
Basics of TCP/IP, Switching, Routing and Firewalling.

Why this article?


After reading the following question at least a gazillion times: "My DCC is not working ... can anyone help me pls ??", I have been thinking about the cause or causes of this "problem" for quite some time now.
Most of the people asking this question did everything right configuring the chat client or other applications they are using to connect to the internet. DCC or other network services should be working fine, but they don't.
The most common reason for the problems those people are facing is, in my honest opinion, a not properly configured piece of the network. Due to this, the "information" needed by the "other side" (remote host) is not being transmitted over the network (in this case the network is the "bad, bad" Internet), or the packets sent by the remote host are not reaching the network in which the requesting computer (local host) resides.
To have a better understanding of why this is happening, one has to know what the different networking devices are doing with the network traffic they send and receive.
The network that people think they are using will (simplified) basically look like this:
Local host -> Router1 -> Internet -> Router2 -> Remote Host
Most people connecting to the internet nowadays are using a nice little thing they call a Router or DSL-Router. This is where some of the problems start... Is this nice little nifty device only a Router? Or is there more behind it?
To understand what this wonderful piece of technique is capable of, we need to know a bit more about the different pieces a little home network is made of and how they work.
Now where to start? Imagine a user somewhere in this world, sitting behind a computer, pushing the power button, waiting for the OS to come up, then starting his or her favourite browser (which I hope is Mozilla Firefox ;)), typing www.google.de and then hitting the enter key.
What happens next...? The German start page of the search engine Google appears on the screen in front of that user. Now that's easy? Isn't it :)
Hmmm... was this really as easy as it looked? Definitely not ;)
To understand what happens we will need a bit of theory. I'll try to keep this as brief as possible.
TCP/IP Networking
An Ethernet local area network (LAN) is essentially a (logical) bus based broadcast network, though the physical implementation may use hubs (with a physical star topology). As one would expect, broadcast LANs must deal with collisions, either by preventing them or by detecting them and taking appropriate action. Token based LANs avoid collisions by only allowing one host at a time to transmit (the host that currently has the token may transmit).

Standards that relate to LANs are primarily the IEEE 802.x series. For instance, 802.3 is the Media Access Control (MAC) standard for CSMA/CD (Carrier Sense Multiple Access with Collision Detection, the Ethernet standard), while 802.5 is the MAC standard for Token Ring. Just above the MAC level is the Logical Link Control (802.2) standard and above that is the High Level Interface (802.1) standard.
Within a LAN, addressing is done with a MAC address. Between LANs (connected over the Internet (WAN, Wide Area Network), having Routers in between) using TCP/IP, addressing is done using IP addresses. If you are lost at this point, keep reading because much of this will be explained below ;)
The OSI Model
After TCP/IP was well-established and other networking protocols, such as DECnet and Novell's IPX, were operational, the International Standardization Organization (ISO) developed the Open Systems Interconnection (OSI) seven layer reference model.
The following list details the seven layers of the Open System Interconnection (OSI) reference model:
OSI Layer / Name / Functional Description / Examples
• Layer 7 - Application: Interface between network and application software. Examples: Telnet, HTTP, WWW-Browsers
• Layer 6 - Presentation: How data is presented, Encryption. Examples: JPEG, ASCII
• Layer 5 - Session: Establishing, maintaining and managing end-to-end bidirectional flows between endpoints. Examples: Operating systems, Application access
• Layer 4 - Transport: Reliable or unreliable delivery, Multiplexing. Examples: TCP, UDP, SPX
• Layer 3 - Network: Logical addressing, which routers use for path determination. Examples: IP, IPX
• Layer 2 - Data link: Combination of bits into bytes, and bytes into frames. Access to media using MAC-address. Error detection and error recovery. Examples: 802.3/802.2, HDLC
• Layer 1 - Physical: Moving bits between devices. Specification of voltage, wire speed and cable pinouts. Examples: EIA/TIA-232, V.35
The seven layers of the OSI reference model can be divided into two categories: upper layers and lower layers.
The upper layers of the OSI model deal with application issues and generally are implemented only in software.
The lower layers of the OSI model handle data transport issues. The physical layer and the data link layer are implemented in hardware and software. The lowest layer, the physical layer, is closest to the physical network medium (the network cabling, for example) and is responsible for actually placing information on the medium.
A wide variety of communication protocols exist. Some of these protocols include LAN (Local Area Network) protocols, WAN (Wide Area Network) protocols, network protocols, and routing protocols. LAN protocols operate at the physical and data link layers of the OSI model and define communication over the various LAN media. WAN protocols operate at the lowest three layers of the OSI model and define communication over the various wide-area media. Routing protocols are network layer protocols that are responsible for exchanging information between routers so that the routers can select the proper path for network traffic. Finally, network protocols are the various upper-layer protocols that exist in a given protocol suite. Many protocols rely on others for operation. For example, many routing protocols use network protocols to exchange information between routers.
A given layer in the OSI model generally communicates with three other OSI layers: the layer directly above it, the layer directly below it, and its peer layer in other networked computer systems. The data link layer in System A, for example, communicates with the network layer of System A, the physical layer of System A, and the data link layer in System B.
Now, let's go back to our little example. A user somewhere in this world pushes the power button of his computer. The computer starts its BIOS (Basic Input Output System) and does a POST (Power On Self Test); after doing a few more tests it searches for the OS (Operating System) and starts it. In other words, this computer is running through the OSI-Model from bottom to top, starting with layer one and having reached layer five when the basics of the OS are running.
Now the GUI (Graphical User Interface) is started and this computer runs through layers six and seven. Why is this computer already running on layer seven of the OSI-Model? It's simple: the GUI of Microsoft Windows is explorer.exe, which is an application. Now the web browser is started, the user types www.google.de and hits the enter key. This data is processed from top to bottom of the OSI-model and sent over the network.
The Home Network
Now that we have come this far, it's time to break up our little home network into pieces and have a closer look at the single components.
Let's start with the thing you are probably sitting in front of, reading this document.
The Computer
As we already know this is a nice piece of technique that is capable of running on all seven layers of the OSI-model. Why is this important? You will see in a few.
This device allows you to run applications (OSI-layer 7) and is capable of sending data over the network using the NIC (Network Interface Card), which is running on OSI-layer 2.
Why has the NIC to be an OSI-layer 2 device? It's simple: it has a hard-coded MAC-address and has, when it's not a wireless one, a piece of cable plugged in, connecting it to a hub or switch. It does not know anything about IP-addresses, port numbers and the protocol that is probably running in the little home network... TCP/IP.
TCP/IP (Transmission Control Protocol/Internet Protocol) is a protocol suite that is implemented in the OS you are using and is running on OSI-layers 3 and 4, the network and transport layer. TCP/IP is responsible for you having an IP-address and gives the computer the possibility to communicate with other systems using IP-addresses, a subnet mask, port numbers and a default gateway.
The ability of your computer to run at OSI-layer 4 using TCP/IP makes it possible to run a firewall on this device. Most of you will have at least one firewall running on the computer after having installed Windows XP SP2. This firewall is active by default and could be a possible cause for blocking traffic you'd rather like to get. (See, we are getting to the point now ;))
Most users connecting to the internet don't know that one firewall, though it isn't a good one in my opinion, is already up and running, so they download a third-party product, like Zone Alarm. They install this firewall, and not really knowing what they are doing, they click on allow or block this or that application or traffic, having a second, probably misconfigured, firewall up and running.
Because most people know that viruses can be really nifty things and are, without proper knowledge, not easy to remove from an infected system, they purchase or download an antivirus product (like Bitdefender, NortonAV), not knowing that nowadays most of these software packages have a built-in firewall that is installed and... up and running by default. To be sure that no virus can infect the computer, they use several products from different vendors, or they install different products from CDs/DVDs coming with computer magazines. Now already 3-4 (or even more) firewalls are running on the computer!
When scrolling back up to the little network at the beginning of this article I think this one already needs a revision ;)
The next part of the home network is the network cable connecting the computer's NIC to the hub or switch. Could this piece of the network be responsible for the connectivity problems? Yup!! When it's broken or not connected, because it's an OSI-layer 1 piece of it ;)
OK, let's presume the cable isn't causing the problems. The next piece of our network would be the hub or switch.
Hubs and Switches
What is the difference between a hub and a switch, how do they work and could they be responsible for parts of the data transmission not working like it should?
Most people think of hubs and switches as being a kind of multiple socket outlet for connecting computers. Basically this is true for most of the devices used in small home/office networks.
When a hub receives a data packet, it "shouts" it out of all ports except the one it received the packet on. So all computers connected to the hub are receiving that packet. It does not matter if that packet had that destination or not. How does a computer know if that little packet was meant for it or not? That's very simple... the computer's NIC reads out the destination MAC-address in the packet's header and accepts the packet when it's its own MAC, otherwise the NIC drops the packet. Because of this a hub is working on layer 2 of the OSI-model. It cannot be responsible for not letting through any packets received by this device.
Because hubs are causing a lot of unnecessary network traffic, switches were invented. A switch "learns" the MAC-addresses of the computers' NICs connected to its ports, writing them down in a MAC-address table. When a switch receives a data packet on one port, it reads out the destination MAC-address from the packet header and then forwards the packet to the port on which the NIC having this address is connected, thus reducing the network traffic by a very good amount. The only traffic transported out of every port of the switch, apart from the port the switch is receiving this packet on, is the broadcast traffic the computers connected to the switch are causing.
This "one-to-one" communication still does not need IP-addresses, it is based on MAC-addresses only. That's why a switch is an OSI-layer 2 device too. It cannot be responsible for rejecting any network traffic and therefore cannot be a part of the troubleshooting for users not being able to DCC or trying to use any other network services.
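The hub and switch behaviour described above, as an added example that is not part of the original article: a hub repeats every frame out of all other ports, a switch learns source MACs per port and floods only broadcasts and still-unknown destinations. All MAC addresses are constructed sample values.

```python
"""Hub vs. switch forwarding (added example; MAC addresses are constructed)."""
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str = ""


@dataclass
class Hub:
    ports: int

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        # A hub knows nothing about MAC addresses: it "shouts" the frame
        # out of every port except the one it arrived on.
        return [p for p in range(self.ports) if p != in_port]


@dataclass
class Switch:
    ports: int
    mac_table: dict[str, int] = field(default_factory=dict)

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        # Learning: remember on which port the sender's MAC was seen.
        self.mac_table[frame.src_mac] = in_port
        others = [p for p in range(self.ports) if p != in_port]
        if frame.dst_mac == BROADCAST:
            return others                 # broadcast: flood like a hub
        out = self.mac_table.get(frame.dst_mac)
        if out is None:
            return others                 # unknown destination: flood
        if out == in_port:
            return []                     # destination sits on the ingress port
        return [out]                      # known destination: exactly one port


def demo() -> dict:
    """Constructed scenario: hosts A (port 0), B (port 1), C (port 2)."""
    a, b, c = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"
    hub, sw = Hub(4), Switch(4)
    results = {}
    # 1. A talks to B: the switch has not seen B yet, so it floods.
    f1 = Frame(a, b, "hello")
    results["hub_a_to_b"] = hub.forward(0, f1)
    results["switch_unknown_b"] = sw.forward(0, f1)
    # 2. B replies: the switch learned A on port 0, so a single port is used.
    results["switch_known_a"] = sw.forward(1, Frame(b, a, "hi"))
    # 3. C sends a broadcast (e.g. an ARP request): every port except C's own.
    results["switch_broadcast"] = sw.forward(2, Frame(c, BROADCAST, "who-has"))
    results["table"] = dict(sw.mac_table)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```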
Now I can see a bit of gleaming coming into your eyes. There's only one device left in our little home network, besides that dang computer that already has a number of firewalls running on it, that could cause the problems we are so eager to solve ;)) I can see you thinking... HAH! It's gotta be the Router!!!
What is Routing?
Routing is the act of moving information across an internetwork from a source to a destination. Along the way, at least one intermediate node typically is encountered. Routing is often contrasted with bridging, which might seem to accomplish precisely the same thing to the casual observer. The primary difference between the two is that bridging occurs at Layer 2 (the link layer) of the OSI reference model, whereas routing occurs at Layer 3 (the network layer). This distinction provides routing and bridging with different information to use in the process of moving information from source to destination, so the two functions accomplish their tasks in different ways.
Routing involves two basic activities: determining optimal routing paths and transporting information groups (typically called packets) through an internetwork. In the context of the routing process, the latter of these is referred to as packet switching. Although packet switching is relatively straightforward, path determination can be very complex.
Switching algorithms are relatively simple; they are the same for most routing protocols. In most cases, a host determines that it must send a packet to another host. Having acquired a router's address by some means, the source host sends a packet addressed specifically to a router's physical (Media Access Control (MAC)-layer) address, this time with the protocol (network layