opening a FW port specific URL

Discussion in 'other firewalls' started by cafescott, Feb 12, 2011.

Thread Status:
Not open for further replies.
  1. cafescott

    cafescott Registered Member

    Joined:
    Dec 23, 2009
    Posts:
    15
    hi, I hope this isn't too dumb of a question. However, can most firewalls be configured so that they will open up a port only for a specific URL?

    let's say a company only wants to be able to connect to windows update through a specific port while nothing else goes through. so, you need an inbound rule that says only this IP gets in, and an outbound rule that says only the receiving PC uses the port.

    thanks.
     
  2. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    For a specific URL that can be a problem, but for a specific IP address it is not. It will be possible, for example, in a rule-based firewall like LNS.
     
  3. cafescott

    cafescott Registered Member

    Joined:
    Dec 23, 2009
    Posts:
    15
    thanks, Creer. Microsoft's IP address is 207.46.197.32. so, we should be able to set inbound and outbound rules on our firewall to allow a single PC to connect to this IP in order to download security updates.

    is this technique called 'port forwarding'? If not, what term describes it?

    thanks!
     
  4. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Port forwarding is useful when your computer acts as a server.

    OK, I will show you this on a rule example from my software firewall (Look'n'Stop):
    This is a specific rule for WU (with the IP you provided), matched also against the Local IP and MAC address of your computer.

    [image: wu_lns_rule.png]

    This rule allows a connection out/in to the remote machine at IP address 207.46.197.32 and to remote ports 80 or 443 (used by WU).
     
    Last edited: Feb 13, 2011
  5. wat0114

    wat0114 Guest

    Hi cafescott,

    unfortunately, you will need more than that and a bit different setup. You only need an outbound rule (no inbound needed because you are not running a server), and then you are going to require more than one remote IP address, because Microsoft has numerous update servers, so limiting the firewall to one IP address will not work. You should also set remote TCP ports to: 80 & 443.

    Simply navigating to that site -> Security updates triggered the following remote IP addresses to be logged on my machine:

    65.55.27.0/24
    66.150.117.0/24
    207.46.206.0/24
    65.242.27.0/24

    The /24 represents a CIDR mask, in these cases meaning the last octet could be anywhere from .1 -> .254

    What is CIDR (Classless Inter-Domain Routing)?:

    -http://infocenter.guardiandigital.com/manuals/IDDS/node9.html

    No, it's not port forwarding. Here is an explanation:

    -http://portforward.com/help/portforwarding.htm

    Finally, as an example, here is my Windows Update rule for svchost (service wuauserv.exe) using Windows 7:

    Code:
    Rule Name:                            Custom Rule - Allow svchost - wuauserv  to Port 80 & 443 - Service: wuauserv
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Direction:                            Out
    Profiles:                             Public
    Grouping:                             
    LocalIP:                              Any
    RemoteIP:                             65.54.51.0/24,65.54.95.0/24,65.55.0.0/16,206.108.207.0/24,207.46.0.0/16
    Protocol:                             TCP
    LocalPort:                            Any
    RemotePort:                           80,443
    Edge traversal:                       No
    Action:                               Allow
    You'd most likely require different IP address/CIDR masks, assuming you are in a different geographical region. I'm assuming you want to create this rule in a hardware appliance firewall? If so, it will no doubt be somewhat different from mine.
    I forgot to mention this is not actually "opening" a port, either. The inbound range of ports governed by the firewall rule will only allow solicited inbound traffic, and only after it is initiated by an outbound connection from a selected program or service.
     
    Last edited by a moderator: Feb 13, 2011
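    The manual work in the post above (reading logged remote addresses, deciding whether each one falls inside the rule's RemoteIP CIDR list, and adding the ranges that don't) can be scripted. The following is an added example, not code from either poster or from Look'n'Stop or Windows Firewall; it uses the CIDR ranges quoted in the thread as constructed input, and the netsh command it prints is an assumed translation of the rule shown above into netsh advfirewall syntax (check it against `netsh advfirewall firewall add rule ?` on your own box).

    ```python
    """Check a Windows Update outbound allow-list against logged remote addresses.

    Added example for the thread above. The CIDR lists below are copied from the
    posts as sample input; they are not a current list of Microsoft update servers.
    """
    import ipaddress

    # RemoteIP list from the netsh rule quoted in the post above.
    RULE_REMOTE_IPS = [
        "65.54.51.0/24", "65.54.95.0/24", "65.55.0.0/16",
        "206.108.207.0/24", "207.46.0.0/16",
    ]

    # Ranges the poster saw in their log, plus the single address from post #3.
    LOGGED_RANGES = [
        "65.55.27.0/24", "66.150.117.0/24", "207.46.206.0/24", "65.242.27.0/24",
        "207.46.197.32/32",
    ]


    def parse_networks(cidrs):
        """Turn CIDR strings (or bare addresses) into ip_network objects."""
        return [ipaddress.ip_network(c, strict=False) for c in cidrs]


    def covering_rule(addr_or_net, rule_nets):
        """Return the rule network that fully contains addr_or_net, else None.

        A bare address such as "207.46.197.32" is treated as a /32.
        """
        net = ipaddress.ip_network(addr_or_net, strict=False)
        for rule in rule_nets:
            if net.version == rule.version and net.subnet_of(rule):
                return rule
        return None


    def uncovered(logged, rule_cidrs):
        """Logged ranges that the rule would block (not inside any RemoteIP entry)."""
        rule_nets = parse_networks(rule_cidrs)
        return [c for c in logged if covering_rule(c, rule_nets) is None]


    def slash24_span(cidr):
        """First address, last address and size of a block: a /24 is .0 to .255."""
        net = ipaddress.ip_network(cidr, strict=False)
        return (str(net.network_address), str(net.broadcast_address), net.num_addresses)


    def proposed_remote_ips(logged, rule_cidrs):
        """Existing RemoteIP list plus any uncovered logged ranges, overlaps merged."""
        nets = parse_networks(rule_cidrs) + parse_networks(uncovered(logged, rule_cidrs))
        return [str(n) for n in ipaddress.collapse_addresses(nets)]


    def netsh_add_rule(remote_ips, name="Allow svchost wuauserv to 80,443"):
        """Assumed netsh advfirewall equivalent of the rule quoted in the post."""
        return (
            'netsh advfirewall firewall add rule name="%s" dir=out action=allow '
            'program="%%SystemRoot%%\\system32\\svchost.exe" service=wuauserv '
            'protocol=TCP remoteport=80,443 profile=public enable=yes remoteip=%s'
            % (name, ",".join(remote_ips))
        )


    if __name__ == "__main__":
        missing = uncovered(LOGGED_RANGES, RULE_REMOTE_IPS)
        print("logged ranges the rule would NOT allow:", missing)
        print("/24 really spans:", slash24_span("65.55.27.0/24"))
        print(netsh_add_rule(proposed_remote_ips(LOGGED_RANGES, RULE_REMOTE_IPS)))
    ```

    Running it shows that two of the four logged /24s (66.150.117.0/24 and 65.242.27.0/24) are outside the rule's RemoteIP list, which is exactly the "you will need more than one address" point: compare the firewall log against the allow-list after each update run and widen the list only where the log shows real update traffic.
    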
  6. cafescott

    cafescott Registered Member

    Joined:
    Dec 23, 2009
    Posts:
    15
    wat0114 and Creer, thanks so much. your information is tremendously useful.

    cheers.
     