Importance of setting correct local ports

Discussion in 'LnS English Forum' started by RyanM, Mar 13, 2007.

Thread Status:
Not open for further replies.
  1. RyanM

    RyanM Registered Member

    Joined:
    Jun 8, 2006
    Posts:
    23
    Hi everyone.
    Lately I've been doing some reading up on firewall filtering rules and how to create/modify them. I am using Phant0m's rule set so I won't pull my hair out trying to figure out what his rules actually do. My question refers to the more basic rules like creating a filtering rule that allows/disallows a connection to (or from) a remote location.

    I've imported some of the rules from the LnS Web site and some I've created myself. However, there is one area of the rule creation process that I don't quite understand: the "TCP/UDP: port" area for the Local Port. In most of Phant0m's rules, any rule that involves a local IP address (Equals my @), the "TCP/UDP: port" for the Local side is in a range of 49152 to 65535, while some of the rules from the LnS Web site (and also from the help file in the LnS program), the "TCP/UDP: port" range is from 1024 to 5000 for Local ports. And then there are some rules that don't have anything specific selected in the "TCP/UDP: port" area (i.e. TCP/UDP: port = All).

    Is there a trick in knowing what the proper Local Port range should be? And does it really matter whether there is a need for a range at all?

    I hope I've explained myself well enough. Any help is appreciated!

    Ryan
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi RyanM :)

    For the most common internet programs like browsers, emailers and so on, the range of the local ports is 1024 to 5000 (all ports greater than the "well known" ports (1 to 1023), i.e. > 1023, up to port 5000).

    This range is the default for Windows XP and it is set in this registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    MaxUserPort

    Default value= 5000

    This setup works for almost every application and you don't have to change it except for some special applications like The Onion Router (Tor), which requires a greater local port range for the server part of the application.

    So, a general rule for all common internet programs looks like this:

    Protocol: TCP
    packets : in and out
    address: From my @IP (the local IP address of your PC)
    local ports : between 1024 to 5000
    addresses: all (none specified)
    remote ports: all (none specified)
    Applications: all (no specific program needed to activate this rule)

    You may also create some specific rules for an emailer for example:

    Protocol: TCP
    packets : in and out
    address: From my @IP (the local IP address of your PC)
    local ports : between 1024 to 5000
    remote ports: equal to 25 or 110
    Applications: Thunderbird, Outlook

    This is a specific rule enabled when these programs connect to internet...

    However, with a general rule like the first one shown in my example, there is no need for specific rules like the second example...

    With these exceptions: specific rules are needed when the program:

    - uses TCP and UDP: like the eDonkey KAD rule: port 4672 local and remote in TCP and UDP...

    - uses UDP only, like Skype using local port 21047 in UDP...

    - uses some specific local ports: Messenger "Voice" with the 6901 local port

    - needs a remote connection on local port(s), like a server or the server part of any p2p program (eMule, BitTorrent, etc.)

    I hope all these things are clearer for you now.
    Let us know.

    :)
     
  3. RyanM

    RyanM Registered Member

    Joined:
    Jun 8, 2006
    Posts:
    23
    Thanks for your quick reply :D

    Okay. I now understand (a little more) about the default port ranges. So from now on, when I create a specific rule, I'll make sure to note the proper range of 1024-5000 for the Local Port side. This brings up another question though:

    In another post, someone had written this:

    "...I have a quick question about rules that pertain to the direction set to "inbound and outbound". Normally I make a set of inbound only and/or outbound only per application when needed but, when the rules states the direction is "inbound and outbound" which side is for local ports and which side is for remote ports."

    You replied:

    "Left side : local addresses and ports (from @IP = your local IP address)
    Right side: remote addresses and ports"

    This seems reasonable, but here's something from the LnS help file:

    "...if you want to Allow or block Outgoing Events to the HTTP server you'd enter the Remote[Destination] Port onto the right hand “TCP/UDP: port” field with Local[Source] Port onto the left hand “TCP/UDP: port” field ... but if you want to Allow or block Inbound Events from the HTTP server you'd enter the Remote[Destination] Port onto the left “TCP/UDP: port” field with Local[Source] Port onto the right hand “TCP/UDP: port” field..."

    Of course, the above quote is for blocking http traffic only, but it could be used to block any sort of connections...

    What do you make of that quote? Would it be possible to block Inbound connections using your method, or just the Outbound connections? It would seem that to block Inbound connections using the "Inbounds & Outbounds" option, you would need to put the local ports on the RIGHT side and the remote ports on the LEFT side. This is confusing!

    Ryan
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Under Vista, the local port (selected by Windows for client connections) is no longer 1024-5000 but 49152-65535.
    With the 2.06 version of Look 'n' Stop, there is now a new criterion for the port to have it in "Local Range" (whatever the version of Windows you are using). Depending on the version of Windows, Look 'n' Stop automatically selects the right range.

    Also when using Internet Connection Sharing with Windows XP SP2, the range 49152-65535 is used for the client connections.

    Frederic
     
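The rule layout Climenole describes above and the XP/Vista range difference Frederic adds are easy to get wrong in the GUI. The following Python is an added example written for this page (not Look 'n' Stop code and not from either poster) that models both points: the ephemeral range the stack hands to client sockets, including the MaxUserPort fallback Frederic mentions, and a matcher that treats the left-hand field as the local port whichever way the packet is travelling. Names such as ephemeral_range, Rule, Packet, packet_from_wire and decide are this example's own; the packet samples are constructed; treating every Windows version other than XP as using 49152-65535 is an assumption made for the example, as is the default-block fall-through.

```python
"""Added example (not Look 'n' Stop code): models which local port range
Windows hands to client sockets and how a rule's left (local) and right
(remote) port fields match packets in either direction. Rule semantics
follow the thread's description; sample packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]                  # inclusive (low, high)

WELL_KNOWN_MAX = 1023                        # "well known" ports are 1..1023
XP_DEFAULT_MAXUSERPORT = 5000                # used when Tcpip\Parameters\MaxUserPort is absent
IANA_EPHEMERAL: PortRange = (49152, 65535)   # Vista, and XP SP2 with ICS, per the thread


def ephemeral_range(windows: str, max_user_port: Optional[int] = None) -> PortRange:
    """Local port range the stack picks for outbound client connections.

    max_user_port is the MaxUserPort registry value if present. It may be
    missing, and it only fixes the upper limit, so the lower bound (first port
    above the well-known range) has to be a built-in default. Windows accepts
    MaxUserPort only in 5000..65534; values outside that window fall back to
    the default here (an assumption for this example, not documented behaviour).
    Anything that is not "xp" is assumed to use the IANA range.
    """
    if windows.lower() == "xp":
        high = XP_DEFAULT_MAXUSERPORT
        if max_user_port is not None and 5000 <= max_user_port <= 65534:
            high = max_user_port
        return (WELL_KNOWN_MAX + 1, high)
    return IANA_EPHEMERAL


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str                      # "TCP" or "UDP"
    direction: str                     # "in", "out" or "both" ("in and out" in the GUI)
    local_ports: Optional[PortRange]   # left-hand "TCP/UDP: port" field; None = all
    remote_ports: Optional[PortRange]  # right-hand field; None = all
    action: str                        # "allow" or "block"


@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str        # "in" = arriving at my @IP, "out" = leaving it
    local_port: int       # the port on this host, whatever the direction
    remote_port: int


def packet_from_wire(protocol: str, direction: str, src_port: int, dst_port: int) -> Packet:
    """Map source/destination as seen on the wire onto local/remote.

    Outbound: source is local. Inbound: destination is local. The help-file
    quote in RyanM's post speaks in source/destination terms; converting to
    local/remote once lets a single rule with left = local cover both directions.
    """
    if direction == "out":
        return Packet(protocol, "out", src_port, dst_port)
    if direction == "in":
        return Packet(protocol, "in", dst_port, src_port)
    raise ValueError(f"unknown direction {direction!r}")


def _in_range(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol == pkt.protocol
            and rule.direction in ("both", pkt.direction)
            and _in_range(pkt.local_port, rule.local_ports)
            and _in_range(pkt.remote_port, rule.remote_ports))


def decide(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, Optional[str]]:
    """First matching rule wins; no match falls through to the default (assumed block)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None


def uncovered_ephemeral_ports(rule: Rule, eph: PortRange) -> int:
    """Number of the stack's ephemeral ports outside the rule's local field.
    Non-zero means some client connections will never hit this rule."""
    if rule.local_ports is None:
        return 0
    lo, hi = rule.local_ports
    covered = max(0, min(hi, eph[1]) - max(lo, eph[0]) + 1)
    return (eph[1] - eph[0] + 1) - covered


def general_rule(eph: PortRange) -> Rule:
    """Climenole's general TCP rule, with the local field taken from eph."""
    return Rule("TCP general", "TCP", "both", eph, None, "allow")


if __name__ == "__main__":
    xp_rules = [general_rule(ephemeral_range("xp"))]
    # Constructed sample: browser on XP opens a connection and receives the reply.
    syn = packet_from_wire("TCP", "out", src_port=1500, dst_port=80)
    syn_ack = packet_from_wire("TCP", "in", src_port=80, dst_port=1500)
    print(decide(xp_rules, syn), decide(xp_rules, syn_ack))
    # Same rule set on Vista: client port 50000 is outside 1024-5000, so it falls through.
    print(decide(xp_rules, packet_from_wire("TCP", "out", src_port=50000, dst_port=80)))
    print(uncovered_ephemeral_ports(xp_rules[0], ephemeral_range("vista")))
```

The last two calls are the thread's point in numbers: a rule set written for XP's 1024-5000 leaves all 16384 ports of the 49152-65535 range uncovered, so on Vista (or XP with ICS) every client connection misses the general rule and lands on the default. Building the local field from ephemeral_range, as the 2.06 "Local Range" criterion does, removes the gap.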
  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Frédéric :)


    Thank you for this valuable information.

    One remark. The new option "dans local" (in the LNS Fr. version) automatically gives the default Windows XP range, which is correct for the vast majority of users. However, this new option is "built-in" for the default range and not based on the value of the registry key "MaxUserPort".

    (I don't ask you to change this...). Is it possible to make a notice about this in the LNS documentation for the final 2.06 version?

    :)
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Climenole,
    The problem is that MaxUserPort is not present systematically, so a default in Look 'n' Stop was needed anyway. And also it gives only one limit.
    But I agree, at least when MaxUserPort is there, Look 'n' Stop could use it.
    Yes, of course, it has to be included.

    Another information, for experts (this one won't be in the documentation ;) ): it is possible to change the default local range in Look 'n' Stop registry by changing: LocalPortStart & LocalPortEnd.

    Frederic
     
  7. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Frédéric :)

    Thank you !

    :)
     