How to close or block a port (Windows & Linux)

Learn how to close a port the right way: stop the service vs firewall it. Covers Windows Firewall, ufw, firewalld, iptables, and disabling services safely.

Published on 3 min read

"How do I close a port?" usually means one of two different things: stop the program that is listening, or block traffic to it with a firewall. Both have their place, but they are not equivalent. This guide covers the real fix (stop or disable the service) and the defensive layer (firewall the port) on Windows and Linux, with concrete examples for risky services.

Stop the service vs firewall the port

If a port is open, some service is bound to it. The most thorough fix is to stop that service so nothing listens at all: a port with no listener is closed on every interface and presents nothing to attack. A firewall rule is different: the service keeps running and listening, and you merely block traffic from reaching it. Firewalls are excellent defense in depth, but a stopped service can't be exposed by a future misconfiguration. Rule of thumb: if you don't need the service, disable it; if you need it but only locally, firewall it.

Step 1: identify what is listening

Before closing anything, confirm what owns the port (see our guide on checking open ports).

# Linux
sudo ss -tulpn | grep :3389
# Windows
netstat -ano | findstr :3389

Stop or disable the service (the real fix)

On Linux with systemd, stop the unit now and prevent it starting at boot:

# Example: stop and disable an exposed Redis on port 6379
sudo systemctl stop redis-server
sudo systemctl disable redis-server

The same approach closes port 23 (Telnet) for good by removing or disabling its daemon, or shuts down a database listening on port 3306 (MySQL) or port 5432 (PostgreSQL) that shouldn't be running.

On Windows, stop and disable the service:

# Example: disable the Remote Desktop service if RDP isn't needed
Stop-Service -Name TermService -Force
Set-Service -Name TermService -StartupType Disabled

If the service must stay running but shouldn't accept remote connections, bind it to localhost instead of 0.0.0.0 in its config. That alone closes port 27017 (MongoDB) or port 6379 (Redis) to the network while keeping local apps working.

Block a port with Windows Firewall

When you can't stop the service, block it. Use PowerShell's modern cmdlet:

# Block inbound RDP on port 3389
New-NetFirewallRule -DisplayName "Block RDP" -Direction Inbound `
  -Protocol TCP -LocalPort 3389 -Action Block

# Block inbound SMB on port 445
New-NetFirewallRule -DisplayName "Block SMB" -Direction Inbound `
  -Protocol TCP -LocalPort 445 -Action Block

The classic netsh syntax still works and is handy in scripts. The backtick line continuation below is PowerShell syntax; in a cmd.exe batch file put the command on one line (or use ^ to continue it):

netsh advfirewall firewall add rule name="Block Telnet" `
  dir=in action=block protocol=TCP localport=23

Block a port with ufw (Ubuntu/Debian)

ufw is the simplest Linux firewall front-end:

# Deny inbound MySQL and PostgreSQL
sudo ufw deny 3306/tcp
sudo ufw deny 5432/tcp

# Allow SSH from one trusted network only; the default inbound
# policy must be deny, otherwise other sources still get through
sudo ufw default deny incoming
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp
sudo ufw enable

This is a clean way to close port 5900 (VNC) or port 8080 (HTTP alt) to the public while keeping them open internally.

Block a port with firewalld (RHEL/Fedora/CentOS)

# Remove a service/port from the active zone, then reload
sudo firewall-cmd --permanent --remove-port=3389/tcp
sudo firewall-cmd --permanent --remove-service=samba   # SMB 445/139
sudo firewall-cmd --reload

Remember port 139 ships alongside port 445 for SMB, so close both if you're disabling file sharing.

Block a port with iptables

For systems without a higher-level front-end, raw iptables rules work everywhere:

# Drop inbound traffic to Redis on port 6379
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP

# Drop inbound MongoDB on port 27017
sudo iptables -A INPUT -p tcp --dport 27017 -j DROP

Note that -A appends to the end of the INPUT chain, so an earlier ACCEPT rule that matches the same traffic wins; use -I INPUT instead to insert the DROP at the top if your chain already has broad allows. Persist the rules (iptables-save or your distro's service) so they survive a reboot. Other ports worth locking down from the public internet include port 1433 (SQL Server) and port 161 (SNMP).

Verify the port is closed

After any change, re-check from the machine and ideally from outside:

# Locally: is anything still listening?
sudo ss -tulpn | grep :3389

# From another host you own: is it reachable?
nmap -p 3389 <target>

If ss shows no listener and Nmap reports the port closed or filtered, you're done.
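The identify and verify steps above both come down to reading ss output and asking whether a risky port is bound to every interface or only to loopback (the fallback recommended when a service must keep running). The script below is an added example, not part of the original article: it parses ss -tulpn text, flags the risky ports named on this page when they are bound beyond 127.0.0.1 or [::1], and runs offline against a constructed sample; the RISKY_PORTS table is this example's own choice, drawn from the ports the article discusses.

```python
import re

# Ports this article singles out as risky when reachable from the network.
RISKY_PORTS = {
    23: "Telnet", 139: "SMB/NetBIOS", 161: "SNMP", 445: "SMB",
    1433: "SQL Server", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL",
    5900: "VNC", 6379: "Redis", 8080: "HTTP alt", 27017: "MongoDB",
}
LOOPBACK = ("127.", "[::1]")   # loopback-only binds, as ss prints them

# Constructed sample of `ss -tulpn` output, not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=1001,fd=6))
tcp   LISTEN 0      4096   *:3306             *:*               users:(("mysqld",pid=1200,fd=21))
tcp   LISTEN 0      128    [::]:27017         [::]:*            users:(("mongod",pid=1310,fd=11))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=700,fd=7))
"""

ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(text):
    """Return (proto, local_addr, port, process) for each socket line."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        m = ADDR_RE.match(fields[4])             # "Local Address:Port"
        if not m:
            continue                             # e.g. port shown as "*"
        proc = PROC_RE.search(line)
        rows.append((fields[0], m.group("addr"), int(m.group("port")),
                     proc.group(1) if proc else "?"))
    return rows


def exposed_risky_ports(text):
    """Risky ports bound to something other than loopback, with their owner."""
    return [(proto, port, RISKY_PORTS[port], addr, proc)
            for proto, addr, port, proc in parse_ss(text)
            if port in RISKY_PORTS and not addr.startswith(LOOPBACK)]


if __name__ == "__main__":
    for proto, port, name, addr, proc in exposed_risky_ports(SAMPLE_SS):
        print(f"{proto}/{port} ({name}) listens on {addr} via {proc}")
```

On a live Linux host, feed the actual output of sudo ss -tulpn to exposed_risky_ports instead of SAMPLE_SS; an empty result after your change is the local half of the verification, with the Nmap check from another host as the other half.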

Conclusion

Closing a port well is mostly about intent. If you don't need the service, stop and disable it so the port closes everywhere; that is the cleanest fix for risky exposures like RDP on port 3389, SMB on port 445, or Telnet on port 23. If you must keep the service, bind it to localhost or block it with Windows Firewall, ufw, firewalld, or iptables as defense in depth. To identify any port before you close it, browse all ports on ProtocolPorts.
