Re: Do most firewall setups allow HTTP traffic through on any port?

From: ClareOldie (ClareOldie_at_nowhere.ie)
Date: 12/12/03


Date: Fri, 12 Dec 2003 16:46:43 -0000


Jim Hubbard wrote:
> Do firewalls care if you connect to an HTTP server on port 80 or
> will they typically allow connections via HTTP on any port?
>
> If this is a configuration issue, do most admins allow HTTP
> traffic outgoing to any port or do they restrict outgoing HTTP
> traffic to port 80?
>
> Thanks.
It is my understanding that almost all firewalls are configured to connect
to remote port 80 HTTP for browsing and disallow other port use for browsing
except maybe for 443 HTTPS.

If the connection request from the client goes out from say port 1024 to
server port 80 then the firewall should only accept a reply from server port
80 to local port 1024.

> Option 1 : I can write a webserver that handles HTTP requests on a single
> port (80) in rapid succession. However, this severely limits the
> scalability and maximum simultaneous clients of the webserver.

I wouldn't have thought the limitation to be severe. See below.

> Option 2 : I can also write one that takes the incoming requests on port 80
> and assigns each one to a daemon that actually accepts the request and
> communicates with the client. This solution would mean that the daemon
> communicating with the client is not necessarily on port 80 of the webserver but
> still the same IP. This maximizes scalability and allows for the maximum
> number of simultaneous clients on the webserver.

It is not normal for web servers to hand off the connection to another port.
The firewall will check the incoming headers for the correct address:port
number. If these do not agree with where the request was sent, the return is
ignored.
Maybe you could 'spoof' the port number <G>

And this from Wadester in a different thread:
 "What I don't get is why it needs to do this. A server listening to a TCP
port should be able to handle ~64000 connections from a single address.
Anyone expecting that much volume is going to have a server farm anyway. Why
the added complexity of passing off connections to ephemeral ports?"

Just a further thought - other types of connections I am told do use this
scheme but not HTTP.
?FTP?

Regards,
Seán
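The two mechanisms discussed in this thread, the stateful reply matching Seán describes (a reply is only accepted from server port 80 back to the client port that sent the request) and Wadester's point that a single listening port handles many connections without handing them off, shown as an added Python example. This is not code from the thread or from any firewall or web server; the IP addresses and ports are constructed sample values from the RFC 5737 documentation ranges, and `StatefulFilter` is a deliberately simplified model of the behaviour described, not any product's implementation.

```python
import socket

# Constructed sample flow: client 192.0.2.10 connects from port 1024
# to web server 198.51.100.5 on port 80 (documentation addresses).

class StatefulFilter:
    """Toy model of a stateful firewall: remembers outbound connections
    as 4-tuples and admits only replies that reverse a remembered tuple."""

    def __init__(self):
        self.state = set()  # (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Record a connection the inside client initiated."""
        self.state.add((src_ip, src_port, dst_ip, dst_port))

    def inbound_allowed(self, src_ip, src_port, dst_ip, dst_port):
        """Allow an inbound packet only if it is the exact reverse of a
        recorded flow: same server address and port, same client port."""
        return (dst_ip, dst_port, src_ip, src_port) in self.state


def demo_filter():
    fw = StatefulFilter()
    fw.outbound("192.0.2.10", 1024, "198.51.100.5", 80)
    return {
        # reply from server port 80 to the client port that asked: passes
        "reply_from_80": fw.inbound_allowed("198.51.100.5", 80, "192.0.2.10", 1024),
        # same server, but answering from a different port: dropped
        "reply_from_other_port": fw.inbound_allowed("198.51.100.5", 56399, "192.0.2.10", 1024),
        # unsolicited packet from some other host claiming port 80: dropped
        "unsolicited": fw.inbound_allowed("203.0.113.9", 80, "192.0.2.10", 1024),
    }


def accepted_socket_ports(n_clients=3):
    """Open a listening socket on localhost, connect several clients, and
    report (server-side local port, client ephemeral port) for each accepted
    connection. Every accepted socket keeps the listening port; the client's
    ephemeral port is what distinguishes the connections, so no hand-off to
    another server port is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # let the OS pick a free port
    srv.listen(n_clients)
    listen_port = srv.getsockname()[1]

    clients = [socket.create_connection(("127.0.0.1", listen_port))
               for _ in range(n_clients)]

    accepted = []
    for _ in range(n_clients):
        conn, peer = srv.accept()
        accepted.append((conn.getsockname()[1], peer[1]))
        conn.close()
    for c in clients:
        c.close()
    srv.close()
    return listen_port, accepted


if __name__ == "__main__":
    print(demo_filter())
    listen_port, accepted = accepted_socket_ports()
    print("listening on", listen_port)
    for server_port, client_port in accepted:
        print(f"accepted: server port {server_port} <- client port {client_port}")
```

Running it shows the filter admitting only the reply that reverses the recorded 4-tuple, and every accepted connection reporting the same server-side port as the listening socket, which is why a web server scales by accepting many connections on port 80 rather than by moving clients to other ports.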


