hypercube asked:

Opening Ports

Just when I think I know how things work, something comes along that raises questions that I can't answer for myself!

I have sites with firewalls that have NO ports open - at least not that I know of by intent.  Penetration tests go very smoothly, etc.

Now I have a "trusted" service provider that will put a machine in one of our sites.  They have asked for:
Port 80
Port 443
Port 5033
To be "opened" "both ways".
(In the end, the machine will be supporting a VPN.  So why might these particular ports be needed anyway?)

I'm not sure I know what this means exactly (or that they do either).
So, I'm reluctant to do anything to enable this machine until I have a better "model" in my head.

My understanding is that all of these ports, if tacked onto an outgoing address, will generally go OUT just fine from a typical site configuration.  So outgoing is "open" in that sense.
My understanding is that these ports by themselves if tacked onto an incoming packet won't work without more information.
In fact, it's meaningless to say that "port 80" is "open" without more information.  Right?

But, if I were to do port forwarding of port 80 (tacked onto our internet-facing public address) to 192.168.1.22 port 33 (or even to 192.168.1.22 port 80)  then that would allow certain incoming traffic to that one host and I guess someone might say that "port 80 is open"??

I'm not looking for a "how to" here!  
I'm looking for a framework of understanding.  
I suspect there's some "shorthand" that's crept into our language that's confusing me.
Dave Baldwin:

The standard Windows firewall is 'permissive' for outgoing connections, meaning any outgoing requests are always allowed.  The Windows firewall only blocks incoming connections until you 'open' a port.  Third party firewalls can be set up to block or allow both incoming and outgoing connections.  The standard Linux 'iptables' firewall normally controls both directions.

Port forwarding on the router has no effect on the firewalls on the individual computers.  The router and firewall appliances are ahead of the computers on the LAN  but they are separate.
I am assuming that this is TCP, rather than UDP.

A lot of people get confused with "In and Out" in this context. Whenever a client machine makes a connection to a web server somewhere, it creates an "Outbound" connection. Of course, data flows in both directions. A good analogy is making a phone call; if you call OUT, normally both participants can talk.

If you have incoming ports opened on your firewall, then you need to map those ports somewhere. Usually port 80 and 443 would be mapped to a web server inside of your network. If you don't have users out on the 'net connecting to a web server, then there is no need to open incoming ports.

Port 5033 is far less common, I don't know what you may be using that for.
A port is open IFF:
1) Your router maps the port to a host; AND
2) The firewall on that host doesn't block incoming traffic on that port; AND
3) You have a LISTENER on that port, i.e. a program on that host waiting to read input on that port

EXAMPLE:
A web server (PORT 80) is directed (by your router) to your host 192.168.1.10 and you have a web server waiting to respond and running on that host...

MAKE SENSE?
hypercube (asker):

Thanks.  It all makes sense and there are really no surprises - which is good for me because I guess I did understand most of it.

It's good to point out the differences in various firewalls.
I'm used to the Windows firewall model - which doesn't apply in this case but is nonetheless relevant to the discussion.
I'm also familiar with the Juniper Networks firewall model(s) which I believe are more like the Linux example.

The description of router mapping a port to a host as a necessity clarifies.

My main concern is security and what downside might exist by making these port mappings.  Since the machine performs a very narrow function over a VPN I don't imagine much risk.  But, I thought I'd ask...

Taking another tack:
If an incoming port is "open" in a router/firewall, in the sense that a port is mapped to an inside host/port then:
1) The inside host then takes the security role - for whatever that's worth.  The router/firewall may do something useful but passes destined packets on nonetheless.
2) If the "listener" responds in some way then that's as it must be intended.

What I don't quite get is how the ports are visible if there's a VPN involved.... particularly 80.

Maybe another way to frame the discussion is this?

A "port" is nothing more than an extension to an address like 101 Main St == IP Address and Apt. 3A == Port.  
Consider how a NAT router works in concert with computers on the LAN and applications running on those computers.
How does the router know how to route return packets to a computer?  It assigns a port number / address extension.
How does the router know how to route return packets to an application on a particular computer?  Same thing.
In fact, it may be hard or unusual for the computer/application to be separated and I can but imagine that the same port number applies to their combination.

Considering this perspective then, the app/computer provides a port number and the responding incoming packets use it like an address book entry to reach their destination.

Given this: there are all manner of "ports" that are opened at any instant.  This is why stateful packet inspection is important.  "If you didn't call (ask for a response) then you shouldn't answer" and should ignore anything directed to your address .. like (you'd like) spam would be.
But if there's a need for incoming communication that's initiated outside then there has to be a way to allow it.
This must be where assigned familiar ports come in ... something like that?

I'd be very interested in comments / reactions because this is a "seat of the pants" viewpoint.
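To pin down the two ideas in this thread so far (n2fc's three conditions for a port being "open", and the "if you didn't call, don't answer" rule of stateful inspection), here is an added Python model that is not from the thread or any vendor; the router, hosts, addresses, mappings and rules are all constructed for illustration, and the router is assumed to keep the inside source port unchanged.

```python
# Added example: toy edge router + inside host, to show why "port 80 is open"
# needs all three of n2fc's conditions, and why stateful inspection lets replies
# back in with no port forward at all. Every address/port/rule here is constructed.
from dataclasses import dataclass, field

@dataclass
class Edge:
    """NAT router: passes replies to outbound flows, or packets hitting a forward."""
    public_ip: str
    forwards: dict                            # public port -> (inside host, inside port)
    flows: set = field(default_factory=set)   # (inside host, sport, remote, rport)

    def outbound(self, host, sport, remote, rport):
        # Simplification: the inside source port is not rewritten by the NAT.
        self.flows.add((host, sport, remote, rport))

    def inbound(self, src, sport, dport):
        """Where a packet to public_ip:dport is delivered inside, or None if dropped."""
        for host, isport, remote, rport in self.flows:   # 1) reply to our own request
            if (src, sport, dport) == (remote, rport, isport):
                return host, isport
        if dport in self.forwards:                       # 2) explicit port mapping
            return self.forwards[dport]
        return None                                      # 3) unsolicited: dropped

@dataclass
class Host:
    allowed_in: set     # host firewall exceptions for unsolicited traffic
    listeners: set      # ports a program is actually waiting on

    def answers(self, port):
        return port in self.allowed_in and port in self.listeners

def port_is_open(edge, hosts, public_port):
    """n2fc's definition: mapped AND host firewall allows AND a listener exists."""
    target = edge.inbound("192.0.2.9", 40000, public_port)   # a stranger's SYN
    return target is not None and hosts[target[0]].answers(target[1])

# Constructed site: 80 fully set up, 443 mapped but nothing listening, 5033 unmapped.
EDGE = Edge("203.0.113.1", {80: ("192.168.1.10", 80), 443: ("192.168.1.22", 443)})
HOSTS = {"192.168.1.10": Host({80}, {80}),
         "192.168.1.22": Host({443}, set()),
         "192.168.1.50": Host(set(), set())}

def demo():
    EDGE.outbound("192.168.1.50", 51000, "198.51.100.7", 443)  # a browser calls out
    return {"80 open": port_is_open(EDGE, HOSTS, 80),
            "443 open": port_is_open(EDGE, HOSTS, 443),
            "5033 open": port_is_open(EDGE, HOSTS, 5033),
            "reply delivered": EDGE.inbound("198.51.100.7", 443, 51000),
            "stranger to 51000": EDGE.inbound("192.0.2.9", 443, 51000)}

if __name__ == "__main__":
    print(demo())
```

The reply to the browser's outbound connection reaches 192.168.1.50 with no forward configured, while a stranger sending to the same port is dropped, which is the stateful-inspection point; 443 is "mapped" yet still not open because nothing listens on the inside host.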
n2fc's description above of an open port is exactly right.  Windows firewall looks for responses to packets that were sent.  Other firewalls may do that also but they may also control connections in both directions.

A VPN over port 80 is an outgoing connection to the VPN provider's web service.  It operates similar to a web browser in that regard.

One of the primary purposes of a firewall is to block unwanted incoming requests.  For desired requests, the port must be open as described above.
Dave Baldwin:  Thanks!
A VPN over port 80 is an outgoing connection to the VPN provider's web service.  It operates similar to a web browser in that regard.
So I'd not think that an edge router/firewall would have to have port 80 open in any special way in that all sorts of devices on the subnet would be accessing web services.  No??  So asking that port 80 be open is likely an overkill / make certain / kind of requirement?  Does that make sense?
And would that not also apply to port 443?
I was trying to decipher the instructions that say:
Port 80 both ways.
Port 443 both ways.

n2fc:  If you say:
The edge router directs INCOMING traffic on a port (like 80 or 443) to a particular host...
then it seems you'd want to say "how it does that".  Otherwise it doesn't make much sense to me.
But maybe my sentence was poorly structured as the "not" part comes near the beginning.
So I might have said:
I'd think that an edge router/firewall would *not* have to have port 80 open in any special way in that all sorts of devices on the subnet would be accessing web services already.  No??
Interesting.  It seems there's a bit of misunderstanding.

I took a look at a popular router with firewall capabilities.
It has "access rules".
You can create an access rule that applies to a port or a range of ports.
You can specify the source interface LAN or WAN.
You can specify the range of source IP addresses.
You can specify the range of destination IP addresses.
... and a few other things like scheduling.

In my mind this is much different than port forwarding.  It's permissive and not directive in that context.
More information:

We have a number of RV042 routers in service.  They allow "access rules" in the firewall to open a port and allow it to access a range of IP addresses - such as the full subnet.
Yet, when I look at the simulators for more recent Cisco small business routers, they appear to ONLY provide rules that allow access to single IP addresses on the LAN subnet.
That is a huge difference!!  One can but wonder why this change in approach?

Today I have a new requirement which is to allow guests on our guest network to use their VPN clients.  This requires a set of ports (much like those I started with above) to be open "both ways".  Note I said "guests" plural.  I don't want to have to assign IP addresses to each and every guest nor to write firewall rules for each and every one of those.  And, at that, what does one normally do when there are multiple targets on the LAN for a port?  (Example, 2 or 3 kids running online games).  So, the RV042 approach seems ideal.

Or, am I being too broad with my interpretation of needs for VPN client operation?
noci:

Qlemo is mostly right...
5033 is commonly used for AVAST Manager, Siemens Building Controllers and whatever else might claim ownership of the service.
And it is by no means usual that ALL outgoing ports are open, esp. in a stateful firewall this can be more fine-grained.
It is very often the EASY way to configure FW's, just to cut a few corners of the actual work of MANAGING connections.
In a serious deployment outgoing connections need to be considered as well, possibly involving proxies to enforce rules on content as well as directions.
For what it's worth, TCP port 5033 has been registered by and assigned (along with TCP 5034) to Janstor Technology, according to IANA/ICANN.
See
http://www.iana.org/assignments/service-names-port-numbers
Qlemo:  Thanks for the nice outline!  It should clear up some of the bad information here.  And, I learned something about SPI relative to ports.
Thanks all!