

This technique is not used for "Quick and Dirty DHCP LAN-PARTIES" whereby people use DHCP to setup and run their LAN-PARTIES fast. I do not recommend this approach for security reasons. If you are going to setup a LAN-PARTY, do it the RIGHT WAY, for not only your protection, but for your LAN-GUESTS too!

Useful Links:

Firewalls & Intrusion Detection Software -

Tiny Personal Firewall (FREE):

Norton Internet Security 2001:

BlackICE Defender:

Zone Alarm Firewall (FREE):

Sygate Personal Firewall (FREE):

Conseal PC Firewall:

PGP Gauntlet Firewall: Personal Firewall:

Wingate :

Internet Firewall 2000 :

Microsoft ISAS2000 for Win2K:

Hardware Firewalls -

ZyWall-10 Firewall:

Intel Express 8205 Router (Stateful/VPN Firewall):

LinkSys Routers:

SOHOware BroadGuard Secure Cable/DSL Router (Stateful Firewall):

SonicWALL Firewall/Router:

UGate-3000 Firewall/Router:

NetScreen-5 Firewall:

LuciGate Firewall:

Trendware International TW100-W1CA Firewall/Router:

Router Reviews & INFO:

Firewall Scanning/Testing Web Sites -

Hacker Whacker :

ShieldsUp!! :

Virtual Suicide :

WebTrends Security Analyser :

DSL Reports :

NetCop :

Nmap Security Scan :

Secure Me :

Sygate Tech :

Related Web Sites & INFO -

Firewall Info :

Intrusion Detection Info :

Internet Privacy :

CERT Win95/98 Security:

Forum of Incident Response and Security Teams :

Port Numbers :

Microsoft Security :

WWW Security :

Finjan :

Smart Watch OS Encryption and File Monitoring:

AntiOnline :

ClearICE :

Computer Security and LAW :

Internet Corporation for Assigned Names and Numbers :

Attack, Hacking, and Exploit Information :

National Infrastructure Protection Center :


SANS Institute Online :

TerraNetworks :

Web AD Blocking :

WebGuardian :

ICSA Information Security :

ZDNet PC Week - Security :

VeriSign :

MS Proxy Server Security Paper :

NT Security FAQ :

RFC2196 - Site Security Handbook :

RootShell :

Security and Encryption Resources :

Intrusion Detection Systems :

This document has been prepared for the typical, normal, everyday user of the Internet who uses Win95/98+ systems. Arming yourself with the proper knowledge about the Internet, and how it works, is the safest thing to do. Keeping your Operating System, Anti-Virus, Firewall and Intrusion Detection software current, and up to date, is the number one priority for the home user against threats from the Internet, or offline. We HIGHLY suggest that you browse the provided links for more in-depth analysis concerning these issues, as well as reading and understanding the software/hardware that you use to combat these possible threats. This document does not guarantee that it is 100 percent accurate, implied or otherwise. It is YOUR JOB to research these issues, and implement what YOU think is necessary to ensure a happy and safe Internet experience. The links provided are for your reference and may change. Please ensure that you visit your favorites from time to time in case they change their linked locations in order to keep you current on that particular web site's changes, if any.

Acronyms and Abbreviations

ARP - Address Resolution Protocol
ARPANET - Advanced Research Projects Agency Network
ASCII - American Standard Code for Information Interchange
ATM - Asynchronous Transfer Mode
BGP - Border Gateway Protocol
BSD - Berkeley Software Development
CCITT - International Telegraph and Telephone Consultative Committee
CERT - Computer Emergency Response Team
CIX - Commercial Internet Exchange
DARPA - Defense Advanced Research Projects Agency
DNS - Domain Name System
DoD - U.S. Department of Defense
FAQ - Frequently Asked Questions
FDDI - Fiber Distributed Data Interface
FTP - File Transfer Protocol
FYI - For Your Information
GOSIP - U.S. Government Open Systems Interconnection Profile
HTML - Hypertext Markup Language
HTTP - Hypertext Transfer Protocol
HTTPS - Hypertext Transfer Protocol Secure
IAB - Internet Activities Board
IANA - Internet Assigned Numbers Authority
ICMP - Internet Control Message Protocol
IDS - Intrusion Detection System/Software
IESG - Internet Engineering Steering Group
IETF - Internet Engineering Task Force
IGMP - Internet Group Message Protocol
IP - Internet Protocol
ISO - International Organization for Standardization
ISOC - Internet Society
ISP - Internet Service Provider
ISS - Internet Security Scanner
ITU-T - International Telecommunication Union Telecommunication Standardization Sector
MAC - Medium (or media) access control
Mbps - Megabits (millions of bits) per second
NAT - Network Address Translation
NICNAME - Network Information Center Name Service
NSF - National Science Foundation
NSFNET - National Science Foundation Network
NMAP - Popular Port Scanning Program
OSI - Open Systems Interconnection
OSPF - Open Shortest Path First
PCMCIA - Personal Computer Memory Card International Association
PPP - Point-to-Point Protocol
RARP - Reverse Address Resolution Protocol
RIP - Routing Information Protocol
RIP2 - Routing Information Protocol 2
RFC - Request For Comments
SATAN - Security Analysis Tool for Auditing Networks
SLIP - Serial Line IP
SMDS - Switched Multimegabit Data Service
SMTP - Simple Mail Transfer Protocol
SNMP - Simple Network Management Protocol
STD - Internet Standards series of RFC's
TCP - Transmission Control Protocol
TLD - Top-Level Domain
UDP - User Datagram Protocol

