Leaving unnecessary ports open increases your attack surface and can result in exploitation, lateral movement, or data exfiltration. This guide walks through a structured approach for determining which ports should remain open — and includes how to use Wireshark, Nessus credentialed scans, Splunk, and SIEM alert tuning to validate, audit, and monitor open ports in both Linux and Windows environments.

Step 1: Identify Business and Operational Requirements

Before documenting required ports, it’s critical to validate what services are actually running across your environment. Don’t rely solely on documentation or stakeholder interviews — many environments contain legacy systems, test instances, or services that no one officially owns. Begin by performing internal network discovery and fingerprinting to identify hosts, services, and open ports in your environment.

Network Discovery and Service Fingerprinting

Use the following tools to discover live systems and enumerate their exposed ports:

Nmap – Industry-standard port scanner that can also detect operating systems and running services.
Use case: Comprehensive scan of your local subnet or a critical server range.
Example:
nmap -sS -sV -O -p- 192.168.1.0/24

• -sS = Stealth SYN scan
• -sV = Version detection
• -O = OS detection
• -p- = Scan all ports (0–65535)

Add -Pn to skip ping checks (useful if hosts block ICMP). Use –top-ports 1000 for faster scans of common ports.

Masscan – Very fast port scanner capable of scanning massive networks quickly.
Example:
masscan 10.0.0.0/8 -p0-65535 –rate=10000

Use for initial sweep; follow up with Nmap -sV on any detected open ports.

Netdiscover or arp-scan – Detect devices using ARP requests (layer 2).
netdiscover -r 192.168.1.0/24
arp-scan –interface=eth0 –localnet

Great for discovering unmanaged or undocumented hosts in flat networks.

Nessus (Unauthenticated) – Perform a basic network-wide scan to detect exposed services.
Follow up with credentialed scans to audit services bound to localhost or internal interfaces.

Host-Level Port Checks

Linux:
ss -tuln
netstat -tulnp

Windows:
Get-NetTCPConnection | Select-Object LocalAddress,LocalPort,State
netstat -ano | findstr LISTENING
Get-Process -Id

Table of Verified Services

Service	Port	Protocol	Direction	Source	Justification
SSH	22	TCP	Ingress	VPN IPs only	Remote administration
HTTPS	443	TCP	Ingress	Any	Public-facing web app
DNS	53	UDP/TCP	Egress	Internal hosts	Name resolution

Document all findings and tie each service to a business function. This becomes the baseline for what should be allowed through the firewall.

Step 2: Default-Deny Firewall Policy

Use a deny-by-default strategy and explicitly allow only what is required.

Linux (iptables):
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

Linux (UFW):
ufw default deny incoming
ufw default deny outgoing
ufw allow out 53/udp comment ‘Allow DNS’
ufw allow out 123/udp comment ‘Allow NTP’

Windows (PowerShell):
New-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName “Allow DNS” -Direction Outbound -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName “Allow NTP” -Direction Outbound -Protocol UDP -RemotePort 123 -Action Allow

Audit regularly with iptables-save (Linux) or Get-NetFirewallRule (Windows). Use Group Policy Objects (GPO) to enforce consistent firewall policy in Windows domains.

Step 3: Analyze Traffic with Wireshark

Wireshark helps confirm which services are actively in use.

Apply filters:
tcp.port == 22
udp.port == 53
ip.addr == x.x.x.x

Capture for 24+ hours if possible to reveal scheduled jobs or backup-related activity.

Linux CLI alternative:
tshark -i eth0 -Y “tcp” -T fields -e ip.dst -e tcp.dstport

Windows built-in:
netsh trace start capture=yes tracefile=c:\captures\nettrace.etl
Convert using Microsoft Message Analyzer or etl2pcapng.

Look for:

• Ports in use that weren’t previously documented
• Legacy protocols (Telnet, NetBIOS)
• Beacons or excessive traffic from unknown ports

Step 4: Run Nessus Credentialed Scans

Credentialed Nessus scans allow deep inspection of active services — including those listening only on localhost.

1. Choose “Advanced Scan” or “Credentialed Patch Audit”
2. Use SSH credentials for Linux, SMB credentials for Windows
3. Enable “Scan all ports” and “Perform thorough service discovery”

For Windows SMB scans:

• File and Printer Sharing must be enabled
• Open ports 445 and/or 139
• Account must be a local or domain admin
• Remote Registry must be enabled
• Test access: net use \hostname\C$ /user:DOMAIN\user

Review results for:

• Open but undocumented ports
• Services on nonstandard ports (e.g., RDP on 8443)
• CVEs associated with known services
• Default or weak credentials on exposed systems

Use findings to refine the allowlist and remove unnecessary exposure.

Step 5: Controlled Testing

After changes, test service availability and verify blocked ports.

Linux:
dig example.com
curl https://host
nc -zv host 443

Windows:
Test-NetConnection -ComputerName host -Port 443
Invoke-WebRequest -Uri https://host

Externally test with:
nmap -Pn -p-

Create a script or CI check to confirm all required services are reachable, and blocked services fail gracefully.

Step 6: Ongoing Monitoring and Review

Regular review is critical:

• Monthly: Credentialed Nessus scans
• Quarterly: Wireshark captures and port reviews
• Annually: Pen testing or internal red team review

Track changes via git (Linux firewall configs) or GPO history (Windows). Maintain a central list of allowed ports, tied to asset owners and expiration/review dates.

High-Risk Ports That Should Usually Remain Closed

Port	Service	Reason
23	Telnet	Unencrypted login protocol
137–139	NetBIOS	Legacy file sharing, lateral movement
445	SMB	Exploited by many ransomware groups
1433	MSSQL	Common brute-force target
3389	RDP	Should only be used with VPN + MFA

If these must remain open: restrict by IP, enable MFA, monitor with SIEM, and apply full logging.

SIEM Alert Tuning for Firewall Events

Use your SIEM to alert on:

• New open ports without change tickets
• Traffic to or from disallowed high-risk ports
• Excessive blocked outbound traffic
• Unauthorized port scans or recon behavior

Example logic:
(event.type=firewall_rule_change AND user!=approved_admin)
OR
(dest_port=445 AND src_ip NOT IN approved_vpn_ranges)

Tune alert thresholds to avoid noise, but maintain visibility on escalation paths, lateral movement, and data egress.

Splunk-Specific Monitoring and Dashboards

Splunk is an ideal platform for port monitoring at scale.

To identify blocked outbound traffic:
index=firewall action=blocked direction=outbound
| stats count by src_ip dest_ip dest_port

To find uncommon ports:
index=network
| stats count by dest_port
| where dest_port > 1024 AND count > 100

To monitor external RDP usage:
index=firewall dest_port=3389 src_ip!=10.0.0.0/8
| stats count by src_ip dest_ip

Build dashboards for:

• Top 20 destination ports (internal and external)
• Trends in denied outbound traffic
• Changes in allowed inbound port sets
• Open port vs. asset role validation

Use lookup tables for approved port lists and alert on deviations. Combine firewall logs with EDR and asset inventory data for context-aware decisions.

Conclusion

Effective firewall control starts with evidence, not assumptions. Combine network discovery, service validation, traffic monitoring, and SIEM analysis to build a defensible allowlist. Tools like Nmap, Wireshark, Nessus, and Splunk provide the technical insight. Deny by default, document every rule, and treat your firewall like a living system — not a one-time configuration.