Solved

HTTP Port

Posted on 2002-03-18
18
Medium Priority
264 Views
Last Modified: 2010-04-11
I want to clarify something on HTTP. I have a packet filtering type firewall. Any Internet traffic will have to go through the FW.
Only the Web server needs to open up port 80 for clients to access the Web server? The client itself doesn't need to open up port 80? The client will use a high port (>1023) to connect to the Web server.
0
Comment
Question by:kloh
18 Comments
 
LVL 8

Expert Comment

by:scraig84
ID: 6876634
Typically, that is correct.  Usually filtering is done on primarily an inbound basis.  Outbound packets are left for the most part unrestricted, and the replies that they generate are also left unfiltered.  It is typically only inbound access that needs to be specifically configured - in other words when you are hosting services such as web or mail servers.
0
 
LVL 16

Expert Comment

by:SteveJ
ID: 6878309
scraig84 is correct. For the purpose of hosting an HTTP based web service you would only allow inbound traffic destined for the HTTP port and block all other traffic. The client firewall (not hosting any web service but wanting web access) would only allow inbound traffic with an HTTP source port, that is, traffic coming from a web service.

This is slightly oversimplified in terms of firewalls and security.

Good luck.
Steve

0
 

Author Comment

by:kloh
ID: 6878731
To confirm: to access the Internet from a client, I don't need to open port 80 on my FW?
0
 
LVL 12

Expert Comment

by:pjknibbs
ID: 6879235
Now you're confusing the issue. Do you want to allow HTTP access from the Internet to an internal server, from an internal client to the Internet, or both?
0
 

Author Comment

by:kloh
ID: 6879284
To clarify:
assuming that I don't have any internal web server,
if a client needs to access the Internet, do I need to open port 80 on my FW?
0
 
LVL 12

Expert Comment

by:pjknibbs
ID: 6879578
You need to open port 80 outbound on the firewall. The returned data will be handled by the firewall without having to open any inbound ports.
0
 
LVL 2

Expert Comment

by:hangman
ID: 6879748
Port 80 is the inbound source for a web server. You do not need to have an inbound port open on 80 for the internet to work on a client computer. It should be blocked.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6879754
What it really comes down to is how the firewall is configured out of the box.  Many firewalls, like Cisco's PIX, do not need any opening of outbound ports, as it assumes all traffic should be allowed in an outbound direction.  When I made my comments above, I said that this is "typical".  Yours could possibly be different, in which case you would need to open outbound port 80 for typical web traffic, plus port 443 for SSL traffic.  Some sites will also redirect you to other ports such as port 8080 etc.  FTP uses 21 and 20.  The list goes on.  Like I said though, it all depends on the firewall.

0
 
LVL 16

Expert Comment

by:SteveJ
ID: 6880099
kloh,

If you tell us the kind of firewall you have and as much about the architecture of the client then we can probably give you specific configuration data.

We are all giving you very general info:

If you are hosting a web service: open source port 80 inbound on your router.

If you are a client: open destination port 80 inbound on your router.

Good luck.
Steve
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6880515
you need to configure your firewall as follows:

   your-IP:[1024..65534] -> 0.0.0.0:80 ALLOW
   your-IP:[1024..65534] <- 0.0.0.0:80 ALLOW

(where second rule may be set automatically depending on your firewall)
0
 

Author Comment

by:kloh
ID: 6881471
The FW I am using is Cyberguard; I don't know if any of you have heard of it.
I am a bit confused now. I thought the client end accesses the Internet through high ports (>1023). Now there is talk of opening outbound port 80 on the FW.
Can anyone give me a clever explanation?
Thanks a lot.
0
 

Author Comment

by:kloh
ID: 6881478
sorry, I mean clearer explanation.
0
 
LVL 12

Expert Comment

by:pjknibbs
ID: 6881991
A browser accesses the Internet through port 80. The reply from the Internet almost certainly comes in on a port above 1024, but that's not relevant because a stateful firewall is clever enough to know it's just sent an outbound request and therefore a reply is due in a moment.

Almost all TCP clients use a fixed port to access the relevant service--FTP is port 21, SMTP mail is port 25, HTTP is port 80, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6882185
> A browser accesses the Internet through port 80.
Usually no.
The browser uses a high port itself and connects to port 80 on the (remote) server. While this server responds on port 80 to the high port.
That's what I described in my rule.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6882452
All this talk of "on" and "through" a port - so confusing!

When a server runs an application such as a web service, it has to provide that service on a particular port.  This is so the server can distinguish which application should receive any given packet, since it is likely that many applications or services are running on the box.  The default port for a web server to open its services on is port 80.  Therefore, when a client needs to send a packet to a web server, as it is constructing the packet, it places port 80 in the destination TCP port field and randomly picks a port above 1023 (we'll say 2002 for example) and places this number in the source TCP port field of the packet.  When the web server receives this packet it will see port 80, and send it to the web server.  When the response will come back to the client, the numbers will be reversed - port 80 will now be the source TCP port and 2002 will be the destination.  The client seeing that 2002 is the destination will know that this is a response from the web server and will send it on to its browser for processing.  SO - for a firewall to allow this two-way communication, it needs to allow outbound to port 80 as well as replies back from the web server.  I will state again that most firewalls by default allow ALL outbound ports, because typically it is not considered a security risk to allow clients to access resources on the web.  By default a firewall will typically have ALL ports closed inbound (back towards the client), because the reverse is true from a security standpoint.  The exception is that the firewall keeps track of outbound session establishment and will allow the replies.  I am oversimplifying a bit, but I think that is necessary with the amount of gobbledygook that has been written above.  

What I am saying is TYPICAL, but not necessarily accurate based on your firewall.  In some way shape or form, the firewall needs to allow traffic to flow as I described.  I will say that I have never seen a firewall without a base set of instructions to set it up to allow basic client access and blocking of all inbound traffic - as this is the basic-set service a firewall should provide.

I hope that was a bit more clear!

0
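The port swap and the stateful reply handling scraig84 describes here, together with the two rules ahoffmann posted above, in a small simulation. This is an added example, not code from anyone in the thread and not the Cyberguard product's rule language; the IP addresses, port numbers and packet sequence are constructed, and the source-port allocator is a simplified model of the counter behaviour SteveJ mentions. It also shows why matching an inbound packet to a session the firewall let out is stricter than admitting any inbound packet just because its source port is 80.

```python
"""Toy stateful packet filter for the client-side web rules discussed above.

Constructed example: the addresses, ports and packet sequence are made up,
and the rule logic is a simplified model, not the Cyberguard product's syntax.
"""
from dataclasses import dataclass

CLIENT_IP = "192.0.2.10"            # stands in for "your-IP" in ahoffmann's rules
EPHEMERAL = range(1024, 65535)      # the [1024..65534] source-port range
ALLOWED_DST_PORTS = {80, 443}       # outbound HTTP, plus SSL as scraig84 mentions


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortAllocator:
    """Client-side source-port picker modelled on SteveJ's description:
    starts at 1024, counts up, rolls back to 1024 after 65535."""

    def __init__(self):
        self.next_port = 1024

    def allocate(self):
        port = self.next_port
        self.next_port = 1024 if port == 65535 else port + 1
        return port


class StatefulFilter:
    """Applies ahoffmann's two rules: outbound client high port -> any:80
    is allowed, and the matching reply is allowed because the firewall
    remembers the session it let out (the second rule 'set automatically')."""

    def __init__(self):
        self.sessions = set()   # (client_ip, client_port, server_ip, server_port)

    def decide(self, pkt, direction):
        if direction == "out":
            ok = (pkt.src_ip == CLIENT_IP
                  and pkt.src_port in EPHEMERAL
                  and pkt.dst_port in ALLOWED_DST_PORTS)
            if ok:
                # remember the 4-tuple so the reply can be matched later
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "ALLOW"
            return "DROP"
        # inbound: the reply has the ports reversed (80 is now the source,
        # 2002 the destination), so look it up with the tuple flipped back
        reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if reply_of in self.sessions else "DROP"


def run_demo():
    """Walk a constructed packet sequence through the filter; returns
    (label, decision) pairs so the outcome can be checked."""
    fw = StatefulFilter()
    server = "203.0.113.5"      # constructed remote web server
    stranger = "198.51.100.7"   # constructed unrelated Internet host
    steps = [
        ("client 2002 -> server 80 (request)", Packet(CLIENT_IP, 2002, server, 80), "out"),
        ("server 80 -> client 2002 (reply)", Packet(server, 80, CLIENT_IP, 2002), "in"),
        ("stranger 40000 -> client 80 (unsolicited)", Packet(stranger, 40000, CLIENT_IP, 80), "in"),
        ("server 80 -> client 3000 (no session)", Packet(server, 80, CLIENT_IP, 3000), "in"),
        ("client 2003 -> server 25 (not web)", Packet(CLIENT_IP, 2003, server, 25), "out"),
    ]
    return [(label, fw.decide(pkt, d)) for label, pkt, d in steps]


if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{decision:5}  {label}")
```

Only the first two packets pass: the request from the high port to port 80, and the reply whose ports are the mirror image of a session the filter recorded. An inbound packet to the client's port 80 is dropped, as is a packet with source port 80 that does not correspond to anything the client sent; nothing inbound has to be opened explicitly.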
 
LVL 16

Expert Comment

by:SteveJ
ID: 6882791
Aha! scraig84 . . . I finally caught you. The ports above 1023 are not actually randomly picked on intel/windows systems. If you boot your computer and right away create an IP socket you'll see that the source port will be 1024 or very near there. This number increments every few milliseconds until it reaches 65535 and then rolls back to 1024.

Good luck kloh.

Steve
0
 
LVL 8

Accepted Solution

by:
scraig84 earned 400 total points
ID: 6882827
Picky picky picky.  I knew that actually, but felt that was just too detailed for the subject (and more importantly - audience) at hand.  To most people, this would be random - I guess I could have said "deterministically" without going into any more detail.

Glad to know you're checking my work!  I'll have to be more careful next time - but now of course I'll be watching you as well :)
0
 

Author Comment

by:kloh
ID: 6884767
What a fun session :)
Thanks a lot to all, including those who confused me.
I increased the points and gave them to scraig84. Thanks.
0