This document is what IANA calls a "living document". What that simply means,
is that Services/Ports can change from day to day by assignments to companies
that request Services/Port assignments from IANA. What the user must know, is
that this list will/can change from day to day. It is the end user's responsibility
to check and recheck with IANA regarding these changes in order to keep current
with IANA assignments. You can get updated information regarding these changes
from IANA at:

This document will first start with Services/Ports for Windows users. These are
the common ports, but please remember, that these too, can change in the future
when new technologies require them. Windows users also have a file located on their
computers called the SERVICES file. This file also contains services/ports that
it uses, if any, by the individual that requires them. You can view this file
with any .txt editor or even Wordpad to view them. We HIGHLY SUGGEST that people
print out this document and add/update these services/port assignments to keep
current with new technologies that get updated by IANA and/or the appropriate
authorities that will assign them in the future.

Below you will find some ports that firewalls use for Windows users:

http 80 HTTP
www 80 HTTP
www-http 80 HTTP
http-alt 800 HTTP
http-alt-1 8008 HTTP
http-proxy 8080 Often used as HTTP proxy
http-proxy-1 8088 Often used as HTTP proxy
http-mgmt 280 HTTP management
https 443 HTTPS server
gss-http 488 HTTP misc
fmpro-http 591 HTTP misc
ftp-data 20 File Transfer
ftp 21 File Transfer
http-rpc-epmap 593 HTTP misc
bootps 67 Bootstrap Protocol Server
bootpc 68 Bootstrap Protocol Client
dcom 135 Microsoft RPC end point to end point mapping
ldap 389 Lightweight Directory Access Protocol
video 458 Connectix and Quick Time Streaming protocols
video-1 545 Connectix and Quick Time Streaming protocols
rtsp 554 Real Time Stream Protocol
mountd 709 NFS mount daemon
pcnfsd 721 PC NFS Daemon
irc 194 Internet Relay Chat protocol
irc-serv 529 Internet Relay Chat protocol
ircs 994 Internet Relay Chat protocol
ircu 6665 Internet Relay Chat protocol
ircu-1 6666 Internet Relay Chat protocol
ircu-2 6667 Internet Relay Chat protocol
ircu-3 6668 Internet Relay Chat protocol
ircu-4 6669 Internet Relay Chat protocol
socks 1080 Socks
lotusnote 1352 Lotus
ms-sql-s 1433 Microsoft misc
ms_sql-m 1434 Microsoft misc
ms-sna-server 1477 Microsoft misc
ms-sna-base 1478 Microsoft misc
orasrv 1525 Oracle
tdisrv 1527 Oracle
coauthor 1529 Oracle
nsvt 1537 HP's NSVT native protocol
nsvt-stream 1570 HP's NSVT TCP stream mode
remote-winsock 1745 Remote Winsock Proxy
netshow 1755 Microsoft's NetShow
SMTP 25 Simple Mail Transfer
telnet 23 Telnet
Pop3 110 Post Office Protocol
icq 4000 ICQ chat program
aol 5190 America Online
aol-1 5191 America Online
aol-2 5192 America Online
aol-3 5193 America Online
aol-4 11523 America Online
pc-anywhere-data 5631 pcAnywhere data port
pc-anywhere-status 5632 pcAnywhere status port
xserver 6000 X Server
vdolive 7000 VDOLive Player
msbd 7007 Microsoft MSBD (related to NetShow)
realaudio 7070 Real Networks Real Audio
quake 26000 Quake server game
quake2 27910 Quake2 server game
quake2-2 27911 Quake2 server game

