HTTP Port

kloh asked:

I want to clarify something on HTTP. I have a packet-filtering type firewall; any Internet traffic will have to go through the FW.
Only the Web server needs to open up port 80 for clients to access the Web server? The client itself doesn't need to open up port 80? The client will use a high port (>1023) to connect to the Web server.
scraig84:

Typically, that is correct. Usually filtering is done primarily on an inbound basis. Outbound packets are left for the most part unrestricted, and the replies that they generate are also left unfiltered. It is typically only inbound access that needs to be specifically configured - in other words, when you are hosting services such as web or mail servers.
Steve Jennings:
scraig84 is correct. For the purpose of hosting an HTTP based web service you would only allow inbound traffic destined for the HTTP port and block all other traffic. The client firewall (not hosting any web service but wanting web access) would only allow inbound traffic with an HTTP source port, that is, traffic coming from a web service.

This is slightly oversimplified in terms of firewalls and security.

Good luck.
Steve

kloh (ASKER):
To confirm: to access the Internet from a client, I don't need to open port 80 on my FW?
Now you're confusing the issue. Do you want to allow HTTP access from the Internet to an internal server, from an internal client to the Internet, or both?
kloh (ASKER):
To clarify:
assuming that I don't have any internal web server,
if a client needs to access the Internet, do I need to open port 80 on my FW?
You need to open port 80 outbound on the firewall. The returned data will be handled by the firewall without having to open any inbound ports.
Port 80 is the inbound source for a web server. You do not need to have an inbound port open on 80 for the Internet to work on a client computer. It should be blocked.
What it really comes down to is how the firewall is configured out of the box.  Many firewalls, like Cisco's PIX, do not need any opening of outbound ports, as it assumes all traffic should be allowed in an outbound direction.  When I made my comments above, I said that this is "typical".  Yours could possibly be different, in which case you would need to open outbound port 80 for typical web traffic, plus port 443 for SSL traffic.  Some sites will also redirect you to other ports such as port 8080 etc.  FTP uses 21 and 20.  The list goes on.  Like I said though, it all depends on the firewall.

kloh,

If you tell us the kind of firewall you have and as much about the architecture of the client then we can probably give you specific configuration data.

We are all giving you very general info:

If you are hosting a web service: open source port 80 inbound on your router.

If you are a client: open destination port 80 inbound on your router.

Good luck.
Steve
You need to configure your firewall as follows:

   your-IP:[1024..65534] -> 0.0.0.0:80 ALLOW
   your-IP:[1024..65534] <- 0.0.0.0:80 ALLOW

(where the second rule may be set automatically, depending on your firewall)
kloh (ASKER):
The FW I am using is Cyberguard; I don't know if any of you have heard of it.
I am a bit confused now. I thought the client end accesses the Internet through high ports (>1023). Now there is talk of opening outbound port 80 on the FW.
Can anyone give me a clever explanation?
Thanks a lot.
kloh (ASKER):
Sorry, I mean a clearer explanation.
A browser accesses the Internet through port 80. The reply from the Internet almost certainly comes in on a port above 1024, but that's not relevant because a stateful firewall is clever enough to know it's just sent an outbound request and therefore a reply is due in a moment.

Almost all TCP clients use a fixed port to access the relevant service--FTP is port 21, SMTP mail is port 25, HTTP is port 80, etc.
> A browser accesses the Internet through port 80.
Usually no.
The browser uses a high port itself and connects to port 80 on the (remote) server. While this server responds on port 80 to the high port.
That's what I described in my rule.
All this talk of "on" and "through" a port - so confusing!

When a server runs an application such as a web service, it has to provide that service on a particular port. This is so the server can distinguish which application should receive any given packet, since it is likely that many applications or services are running on the box. The default port for a web server to open its services on is port 80. Therefore, when a client needs to send a packet to a web server, as it is constructing the packet, it places port 80 in the destination TCP port field and randomly picks a port above 1023 (we'll say 2002 for example) and places this number in the source TCP port field of the packet. When the web server receives this packet it will see port 80 and send it to the web server. When the response comes back to the client, the numbers will be reversed: port 80 will now be the source TCP port and 2002 will be the destination. The client, seeing that 2002 is the destination, will know that this is a response from the web server and will send it on to its browser for processing. SO, for a firewall to allow this two-way communication, it needs to allow outbound to port 80 as well as replies back from the web server. I will state again that most firewalls by default allow ALL outbound ports, because typically it is not considered a security risk to allow clients to access resources on the web. By default a firewall will typically have ALL ports closed inbound (back towards the client), because the reverse is true from a security standpoint. The exception is that the firewall keeps track of outbound session establishment and will allow the replies. I am oversimplifying a bit, but I think that is necessary with the amount of gobbledygook that has been written above.

What I am saying is TYPICAL, but not necessarily accurate based on your firewall.  In some way shape or form, the firewall needs to allow traffic to flow as I described.  I will say that I have never seen a firewall without a base set of instructions to set it up to allow basic client access and blocking of all inbound traffic - as this is the basic-set service a firewall should provide.

I hope that was a bit more clear!
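The following is an added example, not code from the original thread or from any of its participants. It models the two things discussed above: the two-rule configuration posted earlier (`your-IP:[1024..65534] -> 0.0.0.0:80 ALLOW` and its reverse) on a plain packet filter, and the single outbound rule on a stateful filter that scraig84 describes, where the reply on 80 -> 2002 is accepted because the filter remembers the 2002 -> 80 request. The addresses, the 2002 source port, the attacker address and the rule format are assumptions made for the demonstration; the second half of the example also goes slightly beyond the thread by sending an unsolicited packet that merely claims source port 80, to show what the static reverse rule lets through and the stateful one does not.

```python
"""Added example (not from the thread): a small model of the packet filter
under discussion.  Plays the exchange described above (client 2002 -> 80,
reply 80 -> 2002) through a stateless two-rule policy and a stateful
one-rule policy.  All addresses, ports and the rule format are assumptions."""
from dataclasses import dataclass
from typing import Tuple

CLIENT_IP = "192.0.2.10"     # assumed client address (TEST-NET-1)
SERVER_IP = "198.51.100.80"  # assumed web server address (TEST-NET-2)
ATTACKER_IP = "203.0.113.7"  # assumed unrelated Internet host (TEST-NET-3)
ANY = "0.0.0.0"              # wildcard, as written in the posted rule
EPHEMERAL = (1024, 65534)    # high source-port range from the posted rule


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str                 # "out" (client -> Internet) or "in"
    local_ports: Tuple[int, int]   # inclusive range for the client-side port
    remote_ip: str                 # ANY or one specific address
    remote_port: int               # port on the Internet side
    action: str = "allow"

    def matches(self, direction: str, pkt: Packet) -> bool:
        if direction != self.direction:
            return False
        if direction == "out":   # local side is the source of the packet
            local_port, remote_ip, remote_port = pkt.src_port, pkt.dst_ip, pkt.dst_port
        else:                    # local side is the destination of the packet
            local_port, remote_ip, remote_port = pkt.dst_port, pkt.src_ip, pkt.src_port
        lo, hi = self.local_ports
        return (lo <= local_port <= hi
                and self.remote_ip in (ANY, remote_ip)
                and self.remote_port == remote_port)


class PacketFilter:
    """Default-deny filter.  With stateful=True an inbound packet whose
    4-tuple is the exact reverse of an allowed outbound packet is treated
    as a reply and accepted without consulting the inbound rules."""

    def __init__(self, rules, stateful: bool):
        self.rules = list(rules)
        self.stateful = stateful
        self.sessions = set()   # (src_ip, src_port, dst_ip, dst_port) allowed outbound

    def decide(self, direction: str, pkt: Packet) -> str:
        if direction == "in" and self.stateful:
            if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
                return "allow:reply"
        for rule in self.rules:
            if rule.matches(direction, pkt):
                if rule.action == "allow" and direction == "out":
                    self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return rule.action
        return "deny"   # nothing matched: closed


def static_policy() -> PacketFilter:
    """The two posted rules on a filter with no session tracking."""
    return PacketFilter([
        Rule("out", EPHEMERAL, ANY, 80),   # your-IP:[1024..65534] -> 0.0.0.0:80 ALLOW
        Rule("in",  EPHEMERAL, ANY, 80),   # your-IP:[1024..65534] <- 0.0.0.0:80 ALLOW
    ], stateful=False)


def stateful_policy() -> PacketFilter:
    """Only the outbound rule; replies are matched against session state."""
    return PacketFilter([Rule("out", EPHEMERAL, ANY, 80)], stateful=True)


def browse(fw: PacketFilter, client_port: int = 2002):
    """The exchange from the thread: request 2002 -> 80, reply 80 -> 2002."""
    request = Packet(CLIENT_IP, client_port, SERVER_IP, 80)
    reply = Packet(SERVER_IP, 80, CLIENT_IP, client_port)
    return fw.decide("out", request), fw.decide("in", reply)


def unsolicited(fw: PacketFilter):
    """Two packets the client never asked for: a connection to the client's
    own port 80, and a packet that merely claims source port 80 aimed at a
    high port (the shape of a reply, without any request behind it)."""
    to_client_80 = Packet(ATTACKER_IP, 40000, CLIENT_IP, 80)
    fake_reply = Packet(ATTACKER_IP, 80, CLIENT_IP, 2002)
    return fw.decide("in", to_client_80), fw.decide("in", fake_reply)


if __name__ == "__main__":
    for name, fw in (("static", static_policy()), ("stateful", stateful_policy())):
        print(name, "browse:", browse(fw), "unsolicited:", unsolicited(fw))
```

Both policies let the browsing exchange through and both block an inbound connection to the client's port 80, which is the point the thread settles on. They differ on the last packet: the static reverse rule accepts anything with source port 80 bound for a high port, whereas the stateful filter accepts a packet from port 80 only when it reverses a request it has already seen leave.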

Aha! scraig84 . . . I finally caught you. The ports above 1023 are not actually randomly picked on Intel/Windows systems. If you boot your computer and right away create an IP socket you'll see that the source port will be 1024 or very near there. This number increments every few milliseconds until it reaches 65535 and then rolls back to 1024.

Good luck kloh.

Steve
ASKER CERTIFIED SOLUTION (scraig84):
kloh (ASKER):
What a fun session :)
Thanks a lot to all, including those who confused me.
I increased the points and gave them to scraig84. Thanks.