Firewall & Ports

Soldato - Joined 10 Mar 2003 - Posts 6,790
Hi,

I'm just trying to get my head around something.

Essentially:

Firewall port 80 open

Now I know that when I hit port 80 the source port from a client PC is actually a random port due to the fact that I know it uses a random port to stop collisions. So source port might be 50000 or such like. I'm looking into why this works when only port 80 is open - does it tag the packet (like VLAN)? I'm sure I have some videos on this but my mind has gone completely blank.

If someone has a diagram of the packets both ways that would be great.


M.
 
Correct - that's the bit that's fine in my head.

Say I have a http web server.

So I allow port 80 on my browser and port 80 on the webserver. Is that enough ports to allow as I know it's going to be randomised outgoing on the client. Or do I need to allow all of the high ports on the client?



M.
 
That's fine - I'm wondering about outbound from the webserver and inbound on the client.

Assume from the webserver it's just port 80 but what about the client?



M.
 
It depends what services the web server is running, such as SSL and HTTPS.
It could be going through 443 or others. Adjusting outgoing firewall rules is a VERY hard task because a lot of it isn't predictable. The outbound port will be 80 for a standard web server though, but the destination port will be specified by the client.

The inbound for the client will be the same as the outbound, made up randomly so as not to interfere with other applications.
 
Judging by what you're asking:

Modern firewalls are stateful, which is why this works. After an inbound connection is received, an entry is placed in the state table indicating the connection has come through. This is then monitored and all return traffic in that session is permitted automatically (for that session only). In essence, a temporary return rule is added at the top of the outbound access list.

That's a very basic overview but should explain

- GP

Edit - adding in an example:

Client to server - From 55.55.55.10:45678 to 66.66.66.10:80

This hits the rule on the firewall as it will be configured (usually for a webserver) to just allow to port 80 with no other restrictions. If this traffic matches, which it does, then an entry is added to the state table and a pseudo-rule added in the outbound access list:

Server to client - 66.66.66.10:80 to 55.55.55.10:45678

Note of course this example doesn't take into account NAT or any other services running on the firewall, and that this is really just an example. It isn't exactly like this in real operation, but it demonstrates the idea well enough.
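To make the state-table behaviour in the post above concrete, here is a toy stateful packet filter written as an added example (it is not code from the thread or from any firewall product). It uses the post's constructed addresses and ports (55.55.55.10:45678 to 66.66.66.10:80) and models two firewalls: the server side allows only new inbound connections to port 80, and the client side allows only new outbound connections to port 80. Neither side has a rule for the client's random high port; the reply gets through purely because the original packet left an entry in the state table, and an unsolicited packet to a different high port is dropped. The rule format, state table and direction labels are hypothetical simplifications (no NAT, no TCP flag or timeout tracking).

```python
"""Toy stateful packet filter (constructed example, not a real firewall)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# A flow is identified by the 5-tuple (proto, src_ip, src_port, dst_ip, dst_port).
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def key(self) -> FlowKey:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self) -> FlowKey:
        # The 5-tuple of the reply traffic for this packet's flow.
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    """Static rules are (direction, dst_port) pairs that admit NEW flows.

    Every admitted flow is recorded in the state table, so its return
    traffic is permitted without any rule for the client's random port.
    """

    def __init__(self, allow: Set[Tuple[str, int]]):
        self.allow = allow                  # e.g. {("inbound", 80)}
        self.state: Set[FlowKey] = set()    # hypothetical state table

    def filter(self, direction: str, pkt: Packet) -> str:
        # 1. Reply traffic for a flow already in the state table is permitted.
        if pkt.reverse_key() in self.state:
            return "allow-established"
        # 2. Further packets in the original direction of a known flow too.
        if pkt.key() in self.state:
            return "allow-established"
        # 3. Anything else is a new flow and must match a static rule;
        #    if it does, the flow is added to the state table.
        if pkt.proto == "tcp" and (direction, pkt.dst_port) in self.allow:
            self.state.add(pkt.key())
            return "allow-new"
        return "drop"


def demo() -> List[str]:
    """Walk the post's exchange through a server-side and a client-side firewall."""
    client, server = "55.55.55.10", "66.66.66.10"   # addresses from the post
    server_fw = StatefulFirewall({("inbound", 80)})  # only port 80 open inbound
    client_fw = StatefulFirewall({("outbound", 80)}) # only port 80 open outbound

    request = Packet(client, 45678, server, 80)      # client -> server
    reply = Packet(server, 80, client, 45678)        # server -> client
    unsolicited = Packet(server, 80, client, 50001)  # no matching state entry

    return [
        client_fw.filter("outbound", request),      # allow-new (rule hit, state added)
        server_fw.filter("inbound", request),       # allow-new (rule hit, state added)
        server_fw.filter("outbound", reply),        # allow-established (no rule needed)
        client_fw.filter("inbound", reply),         # allow-established (high port never opened)
        client_fw.filter("inbound", unsolicited),   # drop
        server_fw.filter("outbound", unsolicited),  # drop
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two "drop" verdicts at the end are the point of the thread: leaving the client's high ports closed costs nothing, because the only packets that need to arrive there are replies to flows the firewall has already seen.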