Port 80 - TCP-IP


Thread: Port 80

  1. Port 80

    I'm a little confused about how a web browser gets through a router/
    firewall. And how port 80 is secure if it's "open". I've seen little
    Java apps and programs like Bomgar ( www.bomgar.com ) that use port 80
    to get around router/firewall restrictions and to allow RDP sessions.

    My guess is your web browser uses random ports to contact the webserver,
    which is on port 80. The webserver then sends back to the random
    port... ? But isn't that random port blocked by the firewall/router?
    I'm confused about this

    I assume all the little remote desktop apps are doing something
    similar, encapsulating their stuff in http.... ? So then can't viruses
    etc do the same thing?


    Any info would be greatly appreciated

    Thanks



  2. Re: Port 80

    On May 22, 7:02 pm, Dennis wrote:
    > I'm a little confused about how a web browser gets through a router/
    > firewall. And how port 80 is secure if it's "open". I've seen little
    > Java apps and programs like Bomgar (www.bomgar.com) that use port 80
    > to get around router/firewall restrictions and to allow RDP sessions.
    >
    > My guess is your web browser uses random ports to contact the webserver,
    > which is on port 80. The webserver then sends back to the random
    > port... ? But isn't that random port blocked by the firewall/router?
    > I'm confused about this
    >
    > I assume all the little remote desktop apps are doing something
    > similar, encapsulating their stuff in http.... ? So then can't viruses
    > etc do the same thing?



    HTTP connections all use TCP. Most packet filtering firewalls track
    the entire connection, so if a connection was established from an
    (internal) client at 1.2.3.4:1234 to the (external) web server at
    80.1.2.3:80, the firewall will know to let the packets headed to the
    client pass, since each IP packet will have all four pieces of that
    data. FWIW, it is exactly those four pieces (source IP, source port,
    target IP, target port) that identify a TCP connection.

  3. Re: Port 80

    On May 22, 9:11 pm, "robertwess...@yahoo.com"
    wrote:
    > On May 22, 7:02 pm, Dennis wrote:
    >
    > > I'm a little confused about how a web browser gets through a router/
    > > firewall. And how port 80 is secure if it's "open". I've seen little
    > > Java apps and programs like Bomgar (www.bomgar.com) that use port 80
    > > to get around router/firewall restrictions and to allow RDP sessions.
    >
    > > My guess is your web browser uses random ports to contact the webserver,
    > > which is on port 80. The webserver then sends back to the random
    > > port... ? But isn't that random port blocked by the firewall/router?
    > > I'm confused about this
    >
    > > I assume all the little remote desktop apps are doing something
    > > similar, encapsulating their stuff in http.... ? So then can't viruses
    > > etc do the same thing?
    >
    > HTTP connections all use TCP. Most packet filtering firewalls track
    > the entire connection, so if a connection was established from an
    > (internal) client at 1.2.3.4:1234 to the (external) web server at
    > 80.1.2.3:80, the firewall will know to let the packets headed to the
    > client pass, since each IP packet will have all four pieces of that
    > data. FWIW, it is exactly those four pieces (source IP, source port,
    > target IP, target port) that identify a TCP connection.


    Okay tell me if I'm understanding you: you're saying my computer is
    sending outwards on port 1234 and my router & firewall "will know to
    let the packets headed (back) to the client pass"... ?

    A few more questions:

    1) For how long will it keep port 1234 "open"?
    2) Is it "vulnerable" during that time?
    3) Will it only respond to the 80.1.2.3 site it originally talked to?





  4. Re: Port 80

    Dennis wrote:
    > I'm a little confused about how a web browser gets through a router/
    > firewall. And how port 80 is secure if it's "open". I've seen little
    > Java apps and programs like Bomgar ( www.bomgar.com ) that use port 80
    > to get around router/firewall restrictions and to allow RDP sessions.
    >
    > My guess is your web browser uses random ports to contact the webserver,
    > which is on port 80. The webserver then sends back to the random
    > port... ? But isn't that random port blocked by the firewall/router?
    > I'm confused about this
    >
    > I assume all the little remote desktop apps are doing something
    > similar, encapsulating their stuff in http.... ? So then can't viruses
    > etc do the same thing?
    >
    >
    > Any info would be greatly appreciated
    >
    > Thanks
    >
    >


    A simple firewall does little more than open a hole (e.g.: destination
    port 80) in the firewall, and provision a return path for returning packets.

    Other applications (non-HTTP) may be tunneled through the open port.

    A more competent firewall can inspect outbound traffic to ensure that it
    is legitimate HTTP traffic by examining the commands that are passed,
    and ensuring that they comply with the HTTP standard(s). A competent
    firewall can determine whether the traffic is IM, P2P, or some other
    traffic being tunneled through port 80. You would then configure an
    action to be taken when these are identified (drop packet, reset
    connection, allow to pass, etc.).

    Not all firewalls are created equal. You get what you pay for.

    Best Regards,
    News Reader
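
    The protocol-compliance check this reply describes, as an added example that is not part of the original post: it labels the first bytes a client sends to port 80 and maps the label to one of the actions the post lists. The policy table, the sample payloads and the assumption that the firewall has already reassembled the start of the stream are constructed for illustration.

```python
import re

TOKEN = rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# Request line: method SP request-target SP HTTP-version (HTTP/1.x only).
REQUEST_LINE = re.compile(TOKEN + rb" [\x21-\x7e]+ HTTP/1\.[01]")
# Header field: token ":" value, with no control bytes other than tab.
HEADER_LINE = re.compile(TOKEN + rb":[^\x00-\x08\x0a-\x1f\x7f]*")

# Hypothetical policy; the actions are the ones named in the post.
POLICY = {"http": "allow", "tls": "reset", "ssh": "drop", "unknown": "drop"}

def classify(payload: bytes) -> str:
    """Label the reassembled first bytes a client sent to TCP port 80."""
    if payload.startswith(b"SSH-"):
        return "ssh"                      # SSH identification string
    if payload[:2] == b"\x16\x03":
        return "tls"                      # TLS handshake record header
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return "unknown"                  # no complete HTTP header block
    lines = head.split(b"\r\n")
    if REQUEST_LINE.fullmatch(lines[0]) and all(
            HEADER_LINE.fullmatch(line) for line in lines[1:]):
        return "http"
    return "unknown"

def action_for(payload: bytes) -> str:
    return POLICY[classify(payload)]

# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "ssh":     b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls":     b"\x16\x03\x01\x00\x05hello",
    "binary":  b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00",
    "bad_hdr": b"GET / HTTP/1.1\r\nno colon here\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8} -> {classify(data):8} -> {action_for(data)}")
```

    A syntax check like this only separates HTTP from non-HTTP; traffic wrapped in well-formed HTTP requests passes it, which is why the inspecting firewalls described above also look at what the requests carry.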

  5. Re: Port 80

    Dennis wrote:
    > On May 22, 9:11 pm, "robertwess...@yahoo.com"
    > wrote:
    >> On May 22, 7:02 pm, Dennis wrote:
    >>
    >>> I'm a little confused about how a web browser gets through a router/
    >>> firewall. And how port 80 is secure if it's "open". I've seen little
    >>> Java apps and programs like Bomgar (www.bomgar.com) that use port 80
    >>> to get around router/firewall restrictions and to allow RDP sessions.
    >>> My guess is your web browser uses random ports to contact the webserver,
    >>> which is on port 80. The webserver then sends back to the random
    >>> port... ? But isn't that random port blocked by the firewall/router?
    >>> I'm confused about this
    >>> I assume all the little remote desktop apps are doing something
    >>> similar, encapsulating their stuff in http.... ? So then can't viruses
    >>> etc do the same thing?

    >> HTTP connections all use TCP. Most packet filtering firewalls track
    >> the entire connection, so if a connection was established from an
    >> (internal) client at 1.2.3.4:1234 to the (external) web server at
    >> 80.1.2.3:80, the firewall will know to let the packets headed to the
    >> client pass, since each IP packet will have all four pieces of that
    >> data. FWIW, it is exactly those four pieces (source IP, source port,
    >> target IP, target port) that identify a TCP connection.

    >
    > Okay tell me if I'm understanding you: you're saying my computer is
    > sending outwards on port 1234 and my router & firewall "will know to
    > let the packets headed (back) to the client pass"... ?


    A port is opened on your client to facilitate the TCP connection to the
    server. With HTTP, this client port will be >1023. The server will have
    an open port (TCP 80) on which it is listening for connections.

    The packet(s) sent by the client has a TCP source port >1023, and a TCP
    destination port of 80. The firewall is configured to permit traffic
    sent to TCP port 80 and therefore permits the outbound connection. The
    firewall anticipates a response from the server and recognizes the
    return traffic based on the IP addresses and port numbers in the
    returning traffic. Packets sent by the server have a TCP source port of
    80, and a TCP destination port >1023 (matching the port used by the client).

    >
    > A few more questions:
    >
    > 1) For how long will it keep port 1234 "open"?


    Forget port 1234. When a TCP connection is initiated by the client it
    passes through the open hole in the firewall (destination port 80). The
    firewall tracks connection initiation and is anticipating a response
    from the server. If the server does not respond within a short period of
    time (configurable, or defaults), the connection info will be purged. It
    is undesirable for the firewall to tie up its resources with half-open
    connections.

    A TCP connection requires a three-way handshake between the two hosts.

    > 2) Is it "vulnerable" during that time?


    When the client and server tear down the TCP connection, session
    information will be purged by the Firewall.

    > 3) Will it only respond to the 80.1.2.3 site it originally talked to?
    >


    If you are referring to a NAT router/Firewall, connections can not be
    initiated from the outside unless you have configured it to do so (port
    forwarding).

    The traffic from the server was permitted because the connection
    initiation occurred on the inside interface.

    Best Regards,
    News Reader

  6. Re: Port 80

    On May 22, 8:52 pm, Dennis wrote:
    > On May 22, 9:11 pm, "robertwess...@yahoo.com"
    > wrote:
    > > On May 22, 7:02 pm, Dennis wrote:
    >
    > > > I'm a little confused about how a web browser gets through a router/
    > > > firewall. And how port 80 is secure if it's "open". I've seen little
    > > > Java apps and programs like Bomgar (www.bomgar.com) that use port 80
    > > > to get around router/firewall restrictions and to allow RDP sessions.
    >
    > > > My guess is your web browser uses random ports to contact the webserver,
    > > > which is on port 80. The webserver then sends back to the random
    > > > port... ? But isn't that random port blocked by the firewall/router?
    > > > I'm confused about this
    >
    > > > I assume all the little remote desktop apps are doing something
    > > > similar, encapsulating their stuff in http.... ? So then can't viruses
    > > > etc do the same thing?
    >
    > > HTTP connections all use TCP. Most packet filtering firewalls track
    > > the entire connection, so if a connection was established from an
    > > (internal) client at 1.2.3.4:1234 to the (external) web server at
    > > 80.1.2.3:80, the firewall will know to let the packets headed to the
    > > client pass, since each IP packet will have all four pieces of that
    > > data. FWIW, it is exactly those four pieces (source IP, source port,
    > > target IP, target port) that identify a TCP connection.
    >
    > Okay tell me if I'm understanding you: you're saying my computer is
    > sending outwards on port 1234 and my router & firewall "will know to
    > let the packets headed (back) to the client pass"... ?
    >
    > A few more questions:
    >
    > 1) For how long will it keep port 1234 "open"?
    > 2) Is it "vulnerable" during that time?
    > 3) Will it only respond to the 80.1.2.3 site it originally talked to?



    Port 1234 isn't really open - it's only that connection with that set
    of internal and external IP addresses and ports that's "open." The
    firewall sees the internal host establish the connection (an outgoing
    TCP SYN packet with those four parameters), and then can identify the
    subsequent packets for that connection based on those four parameters
    (since those will be in each packet, with the sending and receiving
    fields swapped depending on which direction the packet is flowing).

    Usually the firewall will keep the connection open so long as there's
    traffic flowing, and some sort of timeout applies if the connection is
    idle (IOW established, but with no data flowing). That can
    occasionally cause problems for applications that open TCP connections
    and leave them idle for long periods. When the connection is shut
    down by the client or server, the firewall will typically close the
    hole (usually at least some exceptions are made so that some
    additional FIN or RST packets can get through so that both sides can
    shut down cleanly even if there needs to be a retransmission during
    the shutdown process).

    If someone spoofs a packet as being from the external IP address and
    port, and sends it to the internal IP address and port during the
    interval that the firewall has the connection open, it will be passed
    by many firewalls, and if it's something the internal host responds to
    badly, that can be a problem.

    Note that there are other firewalling techniques, like proxying, which
    works rather differently.

  7. Re: Port 80

    On May 22, 6:52 pm, Dennis wrote:

    > A few more questions:
    >
    > 1) For how long will it keep port 1234 "open"?


    It doesn't open port 1234.

    > 2) Is it "vulnerable" during that time?
    > 3) Will it only respond to the 80.1.2.3 site it originally talked to?


    Your questions make no sense. If the firewall is stateful (that is, it
    remembers connections) it will allow through packets that are part of
    this connection. If the firewall is stateless, it will allow through
    packets that are to or from the web server's port 80.

    DS
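
    The stateful and stateless behaviour contrasted in this reply, together with the four-parameter tracking, idle timeout and teardown described in the reply before it, as an added example that is not part of the original thread. The 300-second timeout, the helper names and the third-party address are assumptions; the client and server addresses are the ones used in the thread.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 300.0  # assumed value in seconds; real firewalls make this configurable

@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}
    inbound: bool       # True when it arrives on the outside interface

def stateless_allows(pkt):
    """Static rule pair: anything out to port 80, anything in from port 80."""
    return pkt.src[1] == 80 if pkt.inbound else pkt.dst[1] == 80

class StatefulFirewall:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.table = {}  # (internal endpoint, external endpoint) -> time last seen

    def allows(self, pkt, now):
        # Purge connections that have been idle longer than the timeout.
        self.table = {k: t for k, t in self.table.items()
                      if now - t <= self.idle_timeout}
        # Same key in both directions: the address fields are simply swapped.
        key = (pkt.dst, pkt.src) if pkt.inbound else (pkt.src, pkt.dst)
        if key not in self.table:
            # Only an outbound SYN to port 80 may create state.
            opening = (not pkt.inbound and pkt.dst[1] == 80
                       and "SYN" in pkt.flags and "ACK" not in pkt.flags)
            if opening:
                self.table[key] = now
            return opening
        if pkt.flags & {"FIN", "RST"}:
            # Simplification: drop state on the first FIN/RST. Real firewalls
            # keep it briefly so retransmitted teardown packets still pass.
            del self.table[key]
        else:
            self.table[key] = now
        return True

def pkt(src, dst, flags, inbound):
    """Build a Packet from a flag string such as "SYN+ACK"."""
    return Packet(src, dst, frozenset(flags.split("+")), inbound)

CLIENT, SERVER = ("1.2.3.4", 1234), ("80.1.2.3", 80)   # addresses from the thread
OTHER = ("203.0.113.9", 80)                             # constructed third party
```

    An inbound packet from `OTHER` to `CLIENT` is rejected by `StatefulFirewall.allows` because no table entry matches it, while `stateless_allows` accepts it on the strength of its source port alone.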