Common Windows SERVICES file, RFC 1060 (Assigned Numbers):

echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
qotd 17/tcp quote
qotd 17/udp quote
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
rlp 39/udp resource # resource location
name 42/tcp nameserver
name 42/udp nameserver
whois 43/tcp nicname # usually to sri-nic
domain 53/tcp nameserver # name-domain server
domain 53/udp nameserver
nameserver 53/tcp domain # name-domain server
nameserver 53/udp domain
mtp 57/tcp # deprecated
bootp 67/udp # boot program server
tftp 69/udp
rje 77/tcp netrjs
finger 79/tcp
link 87/tcp ttylink
supdup 95/tcp
hostnames 101/tcp hostname # usually from sri-nic
iso-tsap 102/tcp
dictionary 103/tcp webster
x400 103/tcp # ISO Mail
x400-snd 104/tcp
csnet-ns 105/tcp
pop 109/tcp postoffice
pop2 109/tcp # Post Office
pop3 110/tcp postoffice
portmap 111/tcp
portmap 111/udp
sunrpc 111/tcp
sunrpc 111/udp
auth 113/tcp authentication
sftp 115/tcp
path 117/tcp
uucp-path 117/tcp
nntp 119/tcp usenet # Network News Transfer
ntp 123/udp ntpd ntp # network time protocol (exp)
nbname 137/udp
nbdatagram 138/udp
nbsession 139/tcp
NeWS 144/tcp news
sgmp 153/udp sgmp
tcprepo 158/tcp repository # PCMAIL
snmp 161/udp snmp
snmp-trap 162/udp snmp
print-srv 170/tcp # network PostScript
vmnet 175/tcp
load 315/udp
vmnet0 400/tcp
sytek 500/udp
biff 512/udp comsat
exec 512/tcp
login 513/tcp
who 513/udp whod
shell 514/tcp cmd # no passwords used
syslog 514/udp
printer 515/tcp spooler # line printer spooler
talk 517/udp
ntalk 518/udp
efs 520/tcp # for LucasFilm
route 520/udp router routed
timed 525/udp timeserver
tempo 526/tcp newdate
courier 530/tcp rpc
conference 531/tcp chat
rvd-control 531/udp MIT disk
netnews 532/tcp readnews
netwall 533/udp # -for emergency broadcasts
uucp 540/tcp uucpd # uucp daemon
klogin 543/tcp # Kerberos authenticated rlogin
kshell 544/tcp cmd # and remote shell
new-rwho 550/udp new-who # experimental
remotefs 556/tcp rfs_server rfs# Brunhoff remote filesystem
rmonitor 560/udp rmonitord # experimental
monitor 561/udp # experimental
garcon 600/tcp
maitrd 601/tcp
busboy 602/tcp
acctmaster 700/udp
acctslave 701/udp
acct 702/udp
acctlogin 703/udp
acctprinter 704/udp
elcsd 704/udp # errlog
acctinfo 705/udp
acctslave2 706/udp
acctdisk 707/udp
kerberos 750/tcp kdc # Kerberos authentication--tcp
kerberos 750/udp kdc # Kerberos authentication--udp
kerberos_master 751/tcp # Kerberos authentication
kerberos_master 751/udp # Kerberos authentication
passwd_server 752/udp # Kerberos passwd server
userreg_server 753/udp # Kerberos userreg server
krb_prop 754/tcp # Kerberos slave propagation
erlogin 888/tcp # Login and environment passing
kpop 1109/tcp # Pop with Kerberos
phone 1167/udp
ingreslock 1524/tcp
maze 1666/udp
nfs 2049/udp # sun nfs
knetd 2053/tcp # Kerberos de-multiplexor
eklogin 2105/tcp # Kerberos encrypted rlogin
rmt 5555/tcp rmtd
mtb 5556/tcp mtbd # mtb backup
man 9535/tcp # remote man server
w 9536/tcp
mantst 9537/tcp # remote man server, testing
bnews 10000/tcp
rscs0 10000/udp
queue 10001/tcp
rscs1 10001/udp
poker 10002/tcp
rscs2 10002/udp
gateway 10003/tcp
rscs3 10003/udp
remp 10004/tcp
rscs4 10004/udp
rscs5 10005/udp
rscs6 10006/udp
rscs7 10007/udp
rscs8 10008/udp
rscs9 10009/udp
rscsa 10010/udp
rscsb 10011/udp
qmaster 10012/tcp
qmaster 10012/udp

