One of the things you have to deal with when operating a network firewall is to allow only the traffic inbound and outbound that you want. That’s the entire point of having a firewall — to control (and perhaps log and report on) traffic moving into and out of your network. In order to do that, you need to understand some characteristics of that traffic.
Web traffic is easy. If you want to allow outbound Web traffic, you configure your firewall to allow TCP ports 80 and 443 outbound (80 is typically used for unencrypted traffic, while 443 is usually used for encrypted, or SSL protected traffic). If you want to allow Internet users access to your Web servers, you allow TCP ports 80 and 443 inbound to the IP address of your Web server.
There are other “simple” protocols that require only a single port inbound or outbound. For example, SMTP mail traffic uses only TCP port 25. If you want to send mail out, allow TCP port 25 outbound. If you want to accept incoming SMTP mail to your mail server, allow inbound TCP port 25.
But not all protocols are that simple, and that’s when the issue of “opening a port” comes into play. For example, consider FTP. In order to make the outbound connection to the FTP server, you need to allow outbound TCP port 21. However, in order to receive data, the FTP server will need to open a new connection inbound on a port negotiated between the FTP client (or firewall) and the FTP server.
So, in this example, what port do you open? What does it mean to “open a port”? In reality, it means nothing, because the term “open a port” implies that a port is bidirectional, which is it not. When you “open a port”, you allow inbound or outbound connections, so there’s directionality. Also, do you open it to all hosts, or just to a particular host? What about source IP address? Does the inbound or outbound port require that there be a specific source IP address?
The next time someone tells you to “open a port”, ask them:
1. Open it in what direction? Inbound or outbound?
2. Open it to a specific host (IP address) or all IP addresses?
3. Is there a specific source port that should be allowed?
By asking these questions, you’ll have a more secure firewall configuration and you won’t inadvertently allow traffic into or out of your network that could cause you to be compromised.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP – Microsoft Firewalls (ISA)