Windows 7 2 way FW Ephemeral Ports

Escalader · #1 June 23rd, 2010, 03:18 PM

Quote:

Ephemeral Ports - Temp Range
When initiating outbound requests for common remote services (ie. HTTP for web browsing), your system will use ports some refer to as "ephemeral ports" or the "temp range" for the local portion of these connections. The ephemeral ports or temp range is 1024-5000. These would be the standard ports used locally for most connections to remote services . Thus your custom rule would allow local service/port 1024-5000. Most firewalls default your rules to any local service/port. Restricting the rule to the ephemeral ports or temp range (the standard used by most services) for local service/port is just a means of tightening up your rule(s). It also would alert you to something using non-standard services/ports.

This would apply for all rules using common remote services such as HTTP, POP3, SMTP, NNTP, etc.

This is drawn from Crazy.. in the excellent stickies at the top of this forum.

My question is are these ports the same in Windows 7 FW 2 way ?

If not what are the new values

Cudni · #2 June 23rd, 2010, 03:34 PM

Yes, they will be the same.

see for correct answer below

Seer · #3 June 23rd, 2010, 04:30 PM

Actually, no. The default ephemeral range has been changed in Vista, see here.

Quote:

You can view the dynamic port range on a computer that is running Windows Vista or Windows Server 2008 computer by using the following netsh commands:

netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp
netsh int ipv6 show dynamicport tcp
netsh int ipv6 show dynamicport udp

Try this on W7, I bet it's the same as Vista.

weeNym · #4 June 24th, 2010, 12:28 AM

Quote:

Originally Posted by Escalader

My question is are these ports the same in Windows 7 FW 2 way ?

If not what are the new values

As the link in Seer's post mentions "The new default start port is 49152, and the default end port is 65535."
Does the Windows 7 firewall allow for entering port ranges?
Vista only appears to permit specifying a port or list of ports. A list from 49152 to 65535 would be a little cumbersome

weeNym

Escalader · #5 June 24th, 2010, 09:46 AM

Quote:

Originally Posted by weeNym

As the link in Seer's post mentions "The new default start port is 49152, and the default end port is 65535."
Does the Windows 7 firewall allow for entering port ranges?
Vista only appears to permit specifying a port or list of ports. A list from 49152 to 65535 would be a little cumbersome

weeNym

I'll check this one out.

BTW, some 3rd party FW's do not allow users to put in a condition for local ports so we should use this security feature as one of our selection criteria for these products.

The question to put to vendors is do you default to the windows x Ephemeral Ports or allow any port(s)?

Seer · #6 June 24th, 2010, 03:07 PM

Quote:

Originally Posted by weeNym

Does the Windows 7 firewall allow for entering port ranges?

What do you mean? This screenshot is from W7 (sorry for the "ugliness", it is a VM) and the example (I pointed out) clearly states that ranges are supported -

Name: 240610.png
Views: 797
Size: 10.4 KB

Name: 240610.png
Views: 797
Size: 10.4 KB

Escalader · #7 June 24th, 2010, 05:30 PM

Quote:

Originally Posted by Seer

What do you mean? This screenshot is from W7 (sorry for the "ugliness", it is a VM) and the example (I pointed out) clearly states that ranges are supported -

Attachment 219256

Nick:

Thanks for that VM!

Could you post a filled in one for IE or FF etc showing us what we need ephemeral wise?

The tightening up on browsers is NB for FW's at least for me!

If you are too busy don't worry about it just for me.

0strodamus · #8 June 24th, 2010, 08:54 PM

Quote:

Originally Posted by weeNym

As the link in Seer's post mentions "The new default start port is 49152, and the default end port is 65535."
Does the Windows 7 firewall allow for entering port ranges?
Vista only appears to permit specifying a port or list of ports. A list from 49152 to 65535 would be a little cumbersome

weeNym

Thanks for posting the port range!

weeNym · #9 June 25th, 2010, 01:46 AM

Quote:

Originally Posted by Seer

What do you mean?

Not having Windows 7 I was simply asking if the Windows 7 firewall permits entering port ranges in the ports and protocols properties. ie. you wanted to enter the ephemeral port range in the local port for outbound rule.

With Vista, you can only enter a port or list of ports. I doubt you would want to try and enter the ephemeral port range as a list.
Name: VistaFW_ports.jpg
Views: 725
Size: 58.6 KB

Name: VistaFW_ports.jpg
Views: 725
Size: 58.6 KB

Quote:

Originally Posted by Seer

This screenshot is from W7 (sorry for the "ugliness", it is a VM) and the example (I pointed out) clearly states that ranges are supported -

Your screenshot answers my question and indicates Windows 7 firewall will allow entering port ranges.

weeNym

weeNym · #10 June 25th, 2010, 02:02 AM

Quote:

Originally Posted by Escalader

Could you post a filled in one for IE or FF etc showing us what we need ephemeral wise

While I cannot do it with Vista, it would look like this:
Name: W7FW_ephemeral.jpg
Views: 727
Size: 61.0 KB

weeNym

Seer · #11 June 25th, 2010, 02:55 AM

Quote:

Originally Posted by weeNym

With Vista, you can only enter a port or list of ports. I doubt you would want to try and enter the ephemeral port range as a list.

Oh, I see. I was not aware of that.
After a little research on MS Technet, it turns out that Vista firewall will not filter port ranges even with netsh command parameters -

Quote:

Port ranges are supported only on computers that are running Windows 7 or Windows Server 2008 R2.

Quote from here.

Oh well.

Cheers,

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search