ICMP Protocol & its Codes:

Type: Name: Codes:
0 Echo Reply 0 - none
1 Unassigned  
2 Unassigned  
3 Destination Unreachable 0 - Net unreachable
    1 - Host unreachable
    2 - Protocol unreachable
    3 - Port unreachable
    4 - Fragmentation needed and DF bit set
    5 - Source route failed
    6 - Destination network unknown
    7 - Destination host unknown
    8 - Source host isolated
    9 - Communication with destination network is administratively prohibited
    10 - Communication with destination host is administratively prohibited
    11 - Destination network unreachable for TOS
    12 - Destination host unreachable for TOS
4 Source Quench 0 - none
5 Redirect 0 - Redirect datagram for the network
    1 - Redirect datagram for the host
    2 - Redirect datagram for the TOS and network
    3 - Redirect datagram for the TOS and host
6 Alternate Host Address 0 - Alternate address for host
7 Unassigned  
8 Echo 0 - None
9 Router Advertisement 0 - None
10 Router Selection 0 - None
11 Time Exceeded 0 - Time to live exceeded in transit
    1 - Fragment reassembly time exceeded
12 Parameter Problem 0 - Pointer indicates the error
    1 - Missing a required option
    2 - Bad length
13 Timestamp 0 - None
14 Timestamp Reply 0 - None
15 Information Request 0 - None
16 Information Reply 0 - None
17 Address Mask Request 0 - None
18 Address Mask Reply 0 - None
19 Reserved (for security)  
20-29 Reserved (for robustness experiment)  
30 Traceroute  
31 Datagram Conversion Error  
32 Mobile Host Redirect  
33 IPv6 where-are-you  
34 IPv6 I-am-here  
35 Mobile Registration Request  
36 Mobile Registration Reply  
37-255 Reserved  

Below you will find those wacky IP NUMBERS you always wanted to know about,
but could not find the info on. The ICMP Protocol uses some of these, which
report back to IANA when your computer broadcasts with outbound communication.
Most of the time, you will see these when you use a Router or bootup your
computer. Remember, these can change also.


Host Extensions for IP Multicasting [RFC1112] specifies the extensions
required of a host implementation of the Internet Protocol (IP) to
support multicasting. The multicast addresses are in the range through Current addresses are listed below.

The range of addresses between and, inclusive,
is reserved for the use of routing protocols and other low-level
topology discovery or maintenance protocols, such as gateway discovery
and group membership reporting. Multicast routers should not forward
any multicast datagram with destination addresses in this range,
regardless of its TTL.

There is a concept of relative addresses to be used with the scoped
multicast addresses. These relative addresses are listed here:

Relative Description
--------- ---------------------------------------
  0 SAP Session Announcement Protocol
  1 MADCAP Protocol
  2 SLPv2 Discovery
  3 MZAP
  4 Multicast Discovery of DNS Services [Manning]
  5 SSDP
  6 DHCP v4
  7 AAP
  8-252 Reserved - To be assigned by the IANA
  253 Reserved
  254-255 Reserved - To be assigned by the IANA

These addresses are listed in the Domain Name Service under MCAST.NET
and 224.IN-ADDR.ARPA.

Note that when used on an Ethernet or IEEE 802 network, the 23
low-order bits of the IP Multicast address are placed in the low-order
23 bits of the Ethernet or IEEE 802 net multicast address. See the section on "IANA ETHERNET ADDRESS BLOCK".




The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through 65535.


The Well Known Ports are assigned by the IANA and on most systems can
only be used by system (or root) processes or by programs executed by
privileged users.

Ports are used in the TCP [RFC793] to name the ends of logical
connections which carry long term conversations. For the purpose of
providing services to unknown callers, a service contact port is
defined. This list specifies the port used by the server process as
its contact port. The contact port is sometimes called the
"well-known port".

To the extent possible, these same port assignments are used with the
UDP [RFC768].

The assigned ports use a small portion of the possible port numbers.
For many years the assigned ports were in the range 0-255. Recently,
the range for assigned ports managed by the IANA has been expanded to
the range 0-1023.

Remember to check with IANA for any changes at:

This file contains the Internet protocols as defined by RFC 1060 Assigned Numbers. A file called PROTOCOL in the Windows sub-directory:

Format: protocol name.....assigned number.....aliases.....comment

ip..............0........IP................Internet protocol
icmp..........1........ICMP...........Internet control message protocol
ggp...........3........GGP.............Gateway-gateway protocol
tcp............6........TCP.............Transmission control protocol
egp...........8........EGP.............Exterior gateway protocol
pup...........12......PUP.............PARC universal packet protocol
udp...........17......UDP.............User datagram protocol
hmp..........20......HMP.............Host monitoring protocol
xns-idp.....22......XNS-IDP.......Xerox NS IDP
rdp...........27......RDP..............reliable datagram protocol
rvd...........66......RVD..............MIT remote virtual disk

PROTOCOL NUMBERS

In the Internet Protocol version 4 (IPv4) [RFC791] there is a field, called "Protocol", to identify the next level protocol. This is an 8 bit field. In Internet Protocol version 6 (IPv6) [RFC1883] this field is called the "Next Header" field.

Assigned Internet Protocol Numbers:

Decimal  Keyword          Protocol                                References
-------  -------          --------                                ----------
0        HOPOPT           IPv6 Hop-by-Hop Option                  [RFC1883]
1        ICMP             Internet Control Message                [RFC792]
2        IGMP             Internet Group Management               [RFC1112]
3        GGP              Gateway-to-Gateway                      [RFC823]
4        IP               IP in IP (encapsulation)                [RFC2003]
5        ST               Stream                                  [RFC1190,RFC1819]
6        TCP              Transmission Control                    [RFC793]
7        CBT              CBT                                     [Ballardie]
8        EGP              Exterior Gateway Protocol               [RFC888,DLM1]
9        IGP              any private interior gateway            [IANA]
                          (used by Cisco for their IGRP)
10       BBN-RCC-MON      BBN RCC Monitoring                      [SGC]
11       NVP-II           Network Voice Protocol                  [RFC741,SC3]
12       PUP              PUP                                     [PUP,XEROX]
13       ARGUS            ARGUS                                   [RWS4]
14       EMCON            EMCON                                   [BN7]
15       XNET             Cross Net Debugger                      [IEN158,JFH2]
16       CHAOS            Chaos                                   [NC3]
17       UDP              User Datagram                           [RFC768,JBP]
18       MUX              Multiplexing                            [IEN90,JBP]
19       DCN-MEAS         DCN Measurement Subsystems              [DLM1]
20       HMP              Host Monitoring                         [RFC869,RH6]
21       PRM              Packet Radio Measurement                [ZSU]
22       XNS-IDP          XEROX NS IDP                            [ETHERNET,XEROX]
23       TRUNK-1          Trunk-1                                 [BWB6]
24       TRUNK-2          Trunk-2                                 [BWB6]
25       LEAF-1           Leaf-1                                  [BWB6]
26       LEAF-2           Leaf-2                                  [BWB6]
27       RDP              Reliable Data Protocol                  [RFC908,RH6]
28       IRTP             Internet Reliable Transaction           [RFC938,TXM]
29       ISO-TP4          ISO Transport Protocol Class 4          [RFC905,RC77]
30       NETBLT           Bulk Data Transfer Protocol             [RFC969,DDC1]
31       MFE-NSP          MFE Network Services Protocol           [MFENET,BCH2]
32       MERIT-INP        MERIT Internodal Protocol               [HWB]
33       SEP              Sequential Exchange Protocol            [JC120]
34       3PC              Third Party Connect Protocol            [SAF3]
35       IDPR             Inter-Domain Policy Routing Protocol    [MXS1]
36       XTP              XTP                                     [GXC]
37       DDP              Datagram Delivery Protocol              [WXC]
38       IDPR-CMTP        IDPR Control Message Transport Protocol [MXS1]
39       TP++             TP++ Transport Protocol                 [DXF]
40       IL               IL Transport Protocol                   [Presotto]
41       IPv6             Ipv6                                    [Deering]
42       SDRP             Source Demand Routing Protocol          [DXE1]
43       IPv6-Route       Routing Header for IPv6                 [Deering]
44       IPv6-Frag        Fragment Header for IPv6                [Deering]
45       IDRP             Inter-Domain Routing Protocol           [Sue Hares]
46       RSVP             Reservation Protocol                    [Bob Braden]
47       GRE              General Routing Encapsulation           [Tony Li]
48       MHRP             Mobile Host Routing Protocol            [David Johnson]
49       BNA              BNA                                     [Gary Salamon]
50       ESP              Encap Security Payload for IPv6         [RFC1827]
51       AH               Authentication Header for IPv6          [RFC1826]
52       I-NLSP           Integrated Net Layer Security TUBA      [GLENN]
53       SWIPE            IP with Encryption                      [JI6]
54       NARP             NBMA Address Resolution Protocol        [RFC1735]
55       MOBILE           IP Mobility                             [Perkins]
56       TLSP             Transport Layer Security Protocol       [Oberg]
                          using Kryptonet key management
57       SKIP             SKIP                                    [Markson]
