Firewall port range 1

Status
Not open for further replies.

robdon

Programmer
May 21, 2001
252
ES
Hi,

I have an application running on WinXP, and it uses a certain port (6000) to communicate on.

So in my firewall I allow access to this port.

However, the application uses another 'random' port to communicate back to the client (I think) and that port seems to be between 1000 - 2000.

I seem to have to allow access to ports 1000-2000 to get the client to connect.

I just wanted to check: how 'bad' is it for me to leave such a huge port range open?

Thanks,

Rob Donovan.
 
If you're curious about which vulnerabilities/trojans/worms operate in this range, check out the ports database or Dshield.

I would recommend figuring out which ports your app needs and only allowing those specific ports (you've done this but maybe the program has been updated and now uses a different port?), or searching for a way to make it use a single port. A third solution would be to allow the ports in your firewall, then use a software firewall to block those ports, but allow the program to connect (set the firewall to block all by default, but specifically allow the program).

If this doesn't work, post the name of the program and someone here will probably have a more precise solution.

 
Hi,

Thanks for the tips,

Looks like the software firewall example would fit me best.

Rob D.
 
Can you block 1000-2000 to incoming traffic, but open them to outgoing?

Blue [dragon]

If I wasn't Blue, I would just be a Dragon...
 
It sounds as if your application opens an ephemeral port for the return communications. Ephemeral ports are 1024-65535, but Windows won't choose ports above 5000 generally.

It is better if you can specify the port number on the client to use. If it is dynamic on both ends, then put in a rule from ephemeral ports on the server to ephemeral ports on the clients. If you can limit the client IP range, all the better.

It does increase the vulnerability of the server, and is probably not the best architecture for your application, but it isn't the end of the world. Is there a reason why you are opening 2 sockets for the connection, rather than sticking to a single socket?

Usually, the only reason to open a second socket is to handle some form of streaming data (UDP) with a control link (TCP).


pansophic
 
Hi,

I guess so, but it's still a bit 'insecure'.

If I did manage to get infected with a trojan, then it could 'call base' and send back info from my PC through those ports...

Rob D.
 
Every open port is a security risk, so that is not the point.
What you can do is tell the firewall WHO (what IP) is allowed to use that port (if the firewall permits).

Also, some apps do use random ports; a UPnP-capable firewall is needed in most cases.
What application is it anyway? That can shed some light on the matter.


Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
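To make the trade-offs in this thread concrete, here is an added example (not code from the thread or from any of the posters): a small default-deny packet-filter simulator that compares the wide "6000 plus 1000-2000 from anywhere" rule set with Blue dragon's "closed inbound, open outbound" variant, the client-subnet scoping Marc and pansophic suggest, and a stateful filter that admits the reply leg through connection tracking instead of a port range. The server address 192.0.2.10, the client subnet 10.0.0.0/24 and the internet host 203.0.113.7 are constructed sample values; port 6000 is the application port from the thread. The model filters both directions so it can also measure what a compromised host could reach outbound, which is the worry raised about a trojan "calling base".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed sample addresses (documentation ranges); not from the thread.
SERVER = "192.0.2.10"       # the WinXP host running the application
CLIENTS = "10.0.0.0/24"     # assumed subnet the legitimate clients live in
ANY = "0.0.0.0/0"
APP_PORT = 6000             # the application's listening port from the thread


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" = toward SERVER, "out" = from SERVER


@dataclass
class Rule:
    direction: str
    peer: object            # ip_network the remote (non-server) address must be in
    lo: int
    hi: int                 # inclusive destination-port range

    def matches(self, p: Packet, remote) -> bool:
        return (p.direction == self.direction
                and remote in self.peer
                and self.lo <= p.dport <= self.hi)


def rule(direction, cidr, lo, hi=None):
    return Rule(direction, ip_network(cidr), lo, hi if hi is not None else lo)


class Firewall:
    """Default-deny filter; with stateful=True it also accepts the reverse
    leg of any flow it has already let through (connection tracking)."""

    def __init__(self, rules, stateful=False):
        self.rules = list(rules)
        self.stateful = stateful
        self.conns = set()  # (src, sport, dst, dport) of accepted packets

    def accept(self, p: Packet) -> bool:
        if self.stateful and (p.dst, p.dport, p.src, p.sport) in self.conns:
            return True     # reply to a tracked flow, no port rule needed
        remote = ip_address(p.src if p.direction == "in" else p.dst)
        if any(r.matches(p, remote) for r in self.rules):
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def wide_policy():
    """What the original poster ended up with: 6000 plus 1000-2000, from anywhere."""
    return Firewall([rule("in", ANY, APP_PORT), rule("in", ANY, 1000, 2000),
                     rule("out", ANY, 1000, 2000)])


def reply_only_policy():
    """Blue dragon's variant: 1000-2000 blocked inbound, allowed outbound only."""
    return Firewall([rule("in", ANY, APP_PORT), rule("out", ANY, 1000, 2000)])


def scoped_policy():
    """Marc's and pansophic's advice: the same ports, but only for the client subnet."""
    return Firewall([rule("in", CLIENTS, APP_PORT), rule("out", CLIENTS, 1000, 2000)])


def stateful_policy():
    """Only the service port is opened; connection tracking admits the replies.
    (A real policy would add explicit outbound rules for what the host needs.)"""
    return Firewall([rule("in", CLIENTS, APP_PORT)], stateful=True)


def session_works(fw) -> bool:
    """A legitimate client connects from an ephemeral port and gets its reply."""
    syn = Packet("10.0.0.5", 1500, SERVER, APP_PORT, "in")
    reply = Packet(SERVER, APP_PORT, "10.0.0.5", 1500, "out")
    return fw.accept(syn) and fw.accept(reply)


def inbound_exposure(fw, host="203.0.113.7"):
    """Server ports an arbitrary internet host can reach unsolicited."""
    return [port for port in range(1, 65536)
            if fw.accept(Packet(host, 40000, SERVER, port, "in"))]


def outbound_reach(fw, host="203.0.113.7"):
    """Ports on an arbitrary internet host the server could open connections
    to on its own initiative (the 'trojan calling base' concern)."""
    return [port for port in range(1, 65536)
            if fw.accept(Packet(SERVER, 3000, host, port, "out"))]


if __name__ == "__main__":
    for name, make in [("wide", wide_policy), ("reply-only", reply_only_policy),
                       ("scoped", scoped_policy), ("stateful", stateful_policy)]:
        print(f"{name:10} session={session_works(make())!s:5} "
              f"inbound_exposed={len(inbound_exposure(make())):4} "
              f"outbound_reach={len(outbound_reach(make()))}")
```

All four policies let the legitimate session through, which is why the wide rule "works"; the difference is only visible when you count what else they admit. The wide policy exposes 1002 server ports to anyone, the reply-only policy 1 (the service port), and the scoped and stateful policies none to hosts outside the client subnet. The outbound column shows the other half of the concern: any policy that opens 1000-2000 outbound to arbitrary destinations lets a compromised host talk to 1001 ports on any internet address, whereas scoping to the client subnet or relying on connection tracking leaves nothing for unsolicited outbound traffic.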