Ports for Windows Update & Internet Explorer??

Discussion in 'other firewalls' started by Timothy Williams, Jul 8, 2003.

Thread Status:
Not open for further replies.
  1. Hello all,

    Please excuse my ignorance of networking/security. These questions are probably pretty basic, but the only way to learn is to ask, right?
    I have thoroughly Google'd the web and can't find any relevant answers to my questions.

    I'm using a port filter (NOT LnS) on my webserver. I have all incoming connections on all ports except for ports 80 and 443 blocked.

    My problem is that I can't use Internet Explorer from the server to connect to a remote website. Using a port monitor tool, I was able to figure out that Internet Explorer (when connecting to a webserver) attempts to open several local ports (usually in the range of about 1300-1600)...I am assuming then, that you must have a local port(s) open to receive the data that is being transmitted from the port 80 of the remote webserver. However, I don't know which ports to open as the port numbers that Internet Explorer chooses appear to be somewhat random. Can someone please explain this to me?

    In addition, I have the webserver configured to automatically download and install critical updates. I am assuming it probably does this via HTTP, and that the above situation will also prevent my server from downloading automatic updates, correct?

    Any info would be most appreciated!
     
  2. CrazyM

    CrazyM Firewall Expert

    "port filter" "port monitor tool" o_O

    From your other comments it would appear whatever you are using is not allowing proper two way communication.

    Any particular reason you do not want to run a firewall (hardware or software) to protect your server?

    When you initiate a request to a web site (outbound to remote service/port 80/http) your system will use dynamically assigned ports in the ephemeral range (local service/ports 1024-5000) for its side of the communication. (IE will also use UDP loopback which could also be part of what you are seeing)

    Example TCP rules for inbound to web server and the usual outbound for browsing are in the attached image.

    Regards,

    CrazyM
     


  3. Tim Williams

    Tim Williams Guest

    Yes...there is a reason I don't have a firewall.

    I lease a dedicated server from Affinity. My only way of managing the server is via Remote Desktop. Every firewall that I have tried to install on the server has begun blocking incoming connections on 3389 (the remote desktop port) immediately after installation (locking me out of the server, unable to change the configuration of the firewall to let myself back in).

    Affinity provides no managed firewall service. They do have some basic services (such as automatic disconnection at the switch when a Denial of Service attack is detected) but not much.

    So, the only thing that I could find that I could install without getting locked out of my server was CHX-I Port Filter. Besides, it pretty much does exactly what I want it to do; it blocks all incoming ports besides 80 and 443, which is, for the most part, what I wanted to do.

    I appreciate your advice. I think what I need to do is instead of ALLOWING incoming connections on only 80 and 443 (and blocking everything else), I simply need to explicitly DIS-ALLOW incoming connections on those ports which have running services that I wouldn't want an Internet user connecting to, and ALLOW all other ports... this would leave plenty of "dynamic" ports available for Internet Explorer.

    Sound reasonable?
     
  4. CrazyM

    CrazyM Firewall Expert

    Hi Tim

    CHX-I is a good stateful packet filter, but works a little differently.

    With CHX-I inbound and outbound packets are dealt with separately in the policy/rules. This is likely why you are seeing those blocked packets when trying to surf, as your rules do not allow for those inbound return packets, just the outbound request to remote service/port 80/http.

    With your rules you could try the following:

    First rule to create is a Deny TCP Connections (deny inbound TCP with the Syn flag set).

    Then create Force Allow rules for your server (allow inbound TCP to local service/ports 80/443)

    You would then have your other specific allow outbound rules for the common remote services you want to access (i.e. outbound TCP to remote service 80 for browsing)

    In order for these outbound requests for common remote services to work, you will need to create a rule allowing inbound TCP to local service/ports 1024-5000.

    You would also need your other rules for DNS and ICMP, but hopefully the above will address the problem you are experiencing.

    Regards,

    CrazyM
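An added illustration (not from the thread, and not CHX-I's actual policy format): a small Python model of separate inbound/outbound rule evaluation, showing why the "inbound only to 80/443" policy from the first post drops the replies to Internet Explorer's ephemeral ports, and how the rule order described above lets those replies through while still refusing unsolicited connections into the 1024-5000 range. Force Allow is modelled as overriding a deny rule, which is an assumption about how CHX-I evaluates it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the server
    local_port: int
    remote_port: int
    syn: bool           # True = connection-opening packet (SYN without ACK)

@dataclass(frozen=True)
class Rule:
    action: str         # "deny", "allow" or "force_allow" (assumed to override deny)
    direction: str
    local_ports: Optional[range] = None   # None = any port
    remote_ports: Optional[range] = None
    syn_only: bool = False                # match only new connection attempts

    def matches(self, p):
        return (p.direction == self.direction
                and (self.local_ports is None or p.local_port in self.local_ports)
                and (self.remote_ports is None or p.remote_port in self.remote_ports)
                and (not self.syn_only or p.syn))

def evaluate(rules, p):
    """Force-allow rules win outright; otherwise first match decides; default deny."""
    for r in rules:
        if r.action == "force_allow" and r.matches(p):
            return "allow"
    for r in rules:
        if r.action != "force_allow" and r.matches(p):
            return r.action
    return "deny"

# Post 1's policy: inbound only to 80/443, everything outbound allowed.
ORIGINAL = [Rule("allow", "in", local_ports=range(80, 81)),
            Rule("allow", "in", local_ports=range(443, 444)),
            Rule("allow", "out")]
# Post 4's rule set: deny new inbound connections first, force-allow the server ports,
# allow outbound browsing, then allow inbound return traffic to the 1024-5000 range
# (a SYN aimed into that range is already caught by the deny rule).
SUGGESTED = [Rule("deny", "in", syn_only=True),
             Rule("force_allow", "in", local_ports=range(80, 81)),
             Rule("force_allow", "in", local_ports=range(443, 444)),
             Rule("allow", "out", remote_ports=range(80, 81)),
             Rule("allow", "in", local_ports=range(1024, 5001))]
# Constructed samples: the remote web server's reply to IE on local port 1500,
# and an unsolicited connection attempt aimed at that same ephemeral port.
RETURN_FROM_WEB = Packet("in", local_port=1500, remote_port=80, syn=False)
PROBE_EPHEMERAL = Packet("in", local_port=1500, remote_port=40000, syn=True)
```

`evaluate(ORIGINAL, RETURN_FROM_WEB)` yields "deny" (the symptom in the first post), while `evaluate(SUGGESTED, RETURN_FROM_WEB)` yields "allow" and `evaluate(SUGGESTED, PROBE_EPHEMERAL)` still yields "deny".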
     