
RE: Router, NAT, Firewall discussion

Discussion in 'Networking (Hardware & Software)' started by ReggieB, 2004/05/18.

Thread Status:
Not open for further replies.
  1. 2004/05/18
    ReggieB

    One point I would make concerns ports. It is a common misconception that because a port is assigned to a particular service, this is the only port used when communicating between a server and client. In fact the port assignment refers to THE SERVICE. The client will use a different port (usually in the unassigned range above 1024).

    If you close incoming port 80 you will not prevent users inside your firewall from browsing the internet.

    If a local user at 10.0.0.5 wishes to connect to a web server at 21.21.21.21, it will send packets addressed to 21.21.21.21:80. However, the port the local user's system will listen for a reply on will be in the range above 1024. Shall we say 2000, for example. Therefore the sent port address will be 10.0.0.5:2000.

    The server will have a service listening on port 80. It will receive the packet, process it, and reply by sending a packet to 10.0.0.5:2000 from 21.21.21.21:80.

    Therefore, as the reply is sent to the client's port address, it will be unaffected by a block on the client's listening port 80.

    One advantage of this system is that a second session from the client would use a different client-side port address to the first. Thereby the two streams of traffic can be kept separate.

    For example, if the user on 10.0.0.5 were to open two browser windows and point them both at www.windowsbbs.com, the browser sessions wouldn't get confused because different client-side ports would be used. For example, one set of traffic may be between:

    10.0.0.5:2000 and www.windowsbbs.com:80

    The other set of traffic may be between

    10.0.0.5:3245 and www.windowsbbs.com:80

    The different sets of client-side ports allow the communication to be uniquely identified at the transport layer.
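
The post's example as a runnable sketch (added here, not part of the original post): it applies a block on inbound destination port 80 to reply packets and uses the client/server address pairs to tell the two browser sessions apart. The window labels and function names are illustrative, and the loopback listener on an OS-chosen port is an assumption standing in for a web server on port 80.

```python
import socket

BLOCKED_INBOUND_PORTS = {80}   # the post's "close incoming port 80" rule
SERVER = ("21.21.21.21", 80)   # addresses and ports taken from the post
SESSIONS = {"window-1": ("10.0.0.5", 2000), "window-2": ("10.0.0.5", 3245)}

def build_table():
    """Map each outbound flow (client endpoint, server endpoint) to a session label."""
    return {(client, SERVER): label for label, client in SESSIONS.items()}

def handle_inbound(table, src, dst):
    """Apply the port block, then demultiplex the packet by its address/port pairs.
    Returns (verdict, session label or None)."""
    if dst[1] in BLOCKED_INBOUND_PORTS:
        return "drop", None
    return "pass", table.get((dst, src))  # a reply has the endpoints swapped

def two_sessions_on_loopback():
    """Open two real TCP sessions to one listener; return (server_addr, client_addrs)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port (stand-in for 80)
    srv.listen(2)
    server = srv.getsockname()
    conns = [socket.create_connection(server) for _ in range(2)]
    try:
        return server, [c.getsockname() for c in conns]
    finally:
        for c in conns:
            c.close()
        srv.close()

if __name__ == "__main__":
    table = build_table()
    for client in SESSIONS.values():
        # Reply packet: from the server's port 80 to the client's own port.
        print("reply to", client, "->", handle_inbound(table, SERVER, client))
    # Constructed unsolicited packet aimed at port 80 on the client itself.
    print("to client port 80 ->",
          handle_inbound(table, ("21.21.21.21", 4000), ("10.0.0.5", 80)))
    server, clients = two_sessions_on_loopback()
    print("listener", server, "client-side ports", [port for _, port in clients])
```
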
     
  2. 2004/05/18
    Newt
