HTTP Port

Solved. Posted on 2002-03-18. Last Modified: 2010-04-11.
I want to clarify something on HTTP. I have a packet-filtering type firewall; any Internet traffic will have to go through the FW.
Only the Web server needs to open up port 80 for clients to access the Web server? The client itself doesn't need to open up port 80? The client will use a high port (>1023) to connect to the Web server.
Question by: kloh
18 Comments

Expert Comment by scraig84 (LVL 8), ID: 6876634
Typically, that is correct.  Usually filtering is done on primarily an inbound basis.  Outbound packets are left for the most part unrestricted, and the replies that they generate are also left unfiltered.  It is typically only inbound access that needs to be specifically configured - in other words when you are hosting services such as web or mail servers.

Expert Comment by SteveJ (LVL 16), ID: 6878309
scraig84 is correct. For the purpose of hosting an HTTP based web service you would only allow inbound traffic destined for the HTTP port and block all other traffic. The client firewall (not hosting any web service but wanting web access) would only allow inbound traffic with an HTTP source port, that is, traffic coming from a web service.

This is slightly oversimplified in terms of firewalls and security.

Good luck.
Steve


Author Comment by kloh, ID: 6878731
To confirm: to access the Internet from the client, I don't need to open port 80 on my FW?

Expert Comment by pjknibbs (LVL 12), ID: 6879235
Now you're confusing the issue. Do you want to allow HTTP access from the Internet to an internal server, from an internal client to the Internet, or both?

Author Comment by kloh, ID: 6879284
To clarify:
assuming that I don't have any internal web server,
if the client needs to access the Internet, do I need to open port 80 on my FW?

Expert Comment by pjknibbs (LVL 12), ID: 6879578
You need to open port 80 outbound on the firewall. The returned data will be handled by the firewall without having to open any inbound ports.

Expert Comment by hangman (LVL 2), ID: 6879748
Port 80 is the inbound source for a web server. You do not need to have an inbound port open on 80 for the Internet to work on a client computer. It should be blocked.

Expert Comment by scraig84 (LVL 8), ID: 6879754
What it really comes down to is how the firewall is configured out of the box.  Many firewalls, like Cisco's PIX, do not need any opening of outbound ports, as it assumes all traffic should be allowed in an outbound direction.  When I made my comments above, I said that this is "typical".  Yours could possibly be different, in which case you would need to open outbound port 80 for typical web traffic, plus port 443 for SSL traffic.  Some sites will also redirect you to other ports such as port 8080 etc.  FTP uses 21 and 20.  The list goes on.  Like I said though, it all depends on the firewall.

Expert Comment by SteveJ (LVL 16), ID: 6880099
kloh,

If you tell us the kind of firewall you have and as much about the architecture of the client then we can probably give you specific configuration data.

We are all giving you very general info:

If you are hosting a web service: open source port 80 inbound on your router.

If you are a client: open destination port 80 inbound on your router.

Good luck.
Steve

Expert Comment by ahoffmann (LVL 51), ID: 6880515
you need to configure your firewall as follows:

   your-IP:[1024..65534] -> 0.0.0.0:80 ALLOW
   your-IP:[1024..65534] <- 0.0.0.0:80 ALLOW

(where second rule may be set automatically depending on your firewall)

Author Comment by kloh, ID: 6881471
The FW I am using is Cyberguard; I don't know if any of you have heard of it.
I am a bit confused now. I thought the client end accesses the Internet through high ports (>1023). Now there is talk of opening outbound port 80 on the FW.
Can anyone give me a clever explanation?
Thanks a lot.

Author Comment by kloh, ID: 6881478
sorry, I mean clearer explanation.

Expert Comment by pjknibbs (LVL 12), ID: 6881991
A browser accesses the Internet through port 80. The reply from the Internet almost certainly comes in on a port above 1024, but that's not relevant because a stateful firewall is clever enough to know it's just sent an outbound request and therefore a reply is due in a moment.

Almost all TCP clients use a fixed port to access the relevant service--FTP is port 21, SMTP mail is port 25, HTTP is port 80, etc.

Expert Comment by ahoffmann (LVL 51), ID: 6882185
> A browser accesses the Internet through port 80.
Usually no.
The browser uses a high port itself and connects to port 80 on the (remote) server, while this server responds on port 80 to the high port.
That's what I described in my rule.

Expert Comment by scraig84 (LVL 8), ID: 6882452
All this talk of "on" and "through" a port - so confusing!

When a server runs an application such as a web service, it has to provide that service on a particular port.  This is so the server can distinguish which application should receive any given packet, since it is likely that many applications or services are running on the box.  The default port for a web server to open its services on is port 80.  Therefore, when a client needs to send a packet to a web server, as it is constructing the packet, it places port 80 in the destination TCP port field and randomly picks a port above 1023 (we'll say 2002 for example) and places this number in the source TCP port field of the packet.  When the web server receives this packet it will see port 80, and send it to the web server.  When the response will come back to the client, the numbers will be reversed - port 80 will now be the source TCP port and 2002 will be the destination.  The client seeing that 2002 is the destination will know that this is a response from the web server and will send it on to its browser for processing.  SO - for a firewall to allow this two-way communication, it needs to allow outbound to port 80 as well as replies back from the web server.  I will state again that most firewalls by default allow ALL outbound ports, because typically it is not considered a security risk to allow clients to access resources on the web.  By default a firewall will typically have ALL ports closed inbound (back towards the client), because the reverse is true from a security standpoint.  The exception is that the firewall keeps track of outbound session establishment and will allow the replies.  I am oversimplifying a bit, but I think that is necessary with the amount of gobbledygook that has been written above.  

What I am saying is TYPICAL, but not necessarily accurate based on your firewall.  In some way shape or form, the firewall needs to allow traffic to flow as I described.  I will say that I have never seen a firewall without a base set of instructions to set it up to allow basic client access and blocking of all inbound traffic - as this is the basic-set service a firewall should provide.

I hope that was a bit more clear!
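The packet flow scraig84 describes above, and the rule pair ahoffmann posted earlier (ephemeral source port to destination port 80 outbound, the reverse tuple inbound), can be made concrete with a small simulation. This is an added example, not code from the thread or from any firewall vendor; the addresses, the ephemeral port 2002 and the two filter classes are constructed for illustration. It also contrasts a stateless "allow inbound with source port 80" rule set with a stateful one: the remote host chooses its own source port, so a stateless rule keyed on source port 80 admits unsolicited traffic that a stateful filter rejects.

```python
# Added example: a toy stateless vs. stateful packet filter for the
# client-side HTTP case. Not code from the original thread; the addresses,
# the ephemeral port 2002 and the class names are constructed for illustration.
from dataclasses import dataclass

CLIENT = "192.0.2.10"     # constructed: host behind the firewall running a browser
WEB = "198.51.100.80"     # constructed: remote web server
OUTSIDER = "203.0.113.7"  # constructed: some other host on the Internet
EPHEMERAL = range(1024, 65536)  # the "high ports" the thread refers to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatelessFilter:
    """Rules applied packet by packet with no memory: outbound from a high
    port to destination port 80, inbound from source port 80 to a high port."""

    def allow(self, pkt: Packet, direction: str) -> bool:
        if direction == "out":
            return pkt.dport == 80 and pkt.sport in EPHEMERAL
        # Inbound: only the source port is checked, and the remote side
        # chooses its own source port, so this proves nothing about a reply.
        return pkt.sport == 80 and pkt.dport in EPHEMERAL


class StatefulFilter:
    """Remember each outbound session and admit an inbound packet only when
    it is the reverse of a session already seen."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet, direction: str) -> bool:
        if direction == "out":
            if pkt.dport == 80 and pkt.sport in EPHEMERAL:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # Inbound: the reply must match a tracked session with src/dst swapped.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenarios(fw) -> dict[str, bool]:
    """Push four packets through a filter and report each decision. Order
    matters for the stateful filter: the request must precede its reply."""
    request = Packet(CLIENT, 2002, WEB, 80)      # browser -> web server
    reply = Packet(WEB, 80, CLIENT, 2002)        # the server's response
    probe = Packet(OUTSIDER, 40000, CLIENT, 80)  # unsolicited hit on the client's port 80
    forged = Packet(OUTSIDER, 80, CLIENT, 2002)  # unsolicited, but sent from source port 80
    return {
        "client_request": fw.allow(request, "out"),
        "server_reply": fw.allow(reply, "in"),
        "unsolicited_to_port_80": fw.allow(probe, "in"),
        "unsolicited_from_port_80": fw.allow(forged, "in"),
    }


if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        print(name, run_scenarios(fw))
```

Both filters pass the browser's request and the server's reply and drop an unsolicited connection to port 80 on the client, which is the behaviour the thread is after. They differ on the last packet: the stateless filter accepts anything that merely claims source port 80, while the stateful filter rejects it because no outbound session to that host exists. On a Linux firewall the stateful version corresponds to accepting outbound TCP to port 80 in conntrack state NEW or ESTABLISHED and inbound traffic only in state ESTABLISHED, with a default inbound policy of DROP. A real connection tracker also checks TCP flags and sequence numbers and expires entries when a connection closes; the toy omits all of that.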


Expert Comment by SteveJ (LVL 16), ID: 6882791
Aha! scraig84 . . . I finally caught you. The ports above 1023 are not actually randomly picked on intel/windows systems. If you boot your computer and right away create an IP socket you'll see that the source port will be 1024 or very near there. This number increments every few milliseconds until it reaches 65535 and then rolls back to 1024.

Good luck kloh.

Steve

Accepted Solution by scraig84 (LVL 8), earned 400 total points, ID: 6882827
Picky picky picky.  I knew that actually, but felt that was just too detailed for the subject (and more importantly - audience) at hand.  To most people, this would be random - I guess I could have said "deterministically" without going into any more detail.

Glad to know you're checking my work!  I'll have to be more careful next time - but now of course I'll be watching you as well :)

Author Comment by kloh, ID: 6884767
What a fun session :)
Thanks a lot to all, including those who confused me.
I increased the points and gave them to scraig84. Thanks.