flat assembler
Message board for the users of flat assembler.

Internet port blocking

ManOfSteel
Hello,

If I wanted to block almost every single service/protocol/port there is, what would be the very minimum I should allow to be able to use a web browser normally?

Thanks in advance.
Post 13 May 2008, 12:59
edfed
The minimum for modern web browsing is IEEE 802.3 frames.
Post 13 May 2008, 13:34
revolution
Most websites use port 80 (HTTP) and 20/21 (FTP), although you could mostly get by with just allowing port 80 on outgoing requests.

You can block every incoming port if you like, a web browser never needs a listening port.
Post 13 May 2008, 13:52
asmrox
What are you blocking exactly? How do you do it? Router? API?
You just need to send/receive any frames; they can even be Ethernet if you write a tunnel and set up a router to translate it over IP and send it to the internet.

Quote:
a web browser never needs a listening port

Don't forget a web browser can also be an FTP client... (or server)
Post 13 May 2008, 15:42
revolution
asmrox wrote:
Don't forget a web browser can also be an FTP client... (or server)
Passive FTP solved this problem many years ago.
Post 13 May 2008, 15:49
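The active/passive distinction behind the two posts above, as an added example that is not part of the thread: both FTP modes encode a host and port as six decimal fields (RFC 959), but with PORT the client announces a socket it is listening on and the server connects in, while with PASV the server announces where it listens and the client connects out. The parser below classifies a negotiation line and reports whether the transfer would need an unsolicited inbound connection; the check that a 227 reply points at the same host as the control connection is an extra caveat of mine, not something the thread discusses. The sample lines and the addresses are constructed.

```python
# Added example (not from the thread): parse the two FTP data-connection
# negotiations and report which one needs an inbound listening port on the
# client.  Sample lines are constructed; addresses are documentation ranges.
import re
from typing import NamedTuple, Optional, Tuple


class DataConn(NamedTuple):
    mode: str             # "active" (PORT) or "passive" (PASV)
    host: str             # where the data connection goes / listens
    port: int
    client_listens: bool  # True: client must accept an inbound connection


# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_REPLY = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(fields) -> Tuple[str, int]:
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError(f"octet out of range in {fields}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_port_command(line: str) -> DataConn:
    """Active mode: the client announces a socket it is LISTENING on and the
    server connects back to it (by default from its port 20).  That inbound
    connection is exactly what a 'block all incoming' policy stops."""
    m = _PORT_CMD.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _decode(m.groups())
    return DataConn("active", host, port, client_listens=True)


def parse_pasv_reply(line: str, control_server_ip: Optional[str] = None) -> DataConn:
    """Passive mode: the server tells the client where IT listens and the
    client connects OUT, so a stateful egress policy tracks it like any other
    outbound flow.  If control_server_ip is given, a 227 reply pointing at a
    different host is refused rather than followed (assumed hardening: a
    server or something in the path could otherwise redirect the data
    connection to an arbitrary address)."""
    m = _PASV_REPLY.match(line)
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    host, port = _decode(m.groups())
    if control_server_ip is not None and host != control_server_ip:
        raise ValueError(f"PASV host {host} differs from control host {control_server_ip}")
    return DataConn("passive", host, port, client_listens=False)


def needs_inbound_rule(conn: DataConn) -> bool:
    """True when the firewall would have to permit an unsolicited inbound
    connection for the transfer to work."""
    return conn.client_listens


if __name__ == "__main__":
    # Constructed sample lines, one per mode.
    for c in (parse_port_command("PORT 192,0,2,10,203,64"),
              parse_pasv_reply("227 Entering Passive Mode (198,51,100,21,195,89)",
                               control_server_ip="198.51.100.21")):
        print(c, "needs inbound rule:", needs_inbound_rule(c))
```

Run as a script it prints the decoded active socket (the client listening on 192.0.2.10:52032) and the passive one (an outbound connection to 198.51.100.21:50009); only the first needs a hole in the inbound policy, which is why a browser in passive mode can live behind "block all incoming".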
Alphonso
Interesting question; it depends how you define "normally".

Maybe just one TCP port, a proxy server port (8080).

Find a good proxy (usually port 8080), use its IP address instead of a domain name and hope it stays fixed; then you'll be able to ditch DNS port 53 and close UDP.

Your operating system may have some of its own requirements too.
Post 13 May 2008, 16:28
edfed
Quote:
Most websites use port 80 (HTTP) and 20/21 (FTP), although you could mostly get by with just allowing port 80 on outgoing requests.

Noob question:

What are the ports?
Is there any relationship with I/O ports?
Post 13 May 2008, 22:35
revolution
edfed wrote:
Quote:
Most websites use port 80 (HTTP) and 20/21 (FTP), although you could mostly get by with just allowing port 80 on outgoing requests.

Noob question:

What are the ports?
Is there any relationship with I/O ports?
These are TCP ports; check out my website to learn about the TCP protocol.
Post 14 May 2008, 03:04
mattst88
revolution wrote:
edfed wrote:
Quote:
Most websites use port 80 (HTTP) and 20/21 (FTP), although you could mostly get by with just allowing port 80 on outgoing requests.

Noob question:

What are the ports?
Is there any relationship with I/O ports?
These are TCP ports; check out my website to learn about the TCP protocol.


* mattst88 gives revolution a high five

Post 14 May 2008, 04:50
ManOfSteel
I've been messing with the Local Security Settings console (on W2K) and I had trouble allowing HTTP traffic and blocking all the rest.
I first thought it was only about HTTP/80. After reading Alphonso's post I realised I forgot about DNS/53. And I expected it to work! (I also forgot HTTPS/443).
Now it works fine. Thank you all for the help.


revolution wrote:

Although you could mostly get by with just allowing port 80 on outgoing requests.
You can block every incoming port if you like, a web browser never needs a listening port.

How so? If I only allow port 80 on egress and block everything else on egress AND ingress (any other TCP), how would I be able to get any reply from the remote web server? Could you explain more?
Post 14 May 2008, 11:58
revolution
ManOfSteel wrote:
revolution wrote:

Although you could mostly get by with just allowing port 80 on outgoing requests.
You can block every incoming port if you like, a web browser never needs a listening port.

How so? If I only allow port 80 on egress and block everything else on egress AND ingress (any other TCP), how would I be able to get any reply from the remote web server? Could you explain more?
You only need to block the incoming listening ports. Firewalls still allow incoming traffic that has the connection initiated by a previous outgoing request. Only unsolicited packets are dropped due to the lack of any associated outgoing connection.
Post 14 May 2008, 12:25
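The behaviour revolution describes (an egress allow-list, no listening ports, and inbound traffic accepted only when it belongs to a flow the host opened) is what a stateful, connection-tracking firewall does. The following is an added example, not code from the thread or from any real firewall: a toy filter that applies a minimal browser allow-list (TCP 80, TCP 443, UDP 53, assumed here) plus a connection table, run over a constructed packet trace. Addresses are from the documentation ranges and the trace is made up. It also shows the limit ManOfSteel asks about later in the thread: anything on the host that connects out on an allowed port, spyware included, passes a port-based egress rule just as the browser does.

```python
# Added example (not from the thread): a toy stateful packet filter that
# models an egress allow-list, no inbound listeners, and connection
# tracking so that replies to solicited traffic get through.  Addresses
# and the packet trace are constructed for illustration.
from dataclasses import dataclass
from typing import List, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]  # proto, local ip, local port, remote ip, remote port

# Assumed minimal egress allow-list for a browser: HTTP, HTTPS, DNS.
BROWSER_EGRESS: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (host -> internet) or "in" (internet -> host)
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag: True on a connection attempt


class StatefulFilter:
    """Egress allow-list plus connection tracking; nothing listens inbound."""

    def __init__(self, allowed_egress: Set[Tuple[str, int]]) -> None:
        self.allowed_egress = set(allowed_egress)
        self.conntrack: Set[FlowKey] = set()
        self.log: List[str] = []

    @staticmethod
    def flow_key(pkt: Packet) -> FlowKey:
        # Normalise both directions to (local, remote) so a reply matches
        # the outbound packet that opened the flow.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decide(self, pkt: Packet) -> str:
        key = self.flow_key(pkt)
        if key in self.conntrack:
            verdict = "ACCEPT"                          # part of a tracked flow
        elif pkt.direction == "out":
            opens_flow = pkt.proto == "udp" or pkt.syn  # a TCP flow must start with SYN
            if opens_flow and (pkt.proto, pkt.dst_port) in self.allowed_egress:
                self.conntrack.add(key)                 # remember it so replies pass
                verdict = "ACCEPT"
            else:
                verdict = "DROP"                        # port not allowed, or stray mid-stream packet
        else:
            verdict = "DROP"                            # unsolicited inbound: no listener, no flow
        self.log.append(f"{verdict:<6} {pkt.direction:<3} {pkt.proto} "
                        f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return verdict


HOST = "192.0.2.10"  # constructed local address

# Constructed trace: a DNS lookup and reply, an HTTP connection and its
# SYN/ACK, an inbound scan of port 445, an outbound "phone home" on 6667,
# another one hiding on port 80, and a forged reply with no matching flow.
TRACE: List[Packet] = [
    Packet("out", "udp", HOST, 51000, "198.51.100.53", 53),
    Packet("in",  "udp", "198.51.100.53", 53, HOST, 51000),
    Packet("out", "tcp", HOST, 52000, "203.0.113.80", 80, syn=True),
    Packet("in",  "tcp", "203.0.113.80", 80, HOST, 52000),
    Packet("in",  "tcp", "203.0.113.66", 40000, HOST, 445, syn=True),
    Packet("out", "tcp", HOST, 52001, "203.0.113.99", 6667, syn=True),
    Packet("out", "tcp", HOST, 52002, "203.0.113.99", 80, syn=True),
    Packet("in",  "tcp", "203.0.113.77", 80, HOST, 52003),
]


def run_trace(trace: List[Packet] = TRACE) -> List[str]:
    """Filter the trace and return the verdict for each packet, in order."""
    fw = StatefulFilter(BROWSER_EGRESS)
    verdicts = [fw.decide(p) for p in trace]
    for line in fw.log:
        print(line)
    return verdicts


if __name__ == "__main__":
    run_trace()
```

The DNS reply and the HTTP SYN/ACK are accepted because their flow keys were recorded when the host sent the first packet; the inbound SYN to 445 and the forged "reply" are dropped because nothing recorded them, which is the whole reason a browser-only host can block every inbound port. The two outbound connections at the end are the caveat: the one to 6667 is dropped by the allow-list, but the one to port 80 is indistinguishable from a browser request at this layer, so a port filter alone does not answer the spyware question; that needs per-process control or an application-aware proxy.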
ManOfSteel
revolution wrote:

You only need to block the incoming listening ports.
[...]
Only unsolicited packets are dropped due to the lack of any associated outgoing connection.

What about spyware and other "information collectors"? A firewall would generally warn the user about them and ask for his intervention, but the Local Security Settings console won't AFAIK.

revolution wrote:
Firewalls still allow incoming traffic that has the connection initiated by a previous outgoing request.

Ok, that's for a firewall, because in effect it's allowing a temporary bidirectional communication just for the current connection. But the Local Security Settings console is not really a firewall, so I'm not sure about that behavior.
Post 14 May 2008, 19:55
Copyright © 1999-2020, Tomasz Grysztar.