Solved

HTTP Port

Posted on 2002-03-18
257 Views
Last Modified: 2010-04-11
I want to clarify something on HTTP. I have a packet filtering type firewall. Any Internet traffic will have to go through the FW.
Does only the Web server need to open up port 80 for clients to access the Web server? The client itself doesn't need to open up port 80? The client will use a high port (>1023) to connect to the Web server.
Question by:kloh
Expert Comment

by:scraig84
Typically, that is correct.  Usually filtering is done on primarily an inbound basis.  Outbound packets are left for the most part unrestricted, and the replies that they generate are also left unfiltered.  It is typically only inbound access that needs to be specifically configured - in other words when you are hosting services such as web or mail servers.
Expert Comment

by:SteveJ
scraig84 is correct. For the purpose of hosting an HTTP based web service you would only allow inbound traffic destined for the HTTP port and block all other traffic. The client firewall (not hosting any web service but wanting web access) would only allow inbound traffic with an HTTP source port, that is, traffic coming from a web service.

This is slightly oversimplified in terms of firewalls and security.

Good luck.
Steve

Author Comment

by:kloh
To confirm: to access the Internet from a client, I don't need to open port 80 on my FW?
Expert Comment

by:pjknibbs
Now you're confusing the issue. Do you want to allow HTTP access from the Internet to an internal server, from an internal client to the Internet, or both?
Author Comment

by:kloh
To clarify:
assuming that I don't have any internal web server,
if a client needs to access the Internet, do I need to open port 80 on my FW?
Expert Comment

by:pjknibbs
You need to open port 80 outbound on the firewall. The returned data will be handled by the firewall without having to open any inbound ports.
Expert Comment

by:hangman
Port 80 is the inbound source for a web server. You do not need to have an inbound port open on 80 for the Internet to work on a client computer. It should be blocked.
Expert Comment

by:scraig84
What it really comes down to is how the firewall is configured out of the box.  Many firewalls, like Cisco's PIX, do not need any opening of outbound ports, as it assumes all traffic should be allowed in an outbound direction.  When I made my comments above, I said that this is "typical".  Yours could possibly be different, in which case you would need to open outbound port 80 for typical web traffic, plus port 443 for SSL traffic.  Some sites will also redirect you to other ports such as port 8080 etc.  FTP uses 21 and 20.  The list goes on.  Like I said though, it all depends on the firewall.


Expert Comment

by:SteveJ
kloh,

If you tell us the kind of firewall you have and as much about the architecture of the client then we can probably give you specific configuration data.

We are all giving you very general info:

If you are hosting a web service: open source port 80 inbound on your router.

If you are a client: open destination port 80 inbound on your router.

Good luck.
Steve
Expert Comment

by:ahoffmann
you need to configure your firewall as follows:

   your-IP:[1024..65534] -> 0.0.0.0:80 ALLOW
   your-IP:[1024..65534] <- 0.0.0.0:80 ALLOW

(where the second rule may be set automatically, depending on your firewall)
Author Comment

by:kloh
The FW I am using is Cyberguard; I don't know whether any of you have heard of it.
I am a bit confused now. I thought the client end accesses the Internet through high ports (>1023). Now there is talk of opening outbound port 80 on the FW.
Can anyone give me a clever explanation?
Thanks a lot.
Author Comment

by:kloh
Sorry, I mean a clearer explanation.
Expert Comment

by:pjknibbs
A browser accesses the Internet through port 80. The reply from the Internet almost certainly comes in on a port above 1024, but that's not relevant because a stateful firewall is clever enough to know it's just sent an outbound request and therefore a reply is due in a moment.

Almost all TCP clients use a fixed port to access the relevant service--FTP is port 21, SMTP mail is port 25, HTTP is port 80, etc.
Expert Comment

by:ahoffmann
> A browser accesses the Internet through port 80.
Usually no.
The browser uses a high port itself and connects to port 80 on the (remote) server. While this server responds on port 80 to the high port.
That's what I described in my rule.
Expert Comment

by:scraig84
All this talk of "on" and "through" a port - so confusing!

When a server runs an application such as a web service, it has to provide that service on a particular port.  This is so the server can distinguish which application should receive any given packet, since it is likely that many applications or services are running on the box.  The default port for a web server to open its services on is port 80.  Therefore, when a client needs to send a packet to a web server, as it is constructing the packet, it places port 80 in the destination TCP port field and randomly picks a port above 1023 (we'll say 2002 for example) and places this number in the source TCP port field of the packet.  When the web server receives this packet it will see port 80, and send it to the web server.  When the response will come back to the client, the numbers will be reversed - port 80 will now be the source TCP port and 2002 will be the destination.  The client seeing that 2002 is the destination will know that this is a response from the web server and will send it on to its browser for processing.  SO - for a firewall to allow this two-way communication, it needs to allow outbound to port 80 as well as replies back from the web server.  I will state again that most firewalls by default allow ALL outbound ports, because typically it is not considered a security risk to allow clients to access resources on the web.  By default a firewall will typically have ALL ports closed inbound (back towards the client), because the reverse is true from a security standpoint.  The exception is that the firewall keeps track of outbound session establishment and will allow the replies.  I am oversimplifying a bit, but I think that is necessary with the amount of gobbledygook that has been written above.  

What I am saying is TYPICAL, but not necessarily accurate based on your firewall.  In some way shape or form, the firewall needs to allow traffic to flow as I described.  I will say that I have never seen a firewall without a base set of instructions to set it up to allow basic client access and blocking of all inbound traffic - as this is the basic-set service a firewall should provide.

I hope that was a bit more clear!

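As an added example (not code from the thread), here is a toy packet filter in Python that contrasts the two rule styles discussed above: the stateless "allow inbound traffic with an HTTP source port" rule versus the stateful reply tracking scraig84 describes, applied to his 2002 -> 80 exchange, with ahoffmann's `[1024..65534] -> :80` rule as the outbound check. The Packet model and the host addresses are constructed for the example.

```python
from dataclasses import dataclass

HTTP_PORT = 80
EPHEMERAL_MIN = 1024  # client source ports are "above 1023" (thread)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out": client -> Internet, "in": Internet -> client

def outbound_ok(pkt):
    """ahoffmann's rule: your-IP:[1024..65534] -> any:80 ALLOW."""
    return pkt.dst_port == HTTP_PORT and pkt.src_port >= EPHEMERAL_MIN

class StatelessFilter:
    """Admits inbound packets by source port alone: 'inbound traffic with an
    HTTP source port'. Nothing ties the packet to a request the client sent."""
    def allow(self, pkt):
        return outbound_ok(pkt) if pkt.direction == "out" else pkt.src_port == HTTP_PORT

class StatefulFilter:
    """scraig84's description: remember each outbound session and admit an
    inbound packet only if it is the exact reverse of one of them."""
    def __init__(self):
        self.sessions = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            if not outbound_ok(pkt):
                return False
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions

def demo():
    """Verdicts (request, reply, unsolicited) per filter. Addresses are
    constructed from documentation ranges, not real hosts."""
    client, server, other = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    request = Packet(client, 2002, server, 80, "out")    # 2002 -> 80, as in the thread
    reply = Packet(server, 80, client, 2002, "in")       # 80 -> 2002, the genuine reply
    unsolicited = Packet(other, 80, client, 2002, "in")  # unrelated host using source port 80
    verdicts = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        verdicts[name] = (fw.allow(request), fw.allow(reply), fw.allow(unsolicited))
    return verdicts
```

The stateless filter passes all three packets, which is the oversimplification SteveJ conceded; the stateful one passes the request and its reply and drops the unrelated inbound packet.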

Expert Comment

by:SteveJ
Aha! scraig84 . . . I finally caught you. The ports above 1023 are not actually randomly picked on intel/windows systems. If you boot your computer and right away create an IP socket you'll see that the source port will be 1024 or very near there. This number increments every few milliseconds until it reaches 65535 and then rolls back to 1024.

Good luck kloh.

Steve
Accepted Solution

by:scraig84 (earned 100 total points)
Picky picky picky.  I knew that actually, but felt that was just too detailed for the subject (and more importantly - audience) at hand.  To most people, this would be random - I guess I could have said "deterministically" without going into any more detail.

Glad to know you're checking my work!  I'll have to be more careful next time - but now of course I'll be watching you as well :)
Author Comment

by:kloh
What a fun session :)
Thanks a lot to all, including those who confused me.
I increased the points and gave them to scraig84. Thanks.