opening a FW port specific URL

hi, i hope this isn't too dumb of a question. however, can most firewalls be configured so that they will open up a port only for a specific URL?

let's say a company only wants to be able to connect to windows update through a specific port while nothing else goes through. so, you need an inbound rule that says only this IP gets in, and an outbound rule that says only the receiving PC uses the port.

thanks.

 

For specific URL that can be a problem but for specific IP address not. It will be possible for example in rule based on firewall like e.g. LNS.

 

thanks, Creer. Microsoft's IP address is 207.46.197.32. so, we should be able to set inbound and outbound rules on our firewall to allow a single PC to connect to this IP in order to download security updates.

is this technique called 'port forwarding'? If not, what term describes it?

thanks!

 

Port forwarding is useful when your computer is act as server.

OK I will show you this on rule example of my software firewall (Look'n'Stop):
This is specific rule for WU (with IP you provided) - matched also for Local IP and MAC address of your computer.



This rule allows for connection out/in to remote machine under IP address: 207.46.197.32 and to remote ports 80 or 443 (used by WU).

 

Hi cafescott,

unfortunately, you will need more than that and a bit different setup. You only need an outbound rule (no inbound needed because you are not running a server), and then you are going to require more than one remote ip address, because Microsoft has numerous update servers, so limiting the firewall to one ip address will not work. You should also set remote TCP ports to: 80 & 443.

Simply navigating to that site-> Security updates triggered the following remote ip addresses to be logged on my machine:

65.55.27.0/24
66.150.117.0/24
207.46.206.0/24
65.242.27.0/24

The /24 represents a CIDR mask, in these cases meaning the last octet could be anywhere from .1 -> .254

What is CIDR (Classles Domain inter routing)?:

-http://infocenter.guardiandigital.com/manuals/IDDS/node9.html

No, it's not port forwarding. Here is an explanation:

-http://portforward.com/help/portforwarding.htm

Finally, as an example, here is my Windows Update rule for svchost (service wuaserv.exe) using Windowas 7:

Code:

Rule Name:                            Custom Rule - Allow svchost - wuauserv  to Port 80 & 443 - Service: wuauserv
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Public
Grouping:                             
LocalIP:                              Any
RemoteIP:                             65.54.51.0/24,65.54.95.0/24,65.55.0.0/16,206.108.207.0/24,207.46.0.0/16
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           80,443
Edge traversal:                       No
Action:                               Allow

You'd most likely require different ip address/CIDR masks assuming you are in a different geographical region. I'm assuming you want to create this rule in a hardware appliance firewall? If so, it will no doubt be somewhat different than mine.
I forgot to mention this not actually "opening" a port, either. Your inbound range of ports governed by the firewall rule will only allow solicited inbound traffic only after initiated by an outbound connection from a selected program or service.

 

wat0114 and Creer, thanks so much. your information is tremendously useful.

cheers.