IE uses 2 local ports unknown to me

Discussion in 'other firewalls' started by act8192, Feb 19, 2013.

Thread Status:
Not open for further replies.
  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    The players are: Windows XP-SP3, IE-v8, Avast.
    I usually use Opera, but to help a friend I had to use IE. So I allowed it in the firewall and was checking the log to recheck if my old rules are still valid. I turned on some logging, see attached.

    In IE the home page was google search page, not my Opera speed dial, so I had to type in the Wilders URL.

    In Opera I have never seen the ports I put red rectangles on - 18821 and 7754. They were not used for DNS.
    I know that 27275 is avast proxy port for some game stuff so the tunnel is properly blocked in this instance, but those two are baffling and are present all the time on every site I tried.

    What was going on? What's IE doing besides its normal cache where local and remote computer ports are equal?

    IEpacketsLog.jpg
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    Reset/reconfigure/disable your local proxy software (whatever, including WLAN).
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    I need the local proxy because Avast uses it.
    Few internet applications are permitted to go through the proxy, rest are not.
    Few applications, such as IE, Firefox, SeaMonkey, Windows Media Player additionally do need loopback to the local host at all times, but I don't allow WMP out.

    My question was not related to the proxy issue where the browser sends information through the avast proxy (I didn't log that part) and avast handles the connection.
    My question was about the specific local ports IE wanted to use, the ones in red rectangles.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I would suggest you ask this on the Avast forums. Lots of great experts on the product there. I do recall their various shields using different ports.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    That just looks like your browser making normal connections to the machine's loopback address and its own ports. Even though it is remote and local, it's still just your machine's ports.

    Normally I allow those connections by default, but to clarify for you I set the rule to "Ask", and here are some results, similar to yours...
     

    Attached Files:

    Last edited: Feb 20, 2013
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    @wat0114,
    No problem with IE loopback. I understand that. My question is about 18821 and 7754, which are just unusual for me to see since normally IE uses one port - same local and remote on the local host. But I haven't used IE for so long, it's hard to remember how it all went.

    I did catch 18821 in action - it was a flash of SYN_SENT to that port and then it vanished. No close wait, nothing. Gotta be a trojan or something :D Other than that, no flashes for 7754, just what I see in the log.

    ASK is one of the modes I use, and firewall does ask.
    IE-18821.jpg
    Today I just blocked them for IE, no bad effects. Far as I'm concerned, IE can use up to 5000 on my XP both sides.

    @itman,
    Thanks. The thing is that it has nothing to do with avast, as I mentioned in my first post. I suppose I shouldn't have dragged in the entire avast-proxy log items in my screen shot. I did 'cause I thought it might make it clearer when shown the entire sequence of ports use, but obviously not.
    You're correct, avast uses 10 or 11 ports, pain to build rules, but you only do it once in a lifetime :)
     
    Last edited: Feb 20, 2013
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Also on XP, SP3, IE8. I did the same test opening and closing IE several times, and it started at 2103, then incremented each open/close cycle by exactly one, until I stopped at 2128. With Firefox it doesn't do that, instead using a different random numbered port each cycle. Interesting, not sure why the browsers differ that way.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    Remote ports are not relevant - the connection from 0.0.0.0 to 127.0.0.1 is relevant - that's a (local) proxy connection.
    Depending on LAN settings either 0.0.0.0 or 127.0.0.1 are localhost, not both. Check C:\Windows\System32\drivers\etc\hosts. I don't have a loopback in Internet Explorer this way.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    This is correct. There should not be a hook to loopback from 0.0.0.0 unless a host file lookup is being initiated.

    In WIN 7, your hosts file should look like this:

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    No it's not.
    0.0.0.0 is not a loopback address, it simply means "any address". Outbound packets are sent from "any" (0.0.0.0) local address to avast proxy. "Any" in this case is used if you, for example, have IE configured to communicate on more than one network card (common on servers) which would normally sit on different subnets. The returning packets will then go to 0.0.0.0 address which in the routing table is bound to a correct IP address of the subnet IE sits on. You can add and remove entries in the routing table at will if so desired. Just use the 'route print' command, hopefully this will make more sense.
    In short, all is well, no need to call for trojans.

    Cheers,
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The Avast proxy address for the web shield used to be 127.0.0.1 TCP port 12080. They might have changed it in later versions.
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    @Seer, you're right on the money, far as I understand all that :)
    I haven't really been surprised by zero octet used by IE, since long ago I've seen it in Kerio on another box. Only since this, almost never used, IE puzzle I remembered to include it in the local host group in the Sunbelt firewall.

    What I'm still, since post#1, baffled by is IE hitting 18821 and 7754, an unusual thing.

    @itman, Avast proxy ports are:
    12025,12080,12080,12110,12143,12465,12993,27275. They all gotta be kept on a leash (if you're nuts like me), just for specific applications, so that no other app tries to tunnel out through them. That's all.

    Some firewalls see and report zero octet (Kerio, ZoneAlarm, Sunbelt, maybe Outpost). Some do not.
     
    Last edited: Feb 26, 2013
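
The triage discussed in this thread, as an added example that is not part of any poster's message: it sorts loopback-bound TCP rows from `netstat -ano` style output into Avast proxy ports (the list from post #12), the Windows XP default ephemeral range of 1025-5000, and everything else, which is marked for review. The sample rows and PIDs are constructed for illustration; "review" only means the port is explained by neither list.

```python
import re

# Avast local proxy ports as listed in post #12 of this thread.
AVAST_PROXY_PORTS = {12025, 12080, 12110, 12143, 12465, 12993, 27275}
# Windows XP default ephemeral (dynamic) port range: 1025-5000.
XP_EPHEMERAL = range(1025, 5001)
LOCAL_SOURCES = ("127.", "0.0.0.0")  # loopback, or "any address" as some firewalls log it

# Constructed sample in `netstat -ano` layout; rows and PIDs are illustrative only.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:2103         127.0.0.1:12080        ESTABLISHED     1234
  TCP    127.0.0.1:2104         127.0.0.1:2105         ESTABLISHED     1234
  TCP    0.0.0.0:2106           127.0.0.1:18821        SYN_SENT        1234
  TCP    0.0.0.0:2107           127.0.0.1:7754         SYN_SENT        1234
  TCP    192.168.1.10:2108      203.0.113.5:80         ESTABLISHED     1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def classify(remote_port):
    """Label a loopback destination port by what would normally explain it."""
    if remote_port in AVAST_PROXY_PORTS:
        return "avast-proxy"
    if remote_port in XP_EPHEMERAL:
        return "ephemeral-loopback"
    return "review"

def loopback_connections(netstat_text):
    """Return (pid, local_port, remote_port, state, verdict) per loopback-bound row."""
    results = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or non-TCP line
        laddr, lport, raddr, rport, state, pid = m.groups()
        # Keep only outbound attempts whose destination is the local host.
        if state == "LISTENING" or not raddr.startswith("127."):
            continue
        if not laddr.startswith(LOCAL_SOURCES):
            continue
        results.append((int(pid), int(lport), int(rport), state, classify(int(rport))))
    return results

def ports_to_review(netstat_text):
    """Sorted loopback destination ports not explained by either list."""
    return sorted({r[2] for r in loopback_connections(netstat_text) if r[4] == "review"})
```

The PID column is what ties a flagged port back to a process, so on a live system the next step is to match it against the task list for the owning executable.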