If you're still concerned and simply not convinced by either of the provided answers for your question you could do attempt the following. ![]() ![]() What you've identified isn't usually considered an issue (for HTTP) with modern operating systems as their respective network stacks will know which packets are related to which packets. In order for a user-land application to bind (use) one of these ports additional privileges are required by the application (such as running with administrative privileges, or using a particular capability in Linux, see this.). Most operating systems consider ports below 1024 (0-1023) privileged. The second reason mentioned above is about security. Using multiple connections to download content is one way to help overcome this limitation as is HTTP-pipelining. You see, there are a number of limitations in how HTTP works as a protocol such as a single requests at a time. If you were to enforce your operating system (and client software) to use only port 443 you'd significantly reduce the opportunity for the OS and browser to use network parallelism, something that is utilised to increase the speed of page-loading. There are several reasons, allow me to highlight a few that may help you in understanding why this isn't necessarily a problem. Why is my operating system using these high-numbered ports instead of 443 you may ask? These are dynamically allocated by the network stack in your operating system. It has already been explained that what you see are the so called ephemeral ports. Should you however want to understand why the configuration is not all that great, by all means, continue to read. If you fully understand the consequences of your question and all that it entails I suspect my answer may not be one that you seek. Note: While you ask for a solution I will provide you with some background as to why you may not want to do what you're attempting. Let me try and explain this as plainly as possible, without necessarily sacrificing clarity and correctness. There are generally no stupid questions and this is a fairly legitimate question to ask, so no need to apologise. To allow HTTPS on a basic packet filter firewall? This seems like a stupid question, but how do I set up a firewall rule While also blocking all inbound packets, and still having the ones that matter - the responses to your requests - arriving normally. That's why, counter-intuitively, you use outbound rules to protect the client, even though you're worried about incoming packets. Ex.: client sends a packet to server (src: 55680, dest: 443), client firewall accepts (outbound ok, dstn ok), packet is sent the response comes to the same 55680 port, but the firewall lets it through - rule to block inbound does not apply here, since it's a response to a request that initiated in the client machine. Note: also explained in that other question, a stateful firewall will allow a machine that received a request to send a response to the same ip/port regardless of the outbound settings, and vice versa, that's why your config does not need to worry about ephemeral ports. So your client firewall should have: dest ip (any ) If your concern is with protecting the client, then you should restrict the destination port (and, even better, the ip as well) to 443 and disallow inbound connections (assuming your client is not expecting them). ![]() The outbound and dest rules will limit what requests from your server to somewhere else will be available, so set them according to your needs. Do this if your concern is with protecting the server. To disallow anyone from trying to connect to it through a port other than 443 ( warning: you should enable the SSH/etc port too, or you'll be locked out of your server). From the answers I got, I may say that your server firewall should have: src ip (any) I know very little about firewalls, and some time ago asked this question on SF to address an elementary doubt of mine. these rules are for the packet filter built into my routerĪre you setting up this firewall on your server or your client? Your rules (outbound only, destination restricted) suggest client settings, but you question and comment suggest server settings.How should I set up the rule to allow loading https websites? (is it not working because of the order in which the rules are read by the firewall?).The outbound traffic seems OK, but I am dropping packets like this (This example is loading a twitter page, the akamai content): 23.9.229.210:443 > :62712, AS Seq=#, Ack=-# -Black List Defense This seems like a stupid question, but how do I set up a firewall rule to allow HTTPS on a basic packet filter firewall? The purpose is I want to be able to browse to sites like and have all images load etc. Setting up Firewall rule for HTTPS websites on basic stateless packet filter firewall
0 Comments
Leave a Reply. |