Allow all traffic on set ports?

Posted by Anonymous User 
Anonymous User
Allow all traffic on set ports?
December 29, 2009 07:40AM
Is it possible to have PeerBlock allow traffic on set ports? For example, I would like PeerBlock to allow all traffic on ports 30033, 9987 and 1011. I'm running a TS3 server and every now and then I get someone trying to connect who's connecting from a blocked IP. I'm not always around to catch it if a person's having an issue like that. I also run uTorrent on my server so I can turn my main machine off when not using it.
Re: Allow all traffic on set ports?
December 29, 2009 07:59AM
Heya wardave.

I think you're talking about Issue #22 which is being tracked here (link: [code.google.com] ). If you're interested in this feature, you should Star this issue. Stars are used to tell how interested the community is in seeing a certain feature, so that people at PeerBlock may use these numbers as a prioritizing method when planning what to do next. No guarantees of course, but they generally prioritize the things that the community would like to see most.
Re: Allow all traffic on set ports?
December 29, 2009 07:34PM
Yep, we actually have a first "draft" of a fix for that issue ready for test by our Internal Test Team (thanks, night_stalker_z!), as soon as I generate a new Test Release.  The next Beta Release should include it, once some of the changes we've put in lately have a chance to stabilize.

        ---  Mark  ---




Lead developer of PeerBlock
Anonymous User
Re: Allow all traffic on set ports?
January 06, 2010 03:51AM
The only thing I am interested in is the ability to allow all ports unless a specified port is used to or from the computer. I am not interested in the ability to set specific ports to be allowed, I am interested in allowing ALL traffic EXCEPT for those that have specified ports used to or from my machine. Those few exceptions would be blocked if the ip address connecting to or from my system falls within the blocked lists, and all other connections that do not use the specified ports would be allowed regardless of the block lists.

I am requesting an allow all but specified used ports option.

I at first did not think that this would be useful with the program uTorrent, since the program by default uses any available port to make outgoing connections, but an option exists inside of uTorrent to restrict outgoing connections to use specified outgoing ports that can be the same as the specified incoming ports. And since it is a simple matter to detect what ports are being used, I see no reason why PeerBlock can not be made to allow all traffic unless specific targeted ports or a range of ports are used.

This ability would finally make this program somewhat useful to me for once without crippling almost every other internet application I use. I would no longer need to always allow http ports or add allow exceptions to use other applications on the internet.

Please make this dream a reality, soon if possible.



Edited 2 time(s). Last edit at 02/10/2010 02:03PM by BigRedBrent.
Re: Allow all traffic on set ports?
January 06, 2010 04:31AM
You could use this feature to set an allow rule in PeerBlock for all ports, to allow all traffic on these ports, and then manually remove the allow rule for an individual port. According to wiki (link: [en.wikipedia.org] ), there are 65535 ports.

Regarding uTorrent: the moment you're connected to any tracker, not only your uTorrent port number but also your IP has been given out. There is a chance that some may try to connect to your IP via a different port. This is probably why no one has thought about your suggested feature before.
Anonymous User
Re: Allow all traffic on set ports?
January 06, 2010 06:01AM
The thing is that I have it set up now so that a single port must be used to either connect to me or to be used when connecting to anyone even if I am connecting to a different external port. The internally used port is still always the same. This is an option within the advanced settings of utorrent.

So no matter what, that port will show up in either the source or destination log. And since this is the case it should not be too difficult to add some way to have PeerBlock only block addresses if specified ports are used for either the source or destination.

I did think of this once before, but I did not know about the ability to restrict the used port for the outgoing connection in utorrent. I have again brought this up because I have discovered that it is 100% feasible now and would work very well.

Since I set utorrent to use a single port for outgoing connections, I have so far not discovered a single connection to or from my utorrent application that has not used the specified port in at least the source or destination. Even if connecting to a different destination port, the source port is still always connecting to the destination port using the specified port.



Edited 2 time(s). Last edit at 01/06/2010 06:14AM by BigRedBrent.
Re: Allow all traffic on set ports?
January 06, 2010 08:17AM
Hi BigRedBrent,

The new port blocking feature should let you allow all traffic on all but one specific port.

This is a very new feature to PeerBlock, and of course still has a few kinks in it, so it will be a little way off; perhaps a month or so.

Check out the link mentioned by Tippy earlier in this thread [code.google.com] . I'll quote him:


Tippy Wrote:
-------------------------------------------------------

> I think you're talking about Issue #22 which is
> being tracked here (link:
> [code.google.com] ).
> If you're interested in this feature, you
> should Star this issue. Stars are used to tell how
> interested the community is to see certain feature
> so that people at PeerBlock may use these numbers
> as prioritizing method when planning on what to do
> next. No guarantees of course, but they generally
> prioritize things what the community like to see
> most.

One thing Tippy didn't mention: you will also receive a notification when anything related to this issue happens. For example, when it is released for public testing, you will be notified.

I hope that clears things up for you,

Cheers!
Anonymous User
Re: Allow all traffic on set ports?
January 06, 2010 02:28PM
hoodadilly Wrote:
-------------------------------------------------------
> Hi BigRedBrent,
>
> The new port blocking feature should let you allow
> all traffic on all but one specific port.


I am more interested in the ability to have a specific list that would target specific ports to be always filtered no matter what if it is detected in the source or destination.

So if this ability will allow you to set specific ports to be allowed, will you then be able to set specific ports to always be filtered no matter what, even if one of the ports used may be in the allowed list?

This is a very important distinction, because if it can not do this, then it is useless to me.

Because if you allow all ports but one, wouldn't that port still not get filtered if it is the source port and a different outgoing destination port is in the allowed ports list?

The only way I can think of to get around this is to allow all ports and then have a separate blocking port list that would look for ports in both the destination and source to make sure those used ports are always being filtered.



Edited 1 time(s). Last edit at 01/06/2010 03:01PM by BigRedBrent.
Re: Allow all traffic on set ports?
January 06, 2010 04:34PM
Hey BigRedBrent, just a quick question regarding uTorrent: do you download any illegals? It's OK if you do, some of us do. I bring this up because if you do download illegals and only use one port, the chances are higher for getting caught, but if you select "randomize port upon each start of utorrent" in the settings it uses a different port each time you start uTorrent, thus making it harder for people monitoring you. I don't know if you knew; I didn't, and someone told me, and I thought I'd tell you in case you didn't. If you don't download illegals then disregard this post.
Anonymous User
Re: Allow all traffic on set ports?
January 06, 2010 09:16PM
brandonjm8 Wrote:
-------------------------------------------------------
> hey bigredbrent, just a quick question regarding
> utorrent, do you download any illegals? its ok if
> you do, some of us do, i bring this up because if
> you do download illegals and only use one port the
> chances are higher for getting caught, but say if
> you selected "randomize port upon each start of
> utorrent" in the settings it uses a different port
> each time you start utorrent thus making it harder
> for people monitoring you, i dont know if you knew
> i didnt and someone told me and thought id tell
> you in case you didnt, if you dont download
> illegals then disregard this post.

Regardless, only a certain range of ports are delegated, and it would be nice to only and always have those ports filtered, even if they are used in conjunction with ports that are allowed. It is not difficult to detect peer to peer activity anyway, even if more than one port is used. The main reason you may want to randomize them is so that port throttling or blocking does not become an issue from an ISP that actively tries to limit such behavior.
Re: Allow all traffic on set ports?
January 06, 2010 11:57PM
BigRedBrent Wrote:
-------------------------------------------------------

> The main
> reason you may want to randomize them is so that
> port throttling or blocking does not become an
> issue from an ISP that actively tries to limit
> such behavior.


such as mine, LOL



Edited 1 time(s). Last edit at 01/06/2010 11:58PM by brandonjm8.
Re: Allow all traffic on set ports?
January 07, 2010 06:13AM
The port that will be checked will be the port used on your machine.

If the packet is outgoing, it will be the source port that is checked. If the packet is incoming, it will be the destination port.

If you only set up uTorrent to initiate connections on one port (say 5000) and only allow incoming connections on port 5000, and have PB set up to filter port 5000 only (allowing all other ports), then all connections that go through uTorrent will be filtered, but all other connections (with the unlikely exception of another program using port 5000) will be allowed without question.

Personally I would suggest using block lists on all ports however, as other software - not just p2p apps - can be dangerous (for example the recent exploit of Adobe Reader).

Just to be sure, I'm confirming the information I've given you on an internal forum, as I've said this feature is very new.
Re: Allow all traffic on set ports?
January 08, 2010 07:13PM
Just a quick update;

It seems I was wrong: the port used on either the source or the destination will be filtered.

If both your incoming and outgoing ports on uTorrent are the same (5000 & 5000), however, this will have the same effect as I explained in my last post.

Hopefully night_stalker_z (the dev who is implementing this feature) will pop over here to confirm - I'm still a little confused myself... :$
Re: Allow all traffic on set ports?
January 08, 2010 07:40PM
Both the destination and source ports will be checked against the ports that you allow.

e.g. if you allow port 5000 and either the source uses port 5000 or the destination uses 5000, it will be allowed to go through; otherwise it gets blocked.
Re: Allow all traffic on set ports?
January 09, 2010 03:08AM
Thanks night_stalker_z :)
Anonymous User
Re: Allow all traffic on set ports?
February 10, 2010 02:15PM
night_stalker_z Wrote:
-------------------------------------------------------
> Both the destination and source ports will be
> checked against the ports that you allow
>
> e.g. if you allow port 5000 and either the source
> uses port 5000 or the destination uses 5000, it
> will be allowed to go through otherwise it gets
> blocked.


I am looking for the exact opposite behavior. Is there any way a "force port filtering list" can be added on top of this port allowing feature, that would check both the outgoing and incoming ports and make sure specified ports are always being filtered even if they are included in the allowed port list?

This would be perfect for me, since I could allow all ports and then individually add all the ports I want to always be filtered into the "force port filtering list".



Edited 4 time(s). Last edit at 02/10/2010 02:18PM by BigRedBrent.
Anonymous User
Re: Allow all traffic on set ports?
February 16, 2010 10:24PM
BigRedBrent Wrote:
-------------------------------------------------------
> Is there any way a "force port filtering list" can be
> added on top of this port allowing feature, that
> would check both the outgoing and incoming ports
> and make sure specified ports are always being
> filtered even if they are included in the allowed
> port list?
>
> This would be perfect for for me since I could
> allow all ports, and then individually add all the
> ports I want to always be filtered into the "force
> port filtering list".


Anyone able to tell me if this will be added to the functionality? It would be just as useful to be able to also specify what ports (both incoming and outgoing) should always be filtered even if they are included in the allow port list.



Edited 1 time(s). Last edit at 02/16/2010 10:33PM by BigRedBrent.
Re: Allow all traffic on set ports?
March 02, 2010 01:43PM
This should be doable under the scheme night_stalker_z is talking about.  If you only want port 3000 filtered you can create one rule allowing ports 0-2999, and another rule allowing ports 3001-65535.

        ---  Mark  ---




Lead developer of PeerBlock
Anonymous User
Re: Allow all traffic on set ports?
April 14, 2010 12:46AM
MarkSide Wrote:
-------------------------------------------------------
> This should be doable under the scheme
> night_stalker_z is talking about. If you only
> want port 3000 filtered you can create one rule
> allowing ports 0-2999, and another rule allowing
> ports 3001-65535.
>
>         ---  Mark 
> ---


Yes, but what would this exactly do? What if someone uses source port 7070 to connect to you on port 3000? Would this still allow the connection to go through unfiltered because they used port 7070 to connect to you with, even though you only have port 3000 open, and did not put 3000 in the allow list but 7070 is? If it is looking for both incoming and outgoing ports, will it use either one that is listed in the allow list?



Edited 6 time(s). Last edit at 04/14/2010 01:13AM by BigRedBrent.
Anonymous User
Re: Allow all traffic on set ports?
April 14, 2010 01:13AM
night_stalker_z Wrote:
-------------------------------------------------------
> Both the destination and source ports will be
> checked against the ports that you allow
>
> e.g. if you allow port 5000 and either the source
> uses port 5000 or the destination uses 5000, it
> will be allowed to go through otherwise it gets
> blocked.


It sounds like this method of allowing will require an additional force filtering list.

From what I can tell this is going to require an additional force filtering list, so that you can allow all the ports that you want to be allowed and then add ports to the force filtering list that will override the port allow list forcing them again to be filtered.

And on top of that, how about the option to specify in the list exactly what direction and end the ports will be exempt from filtering for? So each port entry to the allow list would have four additional options that could be added with check boxes. The four additional options would be: Allow external source on incoming connections, Allow local source on outgoing connections, Allow local source on incoming connections, and Allow external source on outgoing connections.

Honestly I can not think of a simpler way to fix this problem other than to simply add the ability to specify ports you want to make sure are always filtered even if they are in the allow list. The ability to specify what direction and connection end to always make sure are filtered would be useful in this force filtering list as well.

But even without all the control of being able to specify exactly what direction and end to filter or allow, the ability to make sure some ports are always filtered even if they are in the allow list is absolutely essential and a requirement for my needs.



I can not stress enough how important the ability to add a force port filtering list that overrides the allow port list would be. You would simply add the ports you want to allow into the allow list, and then add the ports you want to force filtering for in the force port filtering list to have those ports filtered again. Without this force port filtering list I would have no use whatsoever for a port allowing list. So please, I beg of you to add a force port filtering option along with this allow port option.

I am sick to death of having ports being filtered that do not need to be, but without a force port filtering list I would still need to have all ports filtered or risk an external port being allowed when it should not be.



Edited 6 time(s). Last edit at 04/14/2010 01:54AM by BigRedBrent.
Anonymous User
Re: Allow all traffic on set ports?
April 14, 2010 04:09PM
Quote

Comment 36 by peerblockproject

First off, the thing to remember is that we have two drivers - one for XP/2000, and one for Vista/7 - and that they both work in different ways.  As far as the current discussion goes, the Vista driver will allow us to specify "Allow outgoing port 80 ONLY", while the XP driver will require "Allow outgoing port 80 and incoming port 80".  This is due to the way our XP driver receives notification of network connections from the OS.  "Outgoing" means source=localip: destination=nonlocalip:, and "Incoming" means source=nonlocalip: dest=localip:.

So if you're running on Vista/7 you should have no problems, but if you're on XP/2000 this feature may not be the best in the world.  Note that this is how "Allow HTTP" works on XP as well - actually it's worse, as you're allowing all traffic with source/dest-port of 80/443.  To change this for XP we'd need to rewrite our driver from being a firewall filter-hook driver to an NDIS Intermediate filter-driver, which is expected to change our XP driver-code from 2-300 lines of code to 2-3000 lines.  If you (or anyone else reading this) are a Windows driver dev and would like to spend a few weeks working on a driver rewrite, let us know!

The default will be to "block" (meaning "filter against your lists") all ports.  If you want to configure PeerBlock to only filter traffic on one port (say 12345 for example purposes) in both directions, you can create an allow-port range of "port 0-12344 in both directions" and another allow-port range of "port 12346-65535 in both directions" . . . thereby leaving just port 12345 filtered, in both directions.

Many programs can also be configured to *only* send/receive traffic on a specific port or port-range.  Once this feature is available, if you start using it we strongly recommend auditing your network software to enable these features.  For example, many people would want to prevent their P2P app from ever communicating out one of those allowed-ports.

Hope that helps clarify the discussion - I really think your needs will be addressed by the current in-progress solution...

I am not a mathematical genius, but I am not an idiot either. It is not difficult to explain complex concepts to me so that I may understand. I want to point out that the connections I want to be filtered never seem to use the same source and destination port for both incoming and outgoing connections. The local side of the connection is always the same port and the external side always uses a random port.

Please at the very least let me know if I am not correct about this first part of my reasoning. A connection can use more than one port (regardless of the direction of the connection): the source and the destination. If one of those ports is in the allow port list then that connection will not be filtered. This leaves a huge security risk open if the other port used should never be left unfiltered. Is this just not the case at all? Because it very much looks to be the case (at least when using XP, although the risk is still present to some degree with Vista/Win7). I see no reason why not to add the ability to plug this security hole as I have requested.

Without adding an additional force port filtering list, I can not possibly imagine how my needs will be addressed even a little bit. Your descriptions have only confirmed what I had been assuming the behavior would be. What you are telling me is that if I add one port to the allow list then ports used in conjunction with that allowed port will also be allowed. But what if I know of some ports that I NEVER EVER EVER EVER want to be allowed in conjunction with ANY ports?

You admit that the feature you are implementing is a security risk, but from the information describing how this will work it is a fact that this will be an even bigger security risk without a safety measure to ensure that some ports are always filtered even if used in conjunction with allowed ports.

I do not care about the difference between XP and Vista detection, because for the most part a force port filtering list would make sure that the most important ports are always filtered even though they would otherwise be allowed because of the limitations of the allow list.

And this is exactly why a force port filtering feature must be added along with this port allowing feature, because it has such a limitation when it comes to making sure that some ports are always filtered. It is a huge security risk to let just any port be allowed just because the other end of the connection is in the allowed list.

I am not just blowing smoke here: if you can make a list that checks both ends and will allow a connection to go unfiltered if it finds one of the ports in the allow list, then you can also just as easily have it check another list to make sure that neither of those ports is in the force filtering list before it will allow the connection to go unfiltered. This will be a major security loophole without this additional option.

I am trying to envision a scenario where, even with the more advanced configurations with Vista/Win7, my suggestion would not be needed, but I just can not. This is a large security risk if you have specific ports that must always be filtered.

I am absolutely sure that I am not mistaken about this (at the very least with how XP filtering works) and I am trying as hard as I can to see if somehow I could be mistaken about this. I am sorry if you can not see the necessity, but it is a very large necessity because of the very large security risk that will be created.

I would really like you to understand this security risk, so please answer me how you can allow every port but one, and never have a connection go unfiltered that uses that single port that is not in the allow list. Because as far as I can tell it will more than likely never get filtered, because of the likelihood that it will be used with a connection that is also using a port that is in the allow list.



Edited 8 time(s). Last edit at 04/14/2010 05:22PM by BigRedBrent.
Re: Allow all traffic on set ports?
April 14, 2010 04:50PM
Hmm, we appear to have a disconnect somewhere...  Please forgive my attempt to "dumb down" this explanation, I really just want to make sure we're both on the same page as far as terminology etc. goes.

Ignoring for a moment the XP/2000 issues, let's consider how this feature would work under Vista/7.  We're planning on letting you allow port X for "incoming" (meaning source_ip=nonlocal_ip, source_port=any, dest_ip=local_ip, dest_port=X), "outgoing" (source_ip=local_ip, source_port=any, dest_ip=nonlocal_ip, dest_port=X), or "both".  So the Destination Port is the only one we'll be keying off of, since that's really the only one we care about.

The only security hole I can see here is that, say, your P2P program might be configured to allow traffic to be sent to a Destination Port of 12345, and you have Port 12345 on your "Port Allow List".  This hole will arise whenever you Allow a Port - that's kind of the entire intent behind Port Allow.

Source Ports generally don't matter too much, as they're really not (to my knowledge) indicative of much.  Traffic coming out a particular source-port may or may not mean it's a particular kind of traffic.  When browsing the web, for example, Firefox can use any source-port seemingly at random.  Then again, is this the security hole you're talking about?  For example, if your app (let's call it "AppX" for purposes of this discussion) can be configured to only send traffic out from a certain source-port - but can't limit the destination-ports to which it talks - then it's possible that it may connect to a "bad guy" computer running on port 12345 (continuing the example above)?  ...so your "Force Port Filtering" suggestion would let you Allow Port 12345 Outgoing, but then "Force Filter" outgoing connections with a source_port of 54321?  ...and then you could configure AppX to only send out connections from source_port 54321?

Believe me, we would like to understand the security risks here, and make sure we can adequately cover them.  The reasons we're a bit leery of implementing a feature like your "Force Port-Filtering" suggestion are that 1) it is likely to be even more confusing to users than the "standard" port-allow feature, 2) the more processing we need to do when filtering network traffic the greater the potential performance-hit due to our filtering, and 3) the more complex a feature ends up being the more bugs are likely to arise from its development.  These concerns can all be at least somewhat mitigated, but they do need to be given some weight.

If I'm still missing the point of this security risk, please let me know!  If you could post a concrete example, in as simple terms as possible, that would be greatly appreciated.  Pretend (?) I'm an idiot, that's fine, because at this point I'm still not quite certain I've fully understood your concern.

Thanks for the lengthy discussion of this feature,

        ---  Mark  ---




Lead developer of PeerBlock
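The allow-port semantics described in this thread (the Vista/7 driver keyed on the destination port with a direction, the XP/2000 driver matching either port, Mark's two-range "all but one port" configuration, and BigRedBrent's proposed "force port filtering list") modelled as a small Python policy evaluator. This is an added example, not PeerBlock's driver code; the local address, the block-list range, AppX's port 54321 and remote port 12345 are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: a local address and one block-listed range (TEST-NET-3).
LOCAL_IP = "192.168.1.10"
BLOCKLIST = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AllowRule:
    """An allow-port range with a direction: 'in', 'out' or 'both'."""
    low: int
    high: int
    direction: str = "both"

    def covers(self, port: int) -> bool:
        return self.low <= port <= self.high


def direction_of(pkt: Packet, local_ip: str = LOCAL_IP) -> str:
    # "Outgoing" means source=local ip; anything else is treated as incoming.
    return "out" if pkt.src_ip == local_ip else "in"


def remote_ip(pkt: Packet, local_ip: str = LOCAL_IP) -> str:
    return pkt.dst_ip if direction_of(pkt, local_ip) == "out" else pkt.src_ip


def on_blocklist(ip: str, blocklist=BLOCKLIST) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in blocklist)


def port_allowed_vista(pkt: Packet, rules, local_ip: str = LOCAL_IP) -> bool:
    """Vista/7 driver as described: direction-aware, keyed on the destination port only."""
    d = direction_of(pkt, local_ip)
    return any(r.direction in ("both", d) and r.covers(pkt.dst_port) for r in rules)


def port_allowed_xp(pkt: Packet, rules) -> bool:
    """XP/2000 driver as described: no direction, a rule covering either port allows."""
    return any(r.covers(pkt.src_port) or r.covers(pkt.dst_port) for r in rules)


def decide(pkt: Packet, rules, driver: str = "vista", force_filter=frozenset(),
           local_ip: str = LOCAL_IP, blocklist=BLOCKLIST) -> str:
    """Return 'allow' or 'block' for one packet.

    force_filter models the hypothetical "force port filtering list" from the thread:
    if either end of the connection uses one of those ports, the allow list is ignored
    and the remote address is checked against the block list as usual.
    """
    forced = pkt.src_port in force_filter or pkt.dst_port in force_filter
    if not forced:
        allowed = (port_allowed_vista(pkt, rules, local_ip) if driver == "vista"
                   else port_allowed_xp(pkt, rules))
        if allowed:
            return "allow"
    return "block" if on_blocklist(remote_ip(pkt, local_ip), blocklist) else "allow"


# Mark's configuration: allow everything except port 12345, in both directions.
RULES_ALL_BUT_12345 = [AllowRule(0, 12344), AllowRule(12346, 65535)]

# The scenario from the thread: AppX is pinned to local port 54321 and talks to a
# block-listed host that uses port 12345 on its side.
OUTBOUND_TO_12345 = Packet(LOCAL_IP, 54321, "203.0.113.7", 12345)
INBOUND_FROM_12345 = Packet("203.0.113.7", 12345, LOCAL_IP, 54321)


def demo() -> dict:
    """Evaluate both packets under both drivers, with and without the force list."""
    results = {}
    for driver in ("vista", "xp"):
        for name, pkt in (("out", OUTBOUND_TO_12345), ("in", INBOUND_FROM_12345)):
            results[(driver, name, "no_force")] = decide(pkt, RULES_ALL_BUT_12345, driver)
            results[(driver, name, "force")] = decide(
                pkt, RULES_ALL_BUT_12345, driver, force_filter={54321})
    return results


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```

Running it shows the gap BigRedBrent describes: with only the two allow ranges, the XP-style check lets the outbound packet through because its local port 54321 is covered, and both drivers let the inbound packet through because its destination (local) port is covered; adding 54321 to the force list makes every one of those packets fall back to the block list.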
Anonymous User
Re: Allow all traffic on set ports?
April 14, 2010 05:06PM
Quote

MarkSide
Re: Allow all traffic on set ports?
April 14, 2010 04:50PM

For example, if your app (let's call it "AppX" for purposes of this discussion) can be configured to only send traffic out from a certain source-port - but can't limit the destination-ports to which it talks - then it's possible that it may connect to a "bad guy" computer running on port 12345 (continuing the example above)? ...so your "Force Port Filtering" suggestion would let you Allow Port 12345 Outgoing, but then "Force Filter" outgoing connections with a source_port of 54321? ...and then you could configure, AppX to only send out connections from source_port 54321?

Yes, this is what I am after, and I am excited that it is actually possible because the application that I want to use it with is capable of limiting both of the local source and destination ports (heard of utorrent anyone). It is a pretty big security hole as far as I am concerned. If I could figure out a better way to plug it I would suggest something else, but I can not.

So you are also telling me that in XP it will be looking at both the source and destination port for filtering, but the destination port will be the only port looked at in Vista/Win7. It doesn't really matter what port is used however, because the security hole exists with all possible configuration scenarios.


Not as important, but this would also make it simpler for those who only want to filter specific ports, because they could just allow all ports and then turn around and specify the ports that they want to always be filtered. It is not too terribly confusing because many applications have settings that act in this way because it is the simplest way to configure this functionality.

I guess you could just add force port filtering for outgoing source ports only, so long as it also worked appropriately on XP systems to cover all the bases. But adding all the options to the force port filtering feature would make it simpler for people to understand and configure to the needs of each individual.

I very much hope that this will be implemented, because no way exists for the port allowing feature to be beneficial to me without forced port filtering to go along with it.



Edited 15 time(s). Last edit at 04/14/2010 06:09PM by BigRedBrent.
Re: Allow all traffic on set ports?
April 15, 2010 03:01AM
> Yes, this is what I am after, and I am excited
> that it is actually possible because the
> application that I want to use it with is capable
> of limiting both of the local source and
> destination ports (heard of utorrent anyone). It
> is a pretty big security hole as far as I am
> concerned. If I could figure out a better way to
> plug it I would suggest something else, but I can
> not.
It's a big security hole opening a port in your firewall as well but it's just convenient and necessary for some programs to function properly.


> Not as important, but this would also make it
> simpler for those who only want to filter specific
> ports, because they could just allow all ports and
> then turn around and specify the ports that they
> want to always be filtered. It is not too terribly
> confusing because many applications have settings
> that act in this way because it is the simplest
> way to configure this functionality.
You can add a range of ports so if you want to filter only port 50000, you can use 0-49999 and 50001-65535. You also get to choose the direction of the allow (i.e. local port using those ranges, destination port using those ranges or both).


> I guess you could just add a force port filtering
> for outgoing source ports only, so long as it also
> worked appropriately on xp systems to cover all
> the bases. But adding all the options to the force
> port filtering feature would make it simpler for
> people to understand and configure to the needs of
> each individual.
Adding all the options won't make it simpler for people to understand because if the developers don't understand it, then users are not likely to either.


> I very much hope that this will be implemented,
> because no way exists for the port allowing
> feature to be beneficial to me without forced port
> filtering to go along with it.
I see no benefit of having a forced port filter. It's just the same as excluding the ports from the allow list.



I may be missing something but basically you want another port list which removes the ports from the allow list if you have added them so that they will be filtered again?
Anonymous User
Re: Allow all traffic on set ports?
April 25, 2010 07:03PM
Hi Wardave

This may be helpful for you.

Until the specific port block happens in later releases of PB, users of Azureus (Vuze) 4.3.x.x (and maybe earlier but I am not sure about these) can have a port block on any port .... go to Azureus, then Tools, then Options then Transfer then look at: ignore ports with these data ports: in the field you can enter any port as long as they are separated by a semi-colon.
As far as uTorrent goes, I couldn't find that option in there, but I may be wrong; I did have a good look!

In Azureus, the ports I am currently blocking connections on are: 0;20;21;25;53;60;70;77;80;81;82;83;84;110;113;119;143;194;415;443;465;554;563;631;993;995;1024;1025;1026;1027;1028;1029;1030;1040;1041;1042;1043;1044;1045;1046;1047;1048;1049;1050;1080;1375;1863;2041;3128;5000;5190;5001;5050;5101;5190;5222;5223;5269;6667;6668;7900;8000;8080;8088;8888;11523;16771

Cheers
Qty
Anonymous User
Re: Allow all traffic on set ports?
May 05, 2010 09:49AM
Greetings, all. I've followed this from the Google code forums ( [code.google.com] ) , and wanted to comment on a few things.
1) Technically speaking, you can ignore the source port. Only the destination port is what matters. You should be able to sniff traffic to see the source port is unique and (pseudo-)random, but the destination port is what all firewalls and comms equipment are affecting. In fact, blocking based on source port could have adverse effects if some other app randomly hits that source port.
2) What many on the Google code thread are looking for is to completely allow specific outbound ports, such as port 25 for mail, port 53 for DNS, or port 123 for time. These block lists encompass more and more IPs. Though it's useful to block web or p2p traffic from potentially harmful sites, it is desirable to always allow more harmless protocols like NTP or DNS. Wardave's example is another case, for a netadmin to allow specific known uncommon ports in all cases.

A firewall or home router should do the job of blocking inbound ports, so the main interest is outbound, but it makes sense to plan for both.