Helping people with computers... one answer at a time.

A firewall will prevent malicious and other messages from reaching your computer, but it won't stop your computer's software from listing for them.

When I look at my firewall log I see a number of processes that are listening on the internet, including some on ports that the firewall has been programmed to keep closed. What are these processes (like svchost, lsass, windows explorer, etc.) listening for? And how are they listening on ports that are supposed to be closed?

Oh they may be listening, but that doesn't mean they're going to hear anything.

It really just the nature of how a firewall works, so I'll use this as an opportunity to try to clarify that just a little.

In an unprotected system, every application that wants to be able to respond to an incoming message from another computer somewhere out on the internet is said to be "listening". It does this by registering itself with the network component of the operating system, saying in effect, "whenever you receive a message of this type, give it to me and I'll deal with it".

In a very important sense, each process is connected directly to the internet, listening for messages of the type that it wants to hear about:

Applications Listening to the Internet

Now, what I've called a message of "this type" is identified by what's called a port number, so processes are "listen" to "ports". That how each process is listening to only one type of message and not interfering with the messages destined for another process. Windows itself might be listening for file-sharing requests on one port, while an instance of svchost.exe is listening for incoming remote desktop requests on another port.

Using TCPView, here's a snapshot of the processes listening on my machine as I write this:

TCPView displaying ports being listened to

Among other things you can see that instance of svchost listening to port 3389, which is the incoming port for Remote Desktop requests.

When we add a firewall to the picture, none of that changes:

Applications Listening to the Internet, through a Firewall

"The firewall simply prevents messages coming in from ever reaching any of the processes listening for them."

In a sense, the firewall lives on the "internet side" of the computer's network connection. All the processes are unaffected; they don't know about the firewall, they just keep doing whatever it is they do. They keep listening.

The firewall simply prevents messages coming in from ever reaching any of the processes listening for them. The messages are "blocked" at the firewall. This is how a firewall protects you - it keeps all unexpected messages from ever reaching the software that might try to act on them. Particularly if you're connected directly to the internet you'll see that there are many such "unexpected" messages, and a vast majority of them are viruses, malware, and other hacking attempts. Your firewall stops them cold.

But what if we want to be able to respond to some of those messages? What if we know that certain messages are okay and that we actually want to use the functionality those messages represent?

Remote Desktop is a good example. Since even with a firewall in place my computer is still listening to the remote desktop port (3389), all we need to do is to configure the firewall to allow that port through. Once configured everything else might be blocked, but if a message comes in that's destined for port 3389 then the firewall can let it through. (Naturally I'll want to make sure that remote access is secure in other ways, perhaps by using exceptionally strong login passwords since it can now reach my machine.)

That's why you sometimes have to configure your firewall before some applications will work. The application might be listening, but the firewall could be preventing it from ever hearing anything.

As a side note, so far we've only talked about blocking incoming messages. Many software firewalls often work both ways: blocking unwanted messages coming in and also unexpected messages going out. If a program needs to be able to communicate out to other machines through ports that aren't already open in the firewall, you might have to configure it to allow those ports through as well.

Finally, all this does beg the question: if a firewall is going to prevent any of the messages of a given type from reaching us then why are we "listening" at all?

It's a legitimate question. Sometimes you can in fact turn off or disable the software that's listening to a given port because it'll never be activated. If I didn't use Remote Desktop, for example, I'd turn off the service and it would stop listening on 3389. Not only would that prevent accidental or malicious connections to that port, it also frees up memory for other processes to run.

In other cases, things aren't quite that simple. Quite often the system "talks to itself", so to speak, through networking connections that need to remain open. Other programs simply can't be told not to listen even though you might still want them running for other reasons.

In an ideal world we wouldn't need firewalls. Every machine would listen for only those things it needs and would do so in a perfect bug-free way. There also wouldn't be malware out on the internet trying to propagate and infect your machine through your network connection. But we don't live in an ideal world, and a firewall is a critically important first line of defense.

Article C3022 - May 13, 2007 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

May 29, 2007 3:19 AM

when i am double click drives its opening another window i dont have that another window

January 19, 2008 7:52 PM

I have Firestarter in my laptop and for some reason it keeps closing itself I just change from Windows to Linux (Ubuntu) and left everything as default. Is there anything I can do to prevent this? Thank you in advance.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.