58       IPv6-ICMP        ICMP for IPv6                           [RFC1883]
59       IPv6-NoNxt       No Next Header for IPv6                 [RFC1883]
60       IPv6-Opts        Destination Options for IPv6            [RFC1883]
61                        any host internal protocol              [IANA]
62       CFTP             CFTP                                    [CFTP,HCF2]
63                        any local network                       [IANA]
64       SAT-EXPAK        SATNET and Backroom EXPAK               [SHB]
65       KRYPTOLAN        Kryptolan                               [PXL1]
66       RVD              MIT Remote Virtual Disk Protocol        [MBG]
67       IPPC             Internet Pluribus Packet Core           [SHB]
68                        any distributed file system             [IANA]
69       SAT-MON          SATNET Monitoring                       [SHB]
70       VISA             VISA Protocol                           [GXT1]
71       IPCV             Internet Packet Core Utility            [SHB]
72       CPNX             Computer Protocol Network Executive     [DXM2]
73       CPHB             Computer Protocol Heart Beat            [DXM2]
74       WSN              Wang Span Network                       [VXD]
75       PVP              Packet Video Protocol                   [SC3]
76       BR-SAT-MON       Backroom SATNET Monitoring              [SHB]
77       SUN-ND           SUN ND PROTOCOL-Temporary               [WM3]
78       WB-MON           WIDEBAND Monitoring                     [SHB]
79       WB-EXPAK         WIDEBAND EXPAK                          [SHB]
80       ISO-IP           ISO Internet Protocol                   [MTR]
81       VMTP             VMTP                                    [DRC3]
82       SECURE-VMTP      SECURE-VMTP                             [DRC3]
83       VINES            VINES                                   [BXH]
84       TTP              TTP                                     [JXS]
85       NSFNET-IGP       NSFNET-IGP                              [HWB]
86       DGP              Dissimilar Gateway Protocol             [DGP,ML109]
87       TCF              TCF                                     [GAL5]
88       EIGRP            EIGRP                                   [CISCO,GXS]
89       OSPFIGP          OSPFIGP                                 [RFC1583,JTM4]
90       Sprite-RPC       Sprite RPC Protocol                     [SPRITE,BXW]
91       LARP             Locus Address Resolution Protocol       [BXH]
92       MTP              Multicast Transport Protocol            [SXA]
93       AX.25            AX.25 Frames                            [BK29]
94       IPIP             IP-within-IP Encapsulation Protocol     [JI6]
95       MICP             Mobile Internetworking Control Pro.     [JI6]
96       SCC-SP           Semaphore Communications Sec. Pro.      [HXH]
97       ETHERIP          Ethernet-within-IP Encapsulation        [RDH1]
98       ENCAP            Encapsulation Header                    [RFC1241,RXB3]
99                        any private encryption scheme           [IANA]
100      GMTP             GMTP                                    [RXB5]
101      IFMP             Ipsilon Flow Management Protocol        [Hinden]
102      PNNI             PNNI over IP                            [Callon]
103      PIM              Protocol Independent Multicast          [Farinacci]
104      ARIS             ARIS                                    [Feldman]
105      SCPS             SCPS                                    [Durst]
106      QNX              QNX                                     [Hunter]
107      A/N              Active Networks                         [Braden]
108      IPComp           IP Payload Compression Protocol         [RFC2393]
109      SNP              Sitara Networks Protocol                [Sridhar]
110      Compaq-Peer      Compaq Peer Protocol                    [Volpe]
111      IPX-in-IP        IPX in IP                               [Lee]
112      VRRP             Virtual Router Redundancy Protocol      [Hinden]
113      PGM              PGM Reliable Transport Protocol         [Speakman]
114                       any 0-hop protocol                      [IANA]
115      L2TP             Layer Two Tunneling Protocol            [Aboba]
116      DDX              D-II Data Exchange (DDX)                [Worley]
117      IATP             Interactive Agent Transfer Protocol     [Murphy]
118      STP              Schedule Transfer Protocol              [JMP]
119      SRP              SpectraLink Radio Protocol              [Hamilton]
120      UTI              UTI                                     [Lothberg]
121      SMP              Simple Message Protocol                 [Ekblad]
122      SM               SM                                      [Crowcroft]
123      PTP              Performance Transparency Protocol       [Welzl]
124      ISIS over IPv4                                           [Przygienda]
125      FIRE                                                     [Partridge]
126      CRTP             Combat Radio Transport Protocol         [Sautter]
127      CRUDP            Combat Radio User Datagram              [Sautter]
128      SSCOPMCE                                                 [Waber]
129      IPLT                                                     [Hollbach]
130      SPS              Secure Packet Shield                    [McIntosh]
131      PIPE             Private IP Encapsulation within IP      [Petri]
132      SCTP             Stream Control Transmission Protocol    [Stewart]
133      FC               Fibre Channel                           [Rajagopal]
134      RSVP-E2E-IGNORE                                          [RFCXXXX]
135-254                   Unassigned                              [IANA]
255                       Reserved                                [IANA]


