
Question about server mapping on Firewall USG 6330

Created: Apr 16, 2021 18:56:57 | Latest reply: Apr 29, 2021 14:56:47 (problem unresolved)

Hello,


I would like to know if ports added to the server mapping list [NAT Policy] are open to the Internet? Do they expose the internal network?


Here is an example:

[Image: Port range]

Are these 225 ports (range 38775-39000) safe to be open?

This is just an example. We have ranges from 20010 to 32010 (UDP) and many others. Is this safe or not? Do they get opened when they are needed, or are they always open?


Thank you in advance!



Featured Answers
DDSN (Admin) Created Apr 17, 2021 02:18:50

Hi IvoK,
TCP and UDP are used to connect two devices over the Internet or other networks. However, to give data packages an entrance to the PC or server at the other end of the connection, the “doors” have to be open. These openings into the system are called ports.
When communicating via the Internet, the two protocols TCP and UDP establish the connection, compile data packages again after the transfer, and then hand them over to the programs addressed on the recipient’s device. For this handover to work, the operating system must create entrances and open them for the transfer. Every entrance has a specific code number. After the transfer, the receiving system knows where the data has to be delivered based on the port number.
The port itself is neutral. However, some known viruses may attack the network through some ports. Therefore, these ports are disabled. Some common ports, such as FTP ports 20 and 21, are always enabled.
I hope it helps!

All Answers
Gustavo.HdezF (Admin) Created Apr 16, 2021 19:05:22

Hello User, we are reviewing your question and we will answer you shortly. Thanks.


IvoK Created Apr 17, 2021 07:37:27

Hello, thank you for the replies!

I am familiar with connection establishment and transport mechanisms. And I know that when I make port-forwarding on my home router, there will be someone to sniff the opened port and connect to it. (MitM)

I am curious about the firewall's port-forwarding mechanisms, because such huge ranges of ports, if they are all opened, are not appropriate according to good practice. This way the internal system would be exposed to different types of malicious attacks.

I used a port scanner to test the ports and it showed me that only about 10 ports are open. When I tried to telnet to these ports I could make a connection. But when I tried to telnet to some random ports which are in the port list of the server mapping, I couldn't establish a connection.

I am not completely sure if these tests are accurate.

Thanks! :}


DDSN Created Apr 17, 2021 08:14:47

By default, many ports on the firewall are disabled and need to be enabled using commands. If the FTP server is disabled by default, run the ftp server enable command to enable the FTP function. For more information about ports, see the firewall communication matrix at http://support.huawei.com.
LilStylz237 (Moderator) Created Apr 18, 2021 12:30:29

Thank you for that information

IvoK Created Apr 29, 2021 14:56:47

Hello,

Here is an update about the topic.

Actually when ports are added to the server mapping list (aforementioned settings), they are not open all the time.

Here is an example of the port scanning results:

[Image: port scan results]

The port scanning was made for all 65535 ports (TCP and UDP). As you can see there are only 11 open ports. (We have huge ranges of ports added to the server mapping list.)

I was looking for such an answer.


Thank you anyway!

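As an added illustration (not from the thread or from Huawei), a small Python audit that reconciles the configured server-mapping ranges with the result of an external scan of the firewall's public address, separating ports that actually reach a listening service from mapped ports that stay silent; the mapping specs, internal host addresses and scan lines are constructed.

```python
"""Reconcile NAT server-mapping ranges with an external port scan.
Constructed example: specs, hosts and scan lines are illustrative,
not taken from the thread or from any USG configuration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    proto: str      # "tcp" or "udp"
    first: int      # first external port of the server-mapping entry
    last: int       # last external port (inclusive)
    internal: str   # internal host the range is translated to (constructed)


def parse_mapping(spec: str, internal: str) -> Mapping:
    """Parse a range spec such as '38775-39000/tcp' or '443/tcp'."""
    ports, proto = spec.lower().split("/")
    lo, _, hi = ports.partition("-")
    first, last = int(lo), int(hi or lo)
    if proto not in ("tcp", "udp") or not 1 <= first <= last <= 65535:
        raise ValueError(f"bad mapping spec: {spec}")
    return Mapping(proto, first, last, internal)


def parse_scan(lines):
    """Collect (proto, port) pairs from nmap-style 'PORT STATE SERVICE' rows."""
    opened = set()
    for line in lines:
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "open" and "/" in fields[0]:
            port, proto = fields[0].split("/")
            opened.add((proto, int(port)))
    return opened


def exposure_report(mappings, observed_open):
    """Split mapped ports into those the scan reached and those that stayed silent.
    A server mapping only translates the packet; a port looks open from outside
    only when the internal host answers on it. Open ports covered by no mapping
    are listed separately so they can be investigated."""
    mapped = {(m.proto, p) for m in mappings for p in range(m.first, m.last + 1)}
    return {
        "mapped_total": len(mapped),
        "reachable": sorted(mapped & observed_open),
        "silent": len(mapped - observed_open),
        "unmapped_open": sorted(observed_open - mapped),
    }
```

Feed it the scanner's open-port table and the USG's server-mapping entries; a large "silent" count with a short "reachable" list is the situation described in the last post.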
