
Basics of TCP/IP, Switching, Routing and Firewalling.

Why this article?

After reading the question "My DCC is not working ... can anyone help me pls??" at least a gazillion times, I have been thinking about the cause or causes of this "problem" for quite some time now. Most of the people asking this question did everything right when configuring the chat client or the other applications they use to connect to the Internet. DCC or other network services should be working fine, but they don't. The most common reason for the problems those people are facing is, in my honest opinion, a piece of the network that is not properly configured. Because of this, the "information" needed by the "other side" (the remote host) is not being transmitted over the network (in this case the network is the "bad, bad" Internet), or the packets sent by the remote host are not reaching the network in which the requesting computer (the local host) resides. To understand why this happens, one has to know what the different networking devices do with the network traffic they send and receive. The network that people think they are using looks (simplified) basically like this:

Local host -- Router1 -- Internet -- Router2 -- Remote Host

Most people connecting to the Internet nowadays are using a nice little thing they call a Router or DSL-Router. This is where some of the problems start... Is this nice little nifty device only a router? Or is there more behind it? To understand what this wonderful piece of technology is capable of, we need to know a bit more about the different pieces a little home network is made of and how they work. Now where to start? Imagine a user somewhere in this world, sitting behind a computer, pushing the power button, waiting for the OS to come up, then starting his or her favourite browser (which I hope is Mozilla Firefox ;)), typing www.google.de and hitting the enter key. What happens next...? The German start page of the Google search engine appears on the screen in front of that user. Now that's easy, isn't it? :) Hmmm... was this really as easy as it looked? Definitely not ;) To understand what happens we will need a bit of theory. I'll try to keep this as brief as possible.

TCP/IP Networking

An Ethernet local area network (LAN) is essentially a (logical) bus-based broadcast network, though the physical implementation may use hubs (with a physical star topology). As one would expect, broadcast LANs must deal with collisions, either by preventing them or by detecting them and taking appropriate action. Token-based LANs avoid collisions by allowing only one host at a time to transmit (the host that currently holds the token may transmit). The standards that relate to LANs are primarily the IEEE 802.x series. For instance, 802.3 is the Media Access Control (MAC) standard for CSMA/CD (Carrier Sense Multiple Access with Collision Detection, the Ethernet standard), while 802.5 is the MAC standard for Token Ring. Just above the MAC level is the Logical Link Control (802.2) standard, and above that the High Level Interface (802.1) standard. Within a LAN, addressing is done with MAC addresses. Between LANs (connected over the Internet, a WAN (Wide Area Network), with routers in between) using TCP/IP, addressing is done using IP addresses. If you are lost at this point, keep reading, because much of this will be explained below ;)

The OSI Model

After TCP/IP was well established and other networking protocols, such as DECnet and Novell's IPX, were operational, the International Standardization Organization (ISO) developed the Open Systems Interconnection (OSI) seven-layer reference model. The following list details the seven layers of the OSI reference model, with a functional description and examples for each:

Layer 7 - Application: Interface between network and application software. Examples: Telnet, HTTP, WWW browsers.
Layer 6 - Presentation: How data is presented; encryption. Examples: JPEG, ASCII.
Layer 5 - Session: Establishing, maintaining and managing end-to-end bidirectional flows between endpoints. Examples: operating systems, application access.
Layer 4 - Transport: Reliable or unreliable delivery; multiplexing. Examples: TCP, UDP, SPX.
Layer 3 - Network: Logical addressing, which routers use for path determination. Examples: IP, IPX.
Layer 2 - Data link: Combination of bits into bytes, and bytes into frames. Access to the media using the MAC address. Error detection and error recovery. Examples: 802.3/802.2, HDLC.
Layer 1 - Physical: Moving bits between devices. Specification of voltage, wire speed and cable pinouts. Examples: EIA/TIA-232, V.35.

The seven layers of the OSI reference model can be divided into two categories: upper layers and lower layers. The upper layers of the OSI model deal with application issues and generally are implemented only in software. The lower layers of the OSI model handle data transport issues. The physical layer and the data link layer are implemented in hardware and software. The lowest layer, the physical layer, is closest to the physical network medium (the network cabling, for example) and is responsible for actually placing information on the medium.

A wide variety of communication protocols exist. Some of these protocols include LAN (Local Area Network) protocols, WAN (Wide Area Network) protocols, network protocols, and routing protocols. LAN protocols operate at the physical and data link layers of the OSI model and define communication over the various LAN media. WAN protocols operate at the lowest three layers of the OSI model and define communication over the various wide-area media. Routing protocols are network layer protocols that are responsible for exchanging information between routers so that the routers can select the proper path for network traffic. Finally, network protocols are the various upper-layer protocols that exist in a given protocol suite. Many protocols rely on others for operation. For example, many routing protocols use network protocols to exchange information between routers. A given layer in the OSI model generally communicates with three other OSI layers: the layer directly above it, the layer directly below it, and its peer layer in other networked computer systems. The data link layer in System A, for example, communicates with the network layer of System A, the physical layer of System A, and the data link layer in System B.

Now, let's go back to our little example. A user somewhere in this world pushes the power button of his computer. The computer starts its BIOS (Basic Input Output System) and does a POST (Power On Self Test); after a few more tests it searches for the OS (Operating System) and starts it. In other words, this computer is running through the OSI model from bottom to top, starting with layer one and having reached layer five when the basics of the OS are running. Now the GUI (Graphical User Interface) is started and the computer runs through layers six and seven. Why is this computer already running on layer seven of the OSI model? It's simple: the GUI of Microsoft Windows is explorer.exe, which is an application. Now the web browser is started, the user types www.google.de and hits the enter key. This data is processed from the top to the bottom of the OSI model and sent over the network.

The Home Network

Now that we have come this far, it's time to break our little home network up into pieces and have a closer look at the single components. Let's start with the thing you are probably sitting in front of, reading this document.

The Computer

As we already know, this is a nice piece of technology that is capable of running on all seven layers of the OSI model. Why is this important? You will see in a moment. This device allows you to run applications (OSI layer 7) and is capable of sending data over the network using the NIC (Network Interface Card), which operates on OSI layer 2. Why does the NIC have to be an OSI layer 2 device? It's simple: it has a hard-coded MAC address and, when it's not a wireless one, has a piece of cable plugged in that connects it to a hub or switch. It does not know anything about IP addresses, port numbers or the protocol that is probably running in the little home network... TCP/IP.

TCP/IP (Transmission Control Protocol/Internet Protocol) is a protocol suite that is implemented in the OS you are using and runs on OSI layers 3 and 4, the network and transport layers. TCP/IP is responsible for your computer having an IP address and gives it the possibility to communicate with other systems using IP addresses, a subnet mask, port numbers and a default gateway. The fact that your computer can run at OSI layer 4 using TCP/IP makes it possible to run a firewall on this device. Most of you will have at least one firewall running on the computer once Windows XP SP2 is installed. This firewall is active by default and could be a possible cause for blocking traffic you'd rather like to get. (See, we are getting to the point now ;)) Most users connecting to the Internet don't know that one firewall, though it isn't a good one in my opinion, is already up and running, so they download a third-party product like Zone Alarm. They install this firewall and, not really knowing what they are doing, click on allow or block for this or that application or traffic, ending up with a second, probably misconfigured, firewall up and running. Most people know that viruses can be really nasty things and are, without proper knowledge, not easy to remove from an infected system, so they purchase or download an antivirus product (like Bitdefender or NortonAV), not knowing that nowadays most of these software packages have a built-in firewall that is installed and... up and running by default. To be sure that no virus can infect the computer, they use several products from different vendors, or they install different products from the CDs/DVDs that come with computer magazines. Now already 3-4 (or even more) firewalls are running on the computer! Scrolling back up to the little network at the beginning of this article, I think that picture already needs a revision ;)

The next part of the home network is the network cable connecting the computer's NIC to the hub or switch. Could this piece of the network be responsible for the connectivity problems? Yup!! When it's broken or not connected, because it's the OSI layer 1 piece of the network ;) OK, let's presume the cable isn't causing the problems. The next piece of our network would be the hub or switch.

Hubs and Switches

What is the difference between a hub and a switch, how do they work, and could they be responsible for parts of the data transmission not working like they should? Most people think of hubs and switches as a kind of multiple socket outlet for connecting computers. Basically this is true for most of the devices used in small home/office networks. When a hub receives a data packet, it "shouts" it out of all ports except the one it received the packet on. So all computers connected to the hub receive that packet, whether it was destined for them or not. How does a computer know if that little packet was meant for it? That's very simple... the computer's NIC reads the destination MAC address in the packet header and accepts the packet when it's its own MAC; otherwise the NIC drops the packet. Because of this, a hub is working on layer 2 of the OSI model. It cannot be responsible for not letting through any packets it receives.

Because hubs cause a lot of unnecessary network traffic, switches were invented. A switch "learns" the MAC addresses of the NICs connected to its ports, writing them down in a MAC address table. When a switch receives a data packet on one port, it reads the destination MAC address from the packet header and then forwards the packet only to the port to which the NIC with this address is connected, thus reducing the network traffic by a very good amount. The only traffic transported out of every port of the switch, apart from the port the switch is receiving the packet on, is the broadcast traffic the computers connected to the switch are causing. This "one-to-one" communication still does not need IP addresses; it is based on MAC addresses only. That's why a switch is an OSI layer 2 device too. It cannot be responsible for rejecting any network traffic and therefore cannot be part of the troubleshooting for users not being able to DCC or to use any other networking service. Now I can see a bit of gloom coming into your eyes. There's only one device left in our little home network, besides that dang computer that already has a number of firewalls running on it, that could cause the problems we are so eager to solve ;)) I can see you thinking... HAH! It's gotta be the Router!!!
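The learning behaviour described above, as an added example (not the article's own code): a small Python model of a switch building its MAC address table from the source addresses it sees, beside a hub that keeps no table and repeats everything. The MAC addresses and port numbers are constructed for illustration.

```python
# Added example (not from the original article): a learning switch that
# forwards frames by destination MAC, beside a hub that floods every frame.
# All MAC addresses and port numbers below are constructed for illustration.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch: builds a MAC address table from source addresses."""

    def __init__(self, port_count):
        self.ports = list(range(1, port_count + 1))
        self.mac_table = {}          # MAC address -> port it was last seen on

    def forward(self, ingress_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        # Learning: remember which port the source MAC lives behind.
        self.mac_table[src_mac] = ingress_port
        # Broadcast, or a destination not yet learned: flood all other ports.
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return [p for p in self.ports if p != ingress_port]
        # Known destination: one port only. A frame whose destination sits on
        # the ingress port is dropped, it already reached that segment.
        out = self.mac_table[dst_mac]
        return [] if out == ingress_port else [out]


class Hub:
    """A hub has no table: every frame goes out of every other port."""

    def __init__(self, port_count):
        self.ports = list(range(1, port_count + 1))

    def forward(self, ingress_port, src_mac, dst_mac):
        return [p for p in self.ports if p != ingress_port]


def demo():
    """Replay a few constructed frames and return the egress ports per device."""
    pc_a = "00:11:22:aa:aa:aa"
    pc_b = "00:11:22:bb:bb:bb"
    pc_c = "00:11:22:cc:cc:cc"
    frames = [
        (1, pc_a, pc_b),        # A talks to B before the switch knows B: flooded
        (2, pc_b, pc_a),        # B replies; A is already known: port 1 only
        (1, pc_a, pc_b),        # now both are known: port 2 only
        (3, pc_c, BROADCAST),   # broadcast (e.g. an ARP request): flooded
    ]
    sw, hub = Switch(4), Hub(4)
    return {
        "switch": [sw.forward(*f) for f in frames],
        "hub": [hub.forward(*f) for f in frames],
        "mac_table": dict(sw.mac_table),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```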

What is Routing?

Routing is the act of moving information across an internetwork from a source to a destination. Along the way, at least one intermediate node typically is encountered. Routing is often contrasted with bridging, which might seem to accomplish precisely the same thing to the casual observer. The primary difference between the two is that bridging occurs at layer 2 (the link layer) of the OSI reference model, whereas routing occurs at layer 3 (the network layer). This distinction provides routing and bridging with different information to use in the process of moving information from source to destination, so the two functions accomplish their tasks in different ways.

Routing involves two basic activities: determining optimal routing paths and transporting information groups (typically called packets) through an internetwork. In the context of the routing process, the latter of these is referred to as packet switching. Although packet switching is relatively straightforward, path determination can be very complex. The switching algorithm is relatively simple; it is the same for most routing protocols. In most cases, a host determines that it must send a packet to another host. Having acquired a router's address by some means, the source host sends a packet addressed specifically to the router's physical (Media Access Control (MAC) layer) address, this time with the protocol (network layer) address of the destination host. As it examines the packet's destination protocol address, the router determines that it either knows or does not know how to forward the packet to the next hop. If the router does not know how to forward the packet, it typically drops the packet. If the router knows how to forward the packet, however, it changes the destination physical address to that of the next hop and transmits the packet. The example above shows two hosts communicating with each other using three routers between them. If the three routers are part of the Internet, it will only work this way when both hosts have valid public IP addresses assigned to them.
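The per-packet forwarding step described above, as an added Python example (not code from the article): a router with a small routing table does a longest-prefix lookup, rewrites the destination MAC to the next hop's MAC while leaving the IP addresses alone, and drops packets it has no route for. The MACs, interface names and the 10.1.1.0/24 and 203.0.113.1 addresses are assumed for illustration; 170.1.1.1 is the article's server address.

```python
# Added example (not the article's own code): the forwarding decision of a
# router as described above. Addresses, MACs and interface names are
# constructed; 170.1.1.1 is the server address used in the article.
import ipaddress


class Router:
    def __init__(self, own_mac):
        self.own_mac = own_mac     # simplified: one MAC for all interfaces
        self.routes = []           # (network, next_hop_ip or None, interface)
        self.arp_cache = {}        # IP -> MAC of directly reachable devices

    def add_route(self, prefix, interface, next_hop=None):
        """next_hop=None means the prefix is directly connected."""
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst_ip):
        """Longest-prefix match; returns (next_hop, interface) or None."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        _net, next_hop, iface = max(matches, key=lambda r: r[0].prefixlen)
        return next_hop, iface

    def forward(self, frame):
        """frame: dict with dst_mac, src_ip, dst_ip. Returns the rewritten
        frame, or None when the router drops it."""
        if frame["dst_mac"] != self.own_mac:
            return None            # not addressed to the router at layer 2
        route = self.lookup(frame["dst_ip"])
        if route is None:
            return None            # no route known: drop
        next_hop, iface = route
        # Directly connected: deliver to the destination host itself.
        target_ip = next_hop if next_hop else frame["dst_ip"]
        target_mac = self.arp_cache.get(target_ip)
        if target_mac is None:
            return None            # would ARP first; modelled as a drop here
        out = dict(frame)
        out["src_mac"] = self.own_mac
        out["dst_mac"] = target_mac  # only the layer-2 address changes
        out["interface"] = iface
        return out


def demo():
    """Constructed scenario: home router between LAN 10.1.1.0/24 and the ISP."""
    r = Router(own_mac="02:00:00:00:00:01")
    r.add_route("10.1.1.0/24", "lan")                         # directly connected
    r.add_route("0.0.0.0/0", "wan", next_hop="203.0.113.1")    # default route
    r.arp_cache = {"10.1.1.5": "02:00:00:00:00:05",
                   "203.0.113.1": "02:00:00:00:00:ff"}
    to_internet = {"dst_mac": r.own_mac, "src_ip": "10.1.1.3", "dst_ip": "170.1.1.1"}
    to_neighbour = {"dst_mac": r.own_mac, "src_ip": "10.1.1.3", "dst_ip": "10.1.1.5"}
    not_for_us = {"dst_mac": "02:00:00:00:00:05", "src_ip": "10.1.1.3", "dst_ip": "10.1.1.5"}
    no_default = Router(own_mac=r.own_mac)
    no_default.add_route("10.1.1.0/24", "lan")
    return {
        "internet": r.forward(to_internet),
        "neighbour": r.forward(to_neighbour),
        "not_for_us": r.forward(not_for_us),
        "no_route": no_default.forward(to_internet),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```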

Network Address Translation

NAT, defined in RFC 1631, allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet. The hosts might be using private addresses or addresses assigned to another organization. In either case, NAT allows these addresses that are not Internet-ready to continue to be used and still allows communication with hosts across the Internet. NAT achieves its goal by using a valid registered IP address to represent the private address to the rest of the Internet. The NAT function changes the private IP addresses to publicly registered IP addresses inside each IP packet.

Notice that the router performing NAT changes the packet's source IP address when it leaves the private organization, and the destination address in each packet forwarded back into the private network. (Network 200.1.1.0 is registered in this figure.) The NAT feature, configured in the router labeled NAT, performs the translation.

Overloading NAT with Port Address Translation (PAT)

Some networks need to have most, if not all, IP hosts reach the Internet. If that network uses private IP addresses, the NAT router needs a very large set of registered IP addresses. With static NAT, for each private IP host that needs Internet access, you need a publicly registered IP address. Overloading allows NAT to scale to support many clients with only a few public IP addresses. The key to understanding how overloading works is to recall how ports are used in TCP/IP. The figure below details an example that helps make the logic behind overloading more obvious. The top part of the figure shows a network with three different hosts connecting to a web server using TCP. The bottom half of the figure shows the same network later in the day, with three TCP connections from the same client. All six connections connect to the server IP address (170.1.1.1) and WWW port (80, the well-known port for web services). In each case, the server differentiates between the various connections because their combined IP address and port numbers are unique.

NAT takes advantage of the fact that the server really doesn't care if it has one connection each to three different hosts or three connections to a single host IP address. So, to support lots of inside private IP addresses with only a few global, publicly registered IP addresses, NAT overload uses Port Address Translation (PAT). Instead of just translating the IP address, it also translates the port number. NAT overload can use more than 65,000 port numbers, allowing it to scale well without needing very many registered IP addresses; in many cases, like in small office/home networks, it needs only one. Taking the device most users call a "router" apart, it contains different components. The following figure pictures the different components. These are a hub/switch, the router and a DSL/cable modem.
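The translation described above, as an added Python example (not from the article): a PAT router rewrites the private source address and port of outgoing packets to its single public address and a fresh public port, matches replies against that table to translate them back, and discards a packet from outside that matches no entry, which is why a connection initiated from the Internet to a host behind the router gets nowhere without a static entry. Server 170.1.1.1 and the 200.1.1.0 network are the article's; the 10.1.1.x hosts, the public port range and the remote peer address are constructed.

```python
# Added example (not the article's own code): NAT overload / PAT as explained
# above. The server address 170.1.1.1 and the public network 200.1.1.0 come
# from the article; the private hosts, port numbers and the outside peer
# 192.0.2.7 are constructed for illustration.


class PatRouter:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # (public_port, proto) -> (private_ip, private_port)
        self.reverse = {}    # (private_ip, private_port, proto) -> public_port

    def outbound(self, pkt):
        """Translate a packet leaving the private network."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["proto"])
        pub_port = self.reverse.get(key)
        if pub_port is None:
            # New flow: allocate the next free public port and record both
            # directions so the reply can be mapped back to the right host.
            pub_port = self.next_port
            self.next_port += 1
            self.reverse[key] = pub_port
            self.table[(pub_port, pkt["proto"])] = (pkt["src_ip"], pkt["src_port"])
        out = dict(pkt)
        out["src_ip"], out["src_port"] = self.public_ip, pub_port
        return out

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means dropped."""
        if pkt["dst_ip"] != self.public_ip:
            return None
        entry = self.table.get((pkt["dst_port"], pkt["proto"]))
        if entry is None:
            return None      # no mapping: unsolicited, the router discards it
        out = dict(pkt)
        out["dst_ip"], out["dst_port"] = entry
        return out


def demo():
    """Three private hosts reach the same server from the same local port;
    the server's replies find their way back; an unsolicited inbound
    connection (the DCC case) is dropped."""
    nat = PatRouter(public_ip="200.1.1.1")
    clients = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]
    sent = [nat.outbound({"proto": "tcp", "src_ip": c, "src_port": 1033,
                          "dst_ip": "170.1.1.1", "dst_port": 80}) for c in clients]
    # The server answers what it saw: 200.1.1.1 and the translated port.
    replies = [nat.inbound({"proto": "tcp", "src_ip": "170.1.1.1", "src_port": 80,
                            "dst_ip": s["src_ip"], "dst_port": s["src_port"]})
               for s in sent]
    # A remote peer tries to open a brand new connection to the public address.
    unsolicited = nat.inbound({"proto": "tcp", "src_ip": "192.0.2.7",
                               "src_port": 40000, "dst_ip": "200.1.1.1",
                               "dst_port": 5000})
    return sent, replies, unsolicited


if __name__ == "__main__":
    sent, replies, unsolicited = demo()
    for s in sent:
        print("out:", s["src_ip"], s["src_port"], "->", s["dst_ip"], s["dst_port"])
    for r in replies:
        print("back to:", r["dst_ip"], r["dst_port"])
    print("unsolicited inbound:", unsolicited)
```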

Now that we have a deeper insight into the basic things the router part of the device connecting you to the Internet is doing in your small home network, it's time to ask the reader of this document a question ;) What protocol type is used by the router and on what OSI layer is that protocol running? The answer to this question should be quite simple for you now. Because the router performs a port and an address translation using NAT overload combined with PAT, it has to be TCP/IP. This protocol suite works at OSI layers 4 and 3, so there has to be a possibility to apply filter rules. Applying filter rules can be done on the interfaces of the router. These filter rules can be applied on both interfaces, the internal and the external one. Network traffic on the interfaces can occur in two directions, incoming and outgoing. Now that we have a deeper insight into what the different networking devices are doing and how they work, it's time to pick up the last topic.

Firewalling

Setting up a firewall seems to be easy and pretty straightforward for most users. It's nothing more than installing a piece of software and then allowing or blocking the network traffic caused by applications running on the user's computer by means of a few mouse clicks. Now the user feels safe behind the nice little brick wall running on his or her computer. Before being able to understand a discussion of firewalls, it's important to understand the basic principles that make firewalls work.

What is a Firewall?

A firewall is a system or group of systems that enforces an access control policy between two or more networks. The actual means by which this is accomplished varies widely, but in principle the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or deny, a firewall really won't help you. It's also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it.

Why should I want a firewall?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spray paint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.

What can a firewall protect against?

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. When it's a piece of hardware, the firewall can protect you against any type of network-borne attack if you unplug it.

What can't a firewall protect against?

Firewalls can't protect against tunneling over most application protocols to trojaned or poorly written clients. Tunneling "bad" things over HTTP, SMTP and other protocols is quite simple and trivially demonstrated. Lastly, firewalls can't protect against bad things being allowed through them. For instance, many Trojan horses use the Internet Relay Chat (IRC) protocol to allow an attacker to control a compromised internal host from a public IRC server. If you allow any internal system to connect to any external system, then your firewall will provide no protection from this kind of attack.

What are the basic types of firewalls?

Basically there are three types of firewalls: network layer, application layer and hybrid firewalls. (Remember the seven-layer OSI model?) A good example of a network layer firewall is a router. This device is capable of examining the packet header and reading the information contained there. The information that can be filtered on is: the source IP address, source port, destination IP address, destination port and protocol type (TCP, UDP and so on). An Access Control List (ACL) containing different filter rules could be implemented on the internal interface, permitting or denying outgoing traffic based on this information. The same could be done on the external interface, permitting or denying the incoming traffic. Application layer firewalls generally are hosts running proxy servers, which permit no traffic directly between networks. Application layer firewalls can be used as network address translators, since traffic goes in one "side" and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Most of you will ask now: proxy server, NAT... how can this be? My computer has only one NIC built in, or only one NIC connected to the switch and router connecting me to the Internet, I've got only one IP address, and this guy is talking about traffic between networks?? Still there is an application firewall running on my computer??? The answer is simple. The proxy server and NAT are running on the local loopback address (127.0.0.1) of the computer you are using. Have a look at the routing table used by your computer by typing route print on the command line; it should look something like this.

And here is a screenshot of the connections open for Firefox, just having refreshed the start page of google.de, and the firewall running on the computer at my apartment. You will see that the firewall and Firefox both are communicating over the local loopback interface of the computer.

Most firewalls now lie somewhere between network layer and application layer firewalls. As expected, network layer firewalls have become increasingly "aware" of the information going through them, and application layer firewalls have become increasingly "low level" and transparent.

What Application Services have to be Supported?

Before setting up the firewall on the router or computer, you have to decide what services are needed for the users and computers that are behind that firewall. Some of the most common services are listed below.

Service - Definition
Basic TCP Protocols - Generic connected TCP protocols, such as HTTP, POP3, Telnet, SSL, etc.
Other UDP - Generic UDP services such as DNS, NTP, TFTP, IKE, SNMP, etc.
FTP - Control connection on TCP port 21, data on TCP port > 1024
Mail (SMTP) - Connect TCP protocol on port 25
H.323 (Netmeeting) - H.323 video conference protocol over UDP
RealAudio (RTSP) - Real-Time Streaming Protocol over UDP or TCP

For example, a reasonable list of desired services for many installations is: DNS, NTP, HTTP, FTP and Telnet, plus SMTP and POP3 to the mail server only. For many of us using IRC, a "few" ports have to be opened for this service too. For a full list of services and the related ports (TCP/UDP) assigned by the IANA (Internet Assigned Numbers Authority), please refer to this web page: http://www.iana.org/assignments/port-numbers

What's a Port?

A "port" is a "virtual slot" in your TCP and UDP stack that is used to map a connection between two hosts, and also between the TCP/UDP layer and the actual applications running on the hosts. They are numbered 0-65535, with the range 0-1023 being marked as "reserved" or "privileged", and the rest (1024-65535) as "dynamic" or "unprivileged". There are basically two uses for ports:

"Listening" on a port. This is used by server applications waiting for users to connect to some "well known service", for instance HTTP (TCP port 80), Telnet (TCP port 23) or DNS (UDP and sometimes TCP port 53).

Opening a "dynamic" port. Both sides of a TCP connection need to be identified by IP addresses and port numbers. Hence, when you want to "connect" to a server process, your end of the communications channel also needs a "port". This is done by choosing a port above 1024 on your machine that is not currently in use by another communications channel, and using it as the "sender" in the new connection. Dynamic ports may also be used as "listening" ports in some applications, most notably FTP, and for us this is true for DCC too.

Ports in the range 0-1023 are almost always server ports. Ports in the range 1024-65535 are usually dynamic ports (i.e., opened dynamically when you connect to a server port). However, any port may be used as a server port, and any port may be used as an "outgoing" port. So, to sum it up, here's what happens in a basic connection (scroll back to "Overloading NAT with PAT" and have another look at the three PCs connecting to one server to get a picture of it): At some point in time, a server application on host 170.1.1.1 decides to "listen" on port 80 (HTTP) for new connections. You (10.1.1.3) want to surf to 170.1.1.1, port 80, and your browser issues a connect call to it. The connect call, realising that it doesn't yet have a local port number, goes hunting for one. The local port number is necessary since, when the replies come back some time in the future, your TCP/IP stack will have to know which application to pass the reply to. It does this by remembering which application uses which local port number. (This is very, very much simplified; no flames from TCP/IP experts and programmers, please.) Your TCP stack finds an unused dynamic port, usually somewhere above 1024. Let's assume that it finds 1033. Your first packet is then sent from your local IP, 10.1.1.3, port 1033, to 170.1.1.1, port 80. The server responds with a packet from 170.1.1.1, port 80, to you, 10.1.1.3, port 1033. This procedure is actually much longer than this, but it points out the basics of your computer contacting the HTTP service running on 170.1.1.1, "listening" on port 80.

What are Listening Ports?

Suppose you did "netstat -a" on your machine and ports 1025 and 1030 showed up as LISTENing. What do they do? Right, let's take a look in the assigned port numbers list:

blackjack 1025/tcp network blackjack
iad1 1030/tcp BBN IAD

Wait, what's happening? Has my workstation stolen my VISA number and decided to go play blackjack with some rogue server on the Internet? And what's that software that BBN has installed? This is NOT where you start panicking. In fact, this question has been asked maybe a gazillion times, and every time it's been answered. Not that THAT keeps people from asking the same question again. If you are asking this question, you are most likely using a Windows box. The ports you are seeing are (most likely) two listening ports that the RPC subsystem opens when it starts up. This is an example of where dynamically assigned ports may be used by server processes. Applications using RPC will later on connect to port 135 (the NetBIOS "portmapper") to query where to find some RPC service, and get an answer back saying that that particular service may be contacted on port 1025. Now, how do we know this, since there's no "list" describing these ports? Simple: there's no substitute for experience. And using the mailing list search engines also helps a hell of a lot.

How do I determine what Service the Port is for?

Since it is impossible to learn what port does what by looking in a list, how do I do it? The old hands-on way of doing it is by shutting down nearly every service/daemon running on your machine, doing netstat -a and taking note of what ports are open. There shouldn't be very many listening ones. Then you start turning all the services on, one by one, and take note of what new ports show up in your netstat output.

Another way, that needs more guess work, is simply telnetting to the ports and see what comes out. 'f nothing comes out, try typing some gi!!erish and slamming 5nter a few times, and see if something turns up. 'f you get !inary gar!le, or nothing at all, this o! iously won>t help you. :#& ,owe er, this will only tell you what listening ports are used. 't won>t tell you a!out dynamically opened ports that may !e opened later on !y these applications. $here are a few applications that might help you track down the ports used. .n Eni1 systems, there>s a nice utility called lsof that comes preinstalled on many systems. 't will show you all open port num!ers and the names of the applications that are using them. $his means that it might show you a lot of locally opened files as well as $C=9'= sockets. )ead the help te1t. :#& .n windows systems, nothing comes preinstalled to assist you in this task. %3hat>s new?& $here>s a utility called M'nziderN which installs itself inside the windows sockets layer and dynamically remem!ers which process opens which port. $he draw!ack of this approach is that it can>t tell you what ports were opened !efore inzider started, !ut it>s the !est that you>ll get on windows %to my knowledge&. http:99ntsecurity.nu9tool!o19inzider9 What Ports are safe to (ass through a Firewall? A((. /o, wait, /./5. /o, wait, uuhhh... '> e heard that all ports a!o e *7+D are safe since they>re only dynamic?? /o. )eally. Gou CA//.$ tell what ports are safe simply !y looking at its num!er, simply !ecause that is really all it is. A num!er. Gou can>t mount an attack through a *C#!it num!er. $he security of a MportN depends on what application you>ll reach through that port. A common misconception is that ports +: %-M$=& and 67 %,$$=& are safe to pass through a firewall. QmeepQ 3)./4. ;ust !ecause e eryone is doing it doesn>t mean that it is safe. Again, the security of a port depends on what application you>ll reach through that port. 
If you're running a well-written web server, that is designed from the ground up to be secure, you can probably feel reasonably assured that it's safe to let outside people access it through port 80. Otherwise, you CAN'T. The same is true for "inside" users visiting a compromised website on port 80 (HTTP). This website will send you the virus, or other NOT wanted data, to the application that requested this data on the "dynamically" assigned port on the local computer. The problem here is not in the network layer. It's in how the application processes the data that it receives. This data may be received through port 80, port 666, a serial line, floppy or through singing telegram. If the application is not safe, it does not matter how the data gets to it. The application data is where the real danger lies. If you are interested in the security of your application, go subscribe to bugtraq http://www.securityfocus.com or try searching their archives. This is more of an application security issue rather than a firewall security issue. One could argue that a firewall should stop all possible attacks, but with the number of new network protocols, NOT designed with security in mind, and networked applications, neither designed with security in mind, it becomes impossible for a firewall to protect against all data-driven attacks.

How do most (modern) application Firewalls work?

After having installed an application Firewall on your computer, this piece of software, which we now know is a proxy-server performing NAT/PAT on the local loopback interface of the computer, normally has only one single filter rule:

Deny Any-Direction Any-Local-IP Any-Local-Port Any-Remote-IP Any-Remote-Port

This means that the Firewall will DENY all traffic from all local Ports and all local IPs to any remote IPs and any remote Ports (Protocols/Services) and vice versa, thus letting no traffic out of the computer nor letting any traffic into the machine. This IS pretty safe, isn't it? When you start your Web Browser, let's say this one is Mozilla Firefox, located at "c:\Application Directory\firefox.exe", this application will try to reach the starting page you use on the Internet, for example www.google.com, on port 80. What happens? The firewall will ask you if you want to permit or deny traffic from this application and if the filter rule that's going to be created should be remembered or not. You DO want to surf the web of course, so you click on Permit and Remember this Rule, never ask me again. Bingo!!!... you're online, you are able to surf the web, you can go everywhere you want to :-) O.K., a new filter rule has been created on the firewall. What does that one look like? Because the application firewall doesn't know anything about the ports, protocols, IP-addresses and directions that are required for this connection, the set of filter rules running on the firewall will now look like this:

Permit Any-Direction Any Any Any Any "c:\Application Directory\firefox.exe" MD5-Checksum
Deny Any-Direction Any-Local-IP Any-Local-Port Any-Remote-IP Any-Remote-Port

!!! Yes, DO reread that Permit Rule a few times !!! And, YES, think that one over !!! This filter rule permits the application firefox.exe, located in the "Application Directory" on the hard disk labelled c:\, to send data from any local port and IP-address to any remote IP-Address and to any remote port. This part of the filter rule allows the WWW-Browser to send a request for data (outgoing IP-traffic) from a local (dynamically assigned, >1024) port (this is still what we like to have) to any remote host (that's o.k. too, www.google.com and www.cisco.com will have different IP-addresses) regardless of the port (service) that is requested.
And this isn't what we like to have!! The requested service was HTTP, so the port number the remote host is listening on is 80. The only outgoing IP-traffic we need, in this case, will go to port 80. The IP-traffic that is sent back will come from the remote host, having the source port 80, and having our dynamically assigned local port and the external IP-address of our router as destination. This traffic will be handled by the NAT/PAT part of the router, and firewall, passing it to the port the application that requested it is listening on. The rule also allows this application to receive data from any remote IP-address and any remote port to any local IP-Address and any local port. This would only be needed if the application, in this case firefox.exe, is listening on a certain port, running a server-service. So this part of the filter rule is not needed at all. The MD5-Checksum is a so-called "hash-value" that is calculated on the basis of the current "state" of the application. This value looks something like this: "7EE78977629382BU89K2346", and this value is specific for any application running on your computer. The first thing you are protected from is an "attacker" changing a part of the application, this causing the MD5-Checksum to change. (Have you ever wondered why the firewall isn't asking you to create a new filter rule after loading a new script-file into your mIRC?) The firewall will ask you if the changed application, still having the same name and still located at the same place on the hard disk, should be allowed to connect to the internet in the future. Most users will think that this is o.k., because they don't exactly know what the cause was, and will allow the application, now running some malware too, to connect to the internet in the future. The piece of malware could now use ANY remote port it wants, connecting to ANY remote IP-Address, receiving data on ANY local port and IP-Address.
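To make the difference between the two rule listings concrete, here is an added example, not code from the article or from any firewall product: a small rule matcher in Python whose Rule fields follow the Direction / Local-IP / Local-Port / Remote-IP / Remote-Port / application / MD5 columns above. The Connection and Rule classes, the bytes standing in for firefox.exe, and the sample connections are all constructed. It shows the remembered broad rule permitting an inbound connection to the browser and an outbound one to a non-web port, a narrowed rule (outgoing only, remote port 80, with 443 for HTTPS added as an assumption) denying both, and the MD5 check no longer matching once the file on disk has changed.

```python
"""Rule matching for the two filter-rule listings above: the broad
"Permit Any ... firefox.exe MD5-Checksum" rule next to a narrowed one, plus the
MD5 identity check. Added example; classes, sample bytes and traffic are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional

ANY = None  # a field left at None matches anything, like "Any" in the listing


@dataclass(frozen=True)
class Connection:
    direction: str    # "out": the local application initiates; "in": a remote host does
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    app_path: str     # the program that owns the socket
    app_md5: str      # hash of that program's file as it is on disk right now


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    direction: Optional[str] = ANY
    local_ip: Optional[str] = ANY
    local_port: Optional[int] = ANY
    remote_ip: Optional[str] = ANY
    remote_ports: Optional[frozenset] = ANY  # allowed remote ports, or Any
    app_path: Optional[str] = ANY
    app_md5: Optional[str] = ANY

    def matches(self, c: Connection) -> bool:
        return (
            self.direction in (ANY, c.direction)
            and self.local_ip in (ANY, c.local_ip)
            and self.local_port in (ANY, c.local_port)
            and self.remote_ip in (ANY, c.remote_ip)
            and (self.remote_ports is ANY or c.remote_port in self.remote_ports)
            and self.app_path in (ANY, c.app_path)
            and self.app_md5 in (ANY, c.app_md5)
        )


def decide(rules: list[Rule], c: Connection) -> str:
    """First matching rule wins. No match means the closing Deny applies; a real
    product would prompt the user at this point, e.g. when the binary's MD5 changed."""
    for r in rules:
        if r.matches(c):
            return r.action
    return "deny"


def md5_of(data: bytes) -> str:
    """MD5 of the program file, which is what the firewall stores in the permit rule."""
    return hashlib.md5(data).hexdigest()


# Constructed sample data (not real files or hosts).
FIREFOX = r"c:\Application Directory\firefox.exe"
ORIGINAL_BINARY = b"MZ\x90\x00 constructed stand-in for firefox.exe"
TAMPERED_BINARY = ORIGINAL_BINARY + b" plus a section patched in later"
FIREFOX_MD5 = md5_of(ORIGINAL_BINARY)

DENY_ALL = Rule("deny")  # the single rule the firewall starts with

# The rule the firewall wrote after "Permit, remember this rule":
BROAD = [Rule("permit", app_path=FIREFOX, app_md5=FIREFOX_MD5), DENY_ALL]

# What the browser really needs: outgoing only, to the web ports
# (80 as in the text; 443 for HTTPS is an assumption added here).
NARROW = [Rule("permit", direction="out", remote_ports=frozenset({80, 443}),
               app_path=FIREFOX, app_md5=FIREFOX_MD5), DENY_ALL]

LOCAL_IP = "192.168.1.10"
WEB_REQUEST = Connection("out", LOCAL_IP, 51234, "198.51.100.20", 80, FIREFOX, FIREFOX_MD5)
# a remote host opening a connection *to* the browser's machine:
INBOUND_TO_FIREFOX = Connection("in", LOCAL_IP, 6000, "203.0.113.7", 50000, FIREFOX, FIREFOX_MD5)
# the browser (or code running inside it) talking to a non-web port:
OUTBOUND_ODD_PORT = Connection("out", LOCAL_IP, 51235, "203.0.113.7", 6667, FIREFOX, FIREFOX_MD5)
# the same web request after the file on disk stopped matching the stored MD5:
TAMPERED_WEB_REQUEST = Connection("out", LOCAL_IP, 51236, "198.51.100.20", 80,
                                  FIREFOX, md5_of(TAMPERED_BINARY))


def report() -> dict[str, tuple[str, str]]:
    """(broad decision, narrow decision) for each sample connection."""
    samples = {
        "web request": WEB_REQUEST,
        "inbound to firefox": INBOUND_TO_FIREFOX,
        "outbound to port 6667": OUTBOUND_ODD_PORT,
        "tampered binary": TAMPERED_WEB_REQUEST,
    }
    return {name: (decide(BROAD, c), decide(NARROW, c)) for name, c in samples.items()}
```

Calling report() gives ("permit", "permit") for the web request, ("permit", "deny") for both the inbound connection and the outbound one to port 6667, and ("deny", "deny") for the tampered binary: the broad rule is only as narrow as the MD5 check, while the narrowed rule also pins the direction and the remote port.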

The second thing you are protected from is an "attacker" installing a new application that tries to connect to the internet. If that application tries to do so, the firewall will ask you if that application should be allowed to do so or not. The third thing that the firewall is protecting you from is an "attacker" trying to connect to an application that has no entry in the filter rules list that the firewall is working with, because the firewall still has its last rule: Deny anything else coming in or going out of the machine that I do NOT know of, and/or give the user a warning if just this happens.

Services, Port number, Type, Direction overview

This is only a short overview of the most common services used by most of the people using a computer to connect to the internet, the protocol-type, and the direction that should be opened in the firewall running on the computer used for that.

Service               Port number       Type
DNS                   53                UDP
HTTP/HTTPS            80/443            TCP
FTP                   20/21             TCP/UDP
TELNET                23                TCP/UDP
POP3                  110               TCP
SMTP                  25                TCP
IRC                   6665-6669/7000    TCP/UDP
IDENT                 113               TCP
Private File Service  59                TCP/UDP
NNTP                  119               TCP/UDP
NTP                   123               TCP/UDP
Remote Desktop        3389              TCP/UDP

Direction (Incoming / Outgoing): the per-service marks in these two columns of the table are not legible in this copy.

A complete list of ports registered at the IANA can be found here: http://www.iana.org/assignments/port-numbers

The ports for "incoming traffic" should ONLY be opened if YOUR computer has to provide this particular service. For example: if you're using your Web-Browser to connect to the internet and to download files using FTP, you should allow outgoing traffic, TCP/UDP on ports 20 and 21 and TCP on ports 80 and 443, for this particular application only. For your E-Mail client you should allow outgoing traffic, TCP only, on ports 25 and 110, allowing you to send and receive E-Mails.

Last but not least, here are three useful links for people having problems with DCC and mIRC:
http://www.ircbeginner.com/ircinfo/dcc-trouble.html
http://www.mirc.org/dcchelp.html
http://www.mircscripts.org/showdoc.php?type=tutorial&id=2355
