Re: port numbers need

From: Gary K (dabigfinndog@icqmail.com)
Date: 12/24/02


From: "Gary K" <dabigfinndog@icqmail.com>
Date: Tue, 24 Dec 2002 08:43:34 -0800


Karl,

Thanks for the reply.

I put a packet sniffer on my machine, connected to WU and my source port
ranged from 3109 to 3141 for that whole session. I actually downloaded an
update. What happened during the liveupdate session, though, was that the
connection I had changed from one IP address to another one in a completely
different block of addresses, i.e. 207.xxx.xxx.xxx to 65.xxx.xxx.xxx. At
first I thought that was from a popup ad or something, but there aren't any
of those on the WU site. I ran a trace on both addresses and both netblocks
belonged to Microsoft, so my assumption is that both IPs were involved in
the connection, scanning, and downloading that takes place in the
downloading of an update. Both IPs had a fair share of the "volume" of
the traffic. My download was pretty small so it was hard to tell exactly
which IP address the download came from. If I had downloaded something like
a service pack it might have been much easier to tell.

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:e1vjBN2qCHA.1132@TK2MSFTNGP12...
> I haven't checked into it too closely, but all I'm seeing using NETSTAT -AN
> is TCP connections from me:>1024 to microsoft:80
>
> I have a gut feeling that if Windows Update didn't work with non-stateful
> filtering like Windows 2000 TCP/IP Filtering, we'd have heard about it a
> while ago.
>
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:uoHTDK2qCHA.2488@TK2MSFTNGP12...
> > Yes. This could be an issue. But you just have to make sure your rules
> > and/or packet filtering technology allows for such a thing. While one of
> > the ports on those packets will be a high ephemeral port, the other port
> > would always be TCP 80, which can help identify what the packet is and
> > permit it through. Also, certain TCP flags such as SYN and ACK could help
> > try to identify the direction / state of the packet / socket and whether it
> > should be permitted.
> >
> > Note that if this was the problem, all web browsing would be blocked, not
> > just Windows Update. This person probably wouldn't even be able to get to
> > www.windowsupdate.com. The first thing I would suspect is that TCP 80 is not
> > being used by WU, and without having documentation on WU, the next thing I
> > would do is want to log the traffic using a firewall or sniffer to see
> > exactly what is going on.
> >
> >
> > "Gary K" <dabigfinndog@icqmail.com> wrote in message
> > news:#QXbJnsqCHA.2148@TK2MSFTNGP09...
> > > Karl,
> > >
> > > Just for my own info. Wouldn't the WU return connection be one of the ports
> > > above 1025, and be random each time as it is accessed via http?
> > >
> > > That seems to be my conclusion after looking at the output from my packet
> > > sniffer. The source port varies not only each time I connect to WU, but
> > > even during the same session it will vary depending on what each session
> > > seems to be doing. The connection is actually made to a couple of different
> > > servers. In this case the only way to get a return behind a firewall even
> > > is one that does stateful packet inspection--a firewall that keeps track of
> > > TCP connections.
> > > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > > news:u#R47frqCHA.1964@TK2MSFTNGP09...
> > > >
> > > > "josh" <joshk@directairnet.com> wrote in message
> > > > news:001f01c2aab4$97222df0$d7f82ecf@TK2MSFTNGXA14...
> > > > > I've started IP packet filtering on my Windows 2000
> > > > > server, but now I can't scan for Windows updates on any of
> > > > > my systems behind the filters. What I need to know is what
> > > > > ports Windows Update uses. The message I get is "no updates
> > > > > are available for your computer". Please help me if you can.
> > > > > Thank you for your time.
> > > >
> > > > Try disabling packet filtering and using a sniffer, or really you should
> > > > use a real firewall that includes logging so that you can check the logs.
> > > > Unless you're somewhat expert at IP, you'll run into this problem again as
> > > > long as you have no logs.
> > > >
> > > > http://securityadmin.info/faq.htm#firewall
> > > > http://securityadmin.info/faq.htm#sniffer
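As an added illustration (not part of the thread), here is a small Python model of the three filtering approaches discussed above: destination-port-only filtering in the style of Windows 2000 TCP/IP Filtering, Karl's stateless rule on source port 80 plus the ACK flag, and the stateful connection tracking Gary describes. All addresses, ports and packets are constructed; 198.51.100.80 and 203.0.113.80 stand in for the two Microsoft-owned addresses Gary saw.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    inbound: bool   # True = arriving from the Internet side of the filter
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK

ME = "192.168.1.10"                            # constructed address of the WU client
WU_A, WU_B = "198.51.100.80", "203.0.113.80"   # stand-ins for the 207.x and 65.x servers
OTHER = "192.0.2.66"                           # constructed host the client never contacted

# Constructed trace of a WU session: ephemeral ports 3109/3110 to two different
# servers on TCP 80, followed by one unsolicited inbound packet from TCP 80.
SESSION = [
    Pkt(False, ME, 3109, WU_A, 80, "S"),
    Pkt(True,  WU_A, 80, ME, 3109, "SA"),
    Pkt(False, ME, 3109, WU_A, 80, "A"),
    Pkt(False, ME, 3110, WU_B, 80, "S"),
    Pkt(True,  WU_B, 80, ME, 3110, "SA"),
    Pkt(True,  OTHER, 80, ME, 3141, "A"),      # never requested by ME
]

def filter_dport_only(pkts, allowed=frozenset({80})):
    """Windows 2000 TCP/IP Filtering style: inbound TCP passes only if its
    destination port is on the permit list. Replies to ephemeral ports never match."""
    return [(not p.inbound) or p.dport in allowed for p in pkts]

def filter_flags(pkts):
    """Stateless 'established' rule: inbound passes if it comes from TCP 80 and
    has ACK set (a bare inbound SYN is refused). Direction is inferred, not tracked."""
    return [(not p.inbound) or (p.sport == 80 and "A" in p.flags) for p in pkts]

def filter_stateful(pkts):
    """Stateful inspection: remember the 4-tuple of each outbound SYN and admit
    an inbound packet only if it belongs to a connection this host opened."""
    table, verdicts = set(), []
    for p in pkts:
        if not p.inbound:
            if "S" in p.flags:
                table.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append(True)
        else:
            verdicts.append((p.dst, p.dport, p.src, p.sport) in table)
    return verdicts

if __name__ == "__main__":
    for f in (filter_dport_only, filter_flags, filter_stateful):
        print(f"{f.__name__:18}", ["pass" if v else "DROP" for v in f(SESSION)])
```

With destination-port-only filtering every reply is dropped, which matches the "no updates are available" symptom in the original question; the flag rule lets the session through but also admits the unsolicited packet, which only the stateful table refuses.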

