Reputation: 29
I'm not a firewall expert, so I need some help with understanding the difference between my Windows firewall rules and what netstat is displaying. Some computers at my company only allow inbound traffic on several ports due to regulations; all other ports are blocked by default.
For example, one computer might allow TCP 20,21,23,80,443,445, and 3389.
When I do a netstat command however, I see many "listening" ports that should not be allowed:
Proto Local Foreign State
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:16992 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49166 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49178 0.0.0.0:0 LISTENING
I need some help with understanding why the two do not agree. Are these ports trying to listen on a particular port, but the firewall won't allow any traffic to pass through to them?
Thank you.
Upvotes: 1
Views: 2216
Reputation: 16381
The inbound firewall rules prevent hosts from successfully connecting to ports on the local system. These can be written to prevent external hosts from connecting (typical) and can even be written to prevent localhost from connecting (unusual). The firewall does not prevent a local program from running or binding to a listening port.
Netstat has nothing to do with this. Netstat reports which ports are Listening, Established, SYN_Received, etc. The firewall does nothing to prevent local programs from listening on ports on any interface.
Upvotes: 1
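An added example (not from the question or the answer above) that puts this into practice on the Windows host itself: it lists the LISTENING TCP sockets, as netstat does, and checks each port against the enabled inbound Allow rules, so a listener that no rule opens is reported as blocked by the profile's default inbound action. It assumes the NetSecurity and NetTCPIP PowerShell modules (Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
# Added example, not code from the original post.
# Shows that a LISTENING socket and an inbound firewall rule are two different
# things: the firewall decides reachability, netstat only shows what is bound.

# 0. Confirm the firewall is on and what its default inbound action is;
#    "blocked by default" below only holds if that action is Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 1. Collect the TCP ports opened by an enabled inbound Allow rule.
#    Rules whose LocalPort is 'Any' are usually scoped to a program or service,
#    so they are listed separately instead of marking every port as allowed.
$allowed  = New-Object 'System.Collections.Generic.HashSet[int]'
$anyPort  = @()
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -notin @('TCP', 'Any')) { continue }   # match the TCP-only netstat listing
    foreach ($p in @($filter.LocalPort)) {
        if ($p -eq 'Any') {
            $anyPort += $rule.DisplayName
        } elseif ($p -match '^(\d+)-(\d+)$') {                 # a range such as 49152-65535
            foreach ($n in ([int]$matches[1])..([int]$matches[2])) { [void]$allowed.Add($n) }
        } elseif ($p -match '^\d+$') {
            [void]$allowed.Add([int]$p)
        }
        # other keywords (RPC, RPC-EPMap, IPHTTPSIn, ...) resolve dynamically and are skipped here
    }
}

# 2. Walk the listening sockets (what netstat -an shows as LISTENING) and
#    report whether an explicit port rule lets inbound traffic reach them.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { 'pid ' + $_.OwningProcess }
            InboundRule  = if ($allowed.Contains([int]$_.LocalPort)) { 'ALLOWED by port rule' }
                           else { 'no port rule (blocked by default)' }
        }
    } | Format-Table -AutoSize

# 3. Program-scoped rules that allow any port; check these by hand against
#    the Process column above, since they can expose a listener too.
"Enabled inbound Allow rules with LocalPort = Any:"
$anyPort | Sort-Object -Unique
```

Rules enabled only for a profile that is not currently active (for example a Domain rule on a host sitting on a Public network) are still listed as allowing the port, so read the profile table in step 0 alongside the result.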