
Winsock Local port issue and network security question.


tedsmith

Programmer
Nov 23, 2000
1,762
AU
In one of my situations that has been working without a hitch for a few years I am doing the following sequence in connecting to and disconnecting from 70 different server-type devices in turn within one 30-second interval. This runs 24/7.
My client app has three winsocks that cover all 72 servers connecting in rotation so I can have a slight delay between connecting, sending and closing so the server devices can fully connect before I send each one its data, then close it (123, 234, 345, 456, etc.). Some servers are LAN-to-serial adapters that need a 100 ms delay between connecting and sending data to work and some are PCs.
Lots of other things are happening in the client and server so I can use delays or wait loops or doevents.

Sequence at 300 ms intervals, say using IP 100.100.100.100 and server local port 3000:

1. Set Client local port to 1000
2. Connect to server 100.100.100.100, 3000
3. Send Data. (works fine)
4. Close connection

5. 1 second later repeat the 4 above steps
6. I get a hang followed by the error message "Address in use". (Only if I redo step 1.)

7. If I wait about 60 seconds I can reconnect using the first 3 steps

However if I never re-set the client local port to anything at all, the winsock reconnect works without delay but the Client local port naturally keeps increasing each time to probably 64k then eventually goes back to the beginning and so on.

This has not been any problem up to now but the network administrators want me to restrict each connection to one fixed local port in both directions for network security purposes. Previously their firewall appears to have been one way only and all ports back to the clients were opened but now they are looking at restricting these as well.

A. Can anybody shed light on if this security situation is valid ? Are they correct in what they say in it being a security risk ?
B. Is there a way to change the winsock settings so the Client local port can reconnect instantly using the same local client port ?
C. Or should I be using a different method altogether ?
 
You shouldn't need to set the client local port, only the remote port, so set it to 0. Unless, of course, you have invented your own protocol.

>A. Can anybody shed light on if this security situation is valid ? Are they correct in what they say in it being a security risk ?

In many enterprises, it is generally considered best practice to run a firewall with pretty much everything blocked and to only open up ports (in either direction) that are then approved through whatever approval and authentication process the enterprise has.
And to be fair, Ted, several of us here have expressed surprise on several occasions over the years about the odd 'security' your systems have been run under; this just seems to be them beginning to do things on a more sound basis.

>B. Is there a way to change the winsock settings so the Client local port can reconnect instantly using the same local client port ?

Well, by going against all best practice for winsock, yes. You'd need to revert to the winsock API (the Winsock control does not directly allow this), and use the setsockopt API call with SO_REUSEADDR as the parameter. But I don't advise it. Nor do Microsoft (who essentially say 'you are on your own if you do this; we take no responsibility for what might happen'). And you shouldn't actually need to. See my answer to point A.

>C. Or should I be using a different method altogether ?

Yes. Don't worry about the client local port.
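The behaviour described in points B and C can be reproduced on a loopback interface. The script below is an added example for this thread, not code from the original post; it uses Python and the BSD sockets API rather than the VB6 Winsock control, and the server port and the "fixed" client port are handed out by the OS for the demo (a constructed setup, not the 3000/1000 of the post). It shows three things: pinning the client source port works once and then fails with EADDRINUSE because the closed socket is still in TIME_WAIT; setting SO_REUSEADDR makes the second bind succeed (the setsockopt route mentioned above); and not binding at all (port 0) lets the stack pick a fresh ephemeral port every time.

```python
"""Why a client that pins its own source port hits "Address in use" on the
next connection, and why a local port of 0 (OS-chosen ephemeral) does not.

Added example, Linux/BSD socket semantics. Everything runs on 127.0.0.1;
ports are chosen by the OS for the demo rather than fixed constants."""
import errno
import socket
import threading

HOST = "127.0.0.1"


def start_one_shot_server():
    """Listen on an OS-chosen port, accept one connection, drain it until the
    client's FIN arrives, then close. Closing second makes the client the
    active closer, so it is the client's port that is left in TIME_WAIT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:            # b'' means the peer sent FIN
                    break
                received.append(chunk)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread, received


def pick_free_port():
    """Ask the OS for a free port, then release it so we can pin it ourselves.
    The probe socket never connects, so closing it leaves no TIME_WAIT."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((HOST, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def send_once(local_port, reuse_addr=False, payload=b"ping"):
    """One connect / send / close cycle (steps 1-4 of the post).

    local_port=None: do not bind; the stack picks an ephemeral port.
    Returns (client port actually used, bytes the server saw, errno name or None).
    """
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse_addr:
            client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if local_port is not None:
            try:
                client.bind((HOST, local_port))
            except OSError as e:         # EADDRINUSE while the old socket is in TIME_WAIT
                return None, b"", errno.errorcode.get(e.errno, str(e.errno))
        server_port, thread, received = start_one_shot_server()
        client.connect((HOST, server_port))
        client.sendall(payload)
        used = client.getsockname()[1]
    finally:
        client.close()                   # active close: this side enters TIME_WAIT
    thread.join(timeout=5)               # server has seen our FIN and closed
    return used, b"".join(received), None


def pinned_port_attempts(reuse_addr, attempts=2):
    """Back-to-back cycles from the same fixed client port.
    Returns one errno name per attempt (None = that attempt worked)."""
    fixed = pick_free_port()
    return [send_once(fixed, reuse_addr)[2] for _ in range(attempts)]


def ephemeral_port_attempts(attempts=3):
    """The same cycles without pinning the client port; returns the ports used."""
    return [send_once(None)[0] for _ in range(attempts)]


if __name__ == "__main__":
    print("fixed port, no SO_REUSEADDR :", pinned_port_attempts(False))
    print("fixed port, SO_REUSEADDR    :", pinned_port_attempts(True))
    print("port 0 (ephemeral)          :", ephemeral_port_attempts())
```

The first line of output is the 60-second symptom from the post: the second bind to the pinned port fails until TIME_WAIT expires. SO_REUSEADDR clears it on Linux and BSD, but note that on Windows the same option has wider semantics (it lets a second socket bind a port another socket is actively using), which is the reason for the Microsoft warning quoted above. Letting the stack choose the port avoids the issue entirely, and a stateful firewall only needs a rule for the server's port; the reply traffic to the client's ephemeral port is matched to the existing connection.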

 
Thanks
Sorry but it is not my fault that these network administrators have been running a lax security system. As they are a branch of our State Government I just follow orders assuming they know what they are doing! I have had the system working in various forms since 1987, starting with a DOS version then all the various versions of Windows since.

Can you please clarify two points you make?
>Yes. Don't worry about the client local port
In the event they do change rules and only allow one port in either direction, if I don't worry about the local client port will it still work?

> so set it to 0
Do I reset it to 0 every time I connect or just initially?
1. I originally tried this but I seem to remember it still used a different local port every time it reconnected (I might be wrong)

2. what port can I tell them to allow in the Server to Client direction?

Remember I am not using the method of trying to connect on a different common port and then having the server assign the eventual working server input port for every transmission. Each client is allocated a fixed server local port that it must always use.
 
>Sorry but it is not my fault

Indeed. Just pointing out that the security they used to use was poor, and so these changes are not all that surprising.

> if I don't worry about the local client port will it still work?

The point is that the client should be using its REMOTE port to talk to the server's LOCAL port(s).
You should not need to worry about the client's local port at all. Indeed, most advice is to leave this set to 0, and let winsock do the work of assigning a random working local port when the connection is established.

> it still used a different local port every time it reconnected
Yep, as designed. And should not matter.

>what port can I tell them to allow in the Server to Client direction?
Unless you are doing something odd, the port they should allow is the server's Local port
 