Disclaimer: Your firewall settings may need to be different from what I will be suggesting here. You may have a router with a firewall or only your desktop software firewall. In either case it's important to know how to read your logs and understand what is connecting, when, where and why.
There are many resources online explaining ports and which applications use which ports by default.
I'll be talking about filtering your traffic via your firewall by port, by IP, or both.
The basic configuration of a firewall is to allow applications to communicate via the firewall without blocking them. But what happens when you don't know what application is assigned to a port? Well, you can do this two ways: look up the port online and reference the application assigned to it, or read your firewall logs.
I typically do both. I read firewall logs often to keep up on trends. Not what's the new fashion statement in California but rather what ports are being hit and who is doing it.
Let's review a few lines from a firewall to see what is happening.
Port 80 is a website. I can see from the logs that my local computer 192.168.0.2 connected to 68.x.x.x on port 80. That's a website for me and, from the firewall's point of view, harmless.
Port 3389 connection from 68.x.x.x means someone is connected or attempting to connect to my remote desktop service. Because this is inbound I know this isn't a safe IP address attempting to connect to my remote desktop.
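An added example, not part of the original post: the same reading of the log done by a short Python script that tallies inbound attempts by port and source address. It assumes the Windows Firewall pfirewall.log field layout and a 192.168.0.0/24 home network; the log lines and remote addresses are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.0.0/24")  # assumption: LAN around the page's 192.168.0.2
WATCHED_PORTS = {3389}                    # Remote Desktop, the port the page singles out

# Constructed sample, assuming the Windows Firewall pfirewall.log layout.
# Remote addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:14:02 ALLOW TCP 192.168.0.2 198.51.100.7 50122 80 0 - 0 0 0 - - - SEND
2024-05-01 09:15:40 DROP TCP 203.0.113.45 192.168.0.2 44021 3389 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:15:41 DROP TCP 203.0.113.45 192.168.0.2 44022 3389 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:16:05 DROP TCP 198.51.100.23 192.168.0.2 51515 3389 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:17:30 DROP TCP 203.0.113.45 192.168.0.2 44030 23 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:18:00 ALLOW UDP 192.168.0.10 192.168.0.2 137 137 78 - - - - - - - RECEIVE
2024-05-01 09:19:12 DROP TCP 203.0.113.45
"""

def parse(log_text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def inbound_hits(log_text):
    """Count inbound TCP/UDP attempts from outside the LAN per (port, source IP)."""
    hits = Counter()
    for rec in parse(log_text):
        if rec["path"] != "RECEIVE" or rec["protocol"] not in ("TCP", "UDP"):
            continue  # outbound traffic and ICMP carry no inbound port to tally
        if ip_address(rec["src-ip"]) in LOCAL_NET:
            continue  # machines on the local network are not the concern here
        hits[(int(rec["dst-port"]), rec["src-ip"])] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for (port, src), count in inbound_hits(SAMPLE_LOG):
        note = "  <-- watched port" if port in WATCHED_PORTS else ""
        print(f"port {port:<5} from {src:<15} attempts={count}{note}")
```

Point it at your own log text instead of SAMPLE_LOG and adjust LOCAL_NET to match your network.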
Now it would be a good idea to review how you use your computer. Do you connect to your computer from a remote location? If so, maybe you should change the 3389 port to something else like 3342 if you don't have anything running on that port. The key is not to have services sharing the same port on your computer. If you change the 3389 port you can then block the port. This would help keep connection attempts down if the 3389 port was not active.
IP address and Port Blocking
For some network administrators IP and Port blocking is very simple. In fact, it's not called IP and Port blocking; it's Allow By.
One of my servers runs a specific application that uses one IP and 2 ports. Because this application doesn't require a lot of support I have all IPs and all Ports closed or blocked and the two that are open are logged.
For other servers Port and IP blocking becomes more complicated. So we need to learn what we can do.
The thinking is "Less is Better" or, my personal favorite that I tell all my customers and friends, "When in Doubt, Block it Out." You can figure out later if your program stopped working at that moment. As a rule it's been safer to block it instead of guessing.
Today would be a good day to learn how to block your port 3389.
Let's get a few tools that come standard with your Windows computer.
From the Command Line Prompt: (cmd)
The syntax of this command is:
[ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
STATISTICS | STOP | TIME | USE | USER | VIEW ]
Proto Local Address Foreign Address State
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]
  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in  at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
  -e            Displays Ethernet statistics. This may be combined with the -s
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.