Re: Do most firewall setups allow HTTP traffic through on any port?
From: Jim Hubbard (valid_at_email.address)
Date: 12/12/03
- Next message: Thomas Hertel: "Re: What to do about attacks?"
- Previous message: Zenner: "Re: secure remote and contivity client"
- In reply to: ClareOldie: "Re: Do most firewall setups allow HTTP traffic through on any port?"
- Next in thread: ClareOldie: "Re: Do most firewall setups allow HTTP traffic through on any port?"
- Reply: ClareOldie: "Re: Do most firewall setups allow HTTP traffic through on any port?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Dec 2003 16:22:58 -0500
Thanks for your thoughts!
Does FTP do hand-off to other ports?
Jim
"ClareOldie" <ClareOldie@nowhere.ie> wrote in message
news:UjmCb.487$HR.1649@news.indigo.ie...
>
>
> Jim Hubbard wrote:
> > Do firewalls care if you connect to an HTTP server on port 80 or
> > will they typically allow connections via HTTP on any port?
> >
> > If this is a configuration issue, do most admins allow HTTP
> > traffic outgoing to any port or do they restrict outgoing HTTP
> > traffic to port 80?
> >
> > Thanks.
> It is my understanding that almost all firewalls are configured to connect
> to remote port 80 HTTP for browsing and disallow other port use for browsing
> except maybe for 443 HTTPS.
>
> If the connection request from the client goes out from say port 1024 to
> server port 80 then the firewall should only accept a reply from server port
> 80 to local port 1024.
>
> Option 1 : I can write a webserver that handles HTTP requests on a single
> port (80) in rapid succession. However, this severely limits the
> scalability and maximum simultaneous clients of the webserver.
>
> I wouldn't have thought the limitation to be severe. See below.
>
> Option 2 : I can also write one that takes the incoming requests on port 80
> and assigns each one to a daemon that actually accepts the request and
> communicates with the client. This solution would mean that the daemon
> communicating with the client is not necessarily on port 80 of the webserver but
> still the same IP. This maximizes scalability and allows for the maximum
> number of simultaneous clients on the webserver.
>
> It is not normal for web servers to hand off the connection to another port.
> The firewall will check the incoming headers for the correct address:Port
> number.
> If these do not agree with where the request was sent the return is ignored.
> Maybe you could 'spoof' the port number <G>
>
> And this from Wadester in a different thread:
> "What I don't get is why it needs to do this. A server listening to a TCP
> port should be able to handle ~64000 connections from a single address.
> Anyone expecting that much volume is going to have a server farm anyway. Why
> the added complexity of passing off connections to ephemeral ports?"
>
> Just a further thought - other types of connections I am told do use this
> scheme but not HTTP.
> ?FTP?
>
> Regards,
> Seán
>
>
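The point made in the quoted reply, that a stateful firewall admits a return packet only if it mirrors the outbound flow it recorded, so a server daemon answering from some other port never gets through, can be shown with a small model of a connection table. This is an added example, not code from the thread; the firewall class, packet layout and the RFC 5737 documentation addresses are all constructed for illustration. It also shows why "Option 2" is unnecessary: a second connection from another client port to the same server port 80 is a distinct flow of its own.

```python
"""Model of a stateful firewall's connection table (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for a connection-opening SYN


class StatefulFirewall:
    """Permits outbound connections only to the listed remote ports and
    admits inbound packets only when they match an established flow."""

    def __init__(self, allowed_remote_ports=(80, 443)):
        self.allowed = set(allowed_remote_ports)
        self.table = set()   # recorded flows: (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, p: Packet) -> bool:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.table:
            return True                      # already part of an established flow
        if p.syn and p.dst_port in self.allowed:
            self.table.add(key)              # record the new flow
            return True
        return False

    def inbound(self, p: Packet) -> bool:
        # A reply is admitted only if it exactly mirrors a recorded outbound flow,
        # i.e. the remote host answers from the very port the client sent to.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.table


def demo():
    fw = StatefulFirewall()
    client, server = "192.0.2.10", "198.51.100.20"   # constructed addresses
    r = {}
    # Browser opens local port 1024 -> server port 80; reply from port 80 passes.
    r["open_80"] = fw.outbound(Packet(client, 1024, server, 80, syn=True))
    r["reply_from_80"] = fw.inbound(Packet(server, 80, client, 1024))
    # "Option 2": a daemon answers from another port -> no matching flow, dropped.
    r["reply_from_8080"] = fw.inbound(Packet(server, 8080, client, 1024))
    # HTTP to a non-standard remote port is refused when the connection opens.
    r["open_8080"] = fw.outbound(Packet(client, 1025, server, 8080, syn=True))
    # A second client port to the same server port 80 is a separate flow,
    # so one listening port serves many simultaneous clients without hand-off.
    r["open_80_again"] = fw.outbound(Packet(client, 1026, server, 80, syn=True))
    r["reply_to_1026"] = fw.inbound(Packet(server, 80, client, 1026))
    r["flows"] = len(fw.table)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```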