These are the Official Protocol Names as they appear in the Domain Name System WKS records and the NIC Host Table. Their use is described in [RFC952].

A protocol or service may be up to 40 characters taken from the set of uppercase letters, digits, and the punctuation character hyphen. It must start with a letter, and end with a letter or digit.

ARGUS - ARGUS Protocol
ARP - Address Resolution Protocol
AUTH - Authentication Service
BBN-RCC-MON - BBN RCC Monitoring
BL-IDM - Britton Lee Intelligent Database Machine
BOOTP - Bootstrap Protocol
BOOTPC - Bootstrap Protocol Client
BOOTPS - Bootstrap Protocol Server
BR-SAT-MON - Backroom SATNET Monitoring
CHAOS - CHAOS Protocol
CHARGEN - Character Generator Protocol
CLOCK - DCNET Time Server Protocol
CMOT - Common Mgmnt Info Ser and Prot over TCP/IP
COOKIE-JAR - Authentication Scheme
CSNET-NS - CSNET Mailbox Nameserver Protocol
DAYTIME - Daytime Protocol
DCN-MEAS - DCN Measurement Subsystems Protocol
DCP - Device Control Protocol
DGP - Dissimilar Gateway Protocol
DISCARD - Discard Protocol
DMF-MAIL - Digest Message Format for Mail
DOMAIN - Domain Name System
ECHO - Echo Protocol
EGP - Exterior Gateway Protocol
EHF-MAIL - Encoding Header Field for Mail
EMCON - Emission Control Protocol
EMFIS-CNTL - EMFIS Control Service
FCONFIG - Fujitsu Config Protocol
FINGER - Finger Protocol
FTP - File Transfer Protocol
FTP-DATA - File Transfer Protocol Data
GGP - Gateway Gateway Protocol
GRAPHICS - Graphics Protocol
HMP - Host Monitoring Protocol
HOST2-NS - Host2 Name Server
HOSTNAME - Hostname Protocol
ICMP - Internet Control Message Protocol
IGMP - Internet Group Management Protocol
IGP - Interior Gateway Protocol
IMAP2 - Interim Mail Access Protocol version 2
IP - Internet Protocol
IPCU - Internet Packet Core Utility
IPPC - Internet Pluribus Packet Core
IP-ARC - Internet Protocol on ARCNET
IP-ARPA - Internet Protocol on ARPANET
IP-CMPRS - Compressing TCP/IP Headers
IP-DC - Internet Protocol on DC Networks
IP-DVMRP - Distance Vector Multicast Routing Protocol
IP-E - Internet Protocol on Ethernet Networks
IP-EE - Internet Protocol on Exp. Ethernet Nets
IP-FDDI - Transmission of IP over FDDI
IP-HC - Internet Protocol on Hyperchannel
IP-IEEE - Internet Protocol on IEEE 802
IP-IPX - Transmission of 802.2 over IPX Networks
IP-MTU - IP MTU Discovery Options
IP-NETBIOS - Internet Protocol over NetBIOS Networks
IP-SLIP - Transmission of IP over Serial Lines
IP-WB - Internet Protocol on Wideband Network
IP-X25 - Internet Protocol on X.25 Networks
IRTP - Internet Reliable Transaction Protocol
ISI-GL - ISI Graphics Language Protocol
ISO-TP4 - ISO Transport Protocol Class 4
LA-MAINT - IMP Logical Address Maintenance
LARP - Locus Address Resolution Protocol
LDP - Loader Debugger Protocol
LEAF-1 - Leaf-1 Protocol
LEAF-2 - Leaf-2 Protocol
LINK - Link Protocol
LOC-SRV - Location Service
LOGIN - Login Host Protocol
MAIL - Format of Electronic Mail Messages
MERIT-INP - MERIT Internodal Protocol
METAGRAM - Metagram Relay
MIB - Management Information Base
MFE-NSP - MFE Network Services Protocol
MIT-SUBNET - MIT Subnet Support
MIT-DOV - MIT Dover Spooler
MPM - Internet Message Protocol (Multimedia Mail)
MPM-FLAGS - MPM Flags Protocol
MPM-SND - MPM Send Protocol
MSG-AUTH - MSG Authentication Protocol
MSG-ICP - MSG ICP Protocol
MUX - Multiplexing Protocol
NAMESERVER - Host Name Server
NETBIOS-DGM - NETBIOS Datagram Service
NETBLT - Bulk Data Transfer Protocol
NETED - Network Standard Text Editor
NETRJS - Remote Job Service
NI-FTP - NI File Transfer Protocol
NI-MAIL - NI Mail Protocol
NICNAME - Who Is Protocol
NFILE - A File Access Protocol
NNTP - Network News Transfer Protocol
NSW-FE - NSW User System Front End
NTP - Network Time Protocol
NVP-II - Network Voice Protocol
OSPF - Open Shortest Path First Interior GW Protocol
PCMAIL - Pcmail Transport Protocol
POP2 - Post Office Protocol - Version 2
POP3 - Post Office Protocol - Version 3
PPP - Point-to-Point Protocol
PRM - Packet Radio Measurement
PUP - PUP Protocol
PWDGEN - Password Generator Protocol
QUOTE - Quote of the Day Protocol
RARP - A Reverse Address Resolution Protocol
RATP - Reliable Asynchronous Transfer Protocol
RE-MAIL-CK - Remote Mail Checking Protocol
RDP - Reliable Data Protocol
RIP - Routing Information Protocol
RJE - Remote Job Entry
RLP - Resource Location Protocol
RTELNET - Remote Telnet Service
RVD - Remote Virtual Disk Protocol
SAT-EXPAK - Satnet and Backroom EXPAK
SAT-MON - SATNET Monitoring
SEP - Sequential Exchange Protocol
SFTP - Simple File Transfer Protocol
SGMP - Simple Gateway Monitoring Protocol
SNMP - Simple Network Management Protocol
SMI - Structure of Management Information
SMTP - Simple Mail Transfer Protocol
SQLSRV - SQL Service
STP - Stream Protocol
STATSRV - Statistics Service
SU-MIT-TG - SU/MIT Telnet Gateway Protocol
SUN-RPC - SUN Remote Procedure Call
SUR-MEAS - Survey Measurement
SWIFT-RVF - Remote Virtual File Protocol
TACACS-DS - TACACS-Database Service
TCP - Transmission Control Protocol
TCP-ACO - TCP Alternate Checksum Option
TELNET - Telnet Protocol
TFTP - Trivial File Transfer Protocol
THINWIRE - Thinwire Protocol
TIME - Time Server Protocol
TP-TCP - ISO Transport Service on top of the TCP
TRUNK-1 - Trunk-1 Protocol
TRUNK-2 - Trunk-2 Protocol
UCL - University College London Protocol
UDP - User Datagram Protocol
USERS - Active Users Protocol
UUCP-PATH - UUCP Path Service
VIA-FTP - VIA Systems-File Transfer Protocol
VISA - VISA Protocol
VMTP - Versatile Message Transaction Protocol
WB-MON - Wideband Monitoring
XNET - Cross Net Debugger

Do you still feel Safe on the Internet???


This Web Site is not responsible for the content of any external sites that we link to (including sponsors), and those sites are not necessarily endorsed by us. Graphics, programming, copyrights, and trademarks other than those provided by Thomas P. Herrod belong to their respective owners.

*** Copyright © 1997-2001 By: Thomas P. Herrod -All Rights Reserved- ***