
question about port comms (if Stem/Paranoid still answer N00b ??)


nmaynan
March 9th, 2008, 10:33 PM
How exactly do comms between ports happen?

my comp (with Online Armor) shows
Firefox
UDP Out 53
TCP Out 80
Svchost
UDP Out 53
UDP Out/In 123

How come Svchost port 123 is Out/In but port 53 is just Out (If this is specific to OA, could you comment on why this is so with OA but not with another FW)?

Like if I start firefox TCP Out 80 for a webpage, where does the reply come back to on my comp? to port 80 In? How come my OA rules don't seem to need a TCP In 80?

MikeNash
March 10th, 2008, 08:19 AM
-{ Quote: "How exactly do comms between ports happen?

my comp (with Online Armor) shows
Firefox
UDP Out 53
TCP Out 80
Svchost
UDP Out 53
UDP Out/In 123

How come Svchost port 123 is Out/In but port 53 is just Out (If this is specific to OA, could you comment on why this is so with OA but not with another FW)?

Like if I start firefox TCP Out 80 for a webpage, where does the reply come back to on my comp? to port 80 In? How come my OA rules don't seem to need a TCP In 80?" }-

When you connect to a website on port 80, the "80" port is at the website's end. Your computer will select a random local port to act as the endpoint.

Since you authorised the connection, OA does not need to say "Do you want to connect to port 80 on server X, and would you like to receive the response on port X".

nmaynan
March 10th, 2008, 08:28 AM
Oh, now I get it, thanks.


-{ Quote: "Your computer will select a random local port to act as the endpoint.

" }-

What local ports act as the endpoint? Is there any pattern range to the ports? Is the local connection, for example, related to the 1024-4999 endpoint restriction (to 127.0.0.1) I add when intercepting loopback?

Stem
March 10th, 2008, 12:01 PM
Hi nmaynan,
-{ Quote: "What local ports act as the endpoint? Is there any pattern range to the ports? Is the local connection, for example, related to the 1024-4999 endpoint restriction (to 127.0.0.1) I add when intercepting loopback?" }-

Have a look at the sticky thread for common ports used: http://www.wilderssecurity.com/showthread.php?t=142036

The local ports used for outbound can vary, but on a typical XP setup, you will see local ports 1024-5000 used, but this does depend on how many outbounds are currently in use (If you use P2P with many many connections, then higher ports than 5000 may be needed.)

When a connection is made from your PC, let's say, you connect to this forum, you will normally see a local port (1024-5000) connected to remote port 80 (HTTP). All data for that connection is made through those ports, but, more than one connection can be made at any time, you may see 1 or 2 or 4 or ? depending on where you connect to. Once the data flow has finished the connection(s) will close.

Typically, a program (browser etc) will start with a seemingly random local port, but will then use the next higher port for the next connection.

nmaynan
March 10th, 2008, 05:18 PM
Do I have to specify 123 In and 68 In because these are system ports (as opposed to ephemeral ports)? Or does it have to do w/ the nature of the connection?

I manually have firefox connect to internet, yet I don't specify In ports.

If I manually update time though, I get prompted for 123 In.

(is there a book that discusses the basics of port communication etc that you can recommend)?

Seer
March 10th, 2008, 09:19 PM
-{ Quote: "Do I have to specify 123 In and 68 In because these are system ports (as opposed to ephemeral ports)? Or does it have to do w/ the nature of the connection?" }-

This is due to the nature of the connection. Port 80 (for browsers) will work over TCP where stateful inspection is possible, so the incoming is allowed as a reply to outgoing.
Time Service (123) and DHCP (68) will work over UDP protocol where SPI is unavailable (OA does not keep a state table for UDP) so the incoming rules are needed.

-{ Quote: "(is there a book that discusses the basics of port communication etc that you can recommend)?" }-

I don't know about the book, but stickies on this forum are quite useful. Here's (http://en.wikipedia.org/wiki/Stateful_firewall) a place to start reading on SPI. You can just follow subsequent links, there's a bit of reading on TCP, UDP and all kinds of networking stuff.

Cheers,
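An added example (not from the thread or from Online Armor) that models what Stem and Seer describe: the browser's outbound connection uses an ephemeral local port (1031 here, a constructed value), the TCP reply to that port is matched by a state table, and a UDP reply (NTP 123) is only allowed by an explicit "In" rule because UDP is not tracked. The packets, rule sets and the ToyFirewall class are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    direction: str  # "Out" (from this PC) or "In" (to this PC)
    lport: int      # local port on this PC
    rport: int      # port at the remote end

class ToyFirewall:
    """Toy model: 'Out' rules name the remote port, 'In' rules name the local port."""
    def __init__(self, rules):
        self.rules = set(rules)   # e.g. ("TCP", "Out", 80) or ("UDP", "In", 123)
        self.state = set()        # (proto, lport, rport) for tracked outbound TCP flows

    def check(self, pkt):
        if pkt.direction == "Out":
            if (pkt.proto, "Out", pkt.rport) not in self.rules:
                return "deny"
            if pkt.proto == "TCP":    # only TCP gets a state-table entry
                self.state.add(("TCP", pkt.lport, pkt.rport))
            return "allow"
        # Inbound: a TCP reply is matched by state; anything else needs an explicit In rule
        if pkt.proto == "TCP" and ("TCP", pkt.lport, pkt.rport) in self.state:
            return "allow (state)"
        if (pkt.proto, "In", pkt.lport) in self.rules:
            return "allow (rule)"
        return "deny"

def simulate(rules, packets):
    fw = ToyFirewall(rules)
    return [fw.check(p) for p in packets]

# Constructed traffic: a Firefox page fetch followed by an NTP time sync.
TRAFFIC = [
    Packet("TCP", "Out", 1031, 80),   # Firefox -> web server, local ephemeral port 1031
    Packet("TCP", "In", 1031, 80),    # server's reply comes back to port 1031, not to 80
    Packet("TCP", "In", 1032, 80),    # unsolicited inbound: no matching state entry
    Packet("UDP", "Out", 123, 123),   # time service -> NTP server (local and remote 123)
    Packet("UDP", "In", 123, 123),    # NTP server's reply
]

OP_RULES = {("TCP", "Out", 80), ("UDP", "Out", 123)}   # no "In" rule for 123
OA_RULES = OP_RULES | {("UDP", "In", 123)}             # the "UDP Out/In 123" rule

if __name__ == "__main__":
    print(simulate(OP_RULES, TRAFFIC))   # NTP reply is denied
    print(simulate(OA_RULES, TRAFFIC))   # NTP reply allowed by the explicit In rule
```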

nmaynan
March 11th, 2008, 08:05 AM
-{ Quote: "(OA does not keep state table for UDP) so the incoming rules are needed.

Cheers," }-

Oh. I was goofed up as I was thinking the opposite. I thought OA did have a state table for UDP. I thought I read a confirmation somewhere in these forums, but I can't find it. So I'll assume OA doesn't have state table for UDP.

Thanks Seer!

http://www.wilderssecurity.com/showthread.php?t=191873&page=4&highlight=state+table

-{ Quote: "Hi Phant0m,

I think by your measures, SPI in OA is minimal at the moment... we keep state tables for all connections (I believe including udp/icmp but I would have to check on Monday). Other than that - we don't currently do so.

We do plan some enhancements in this area in the future - particularly I've discussed implementing Snort rules.

Cheers

Mike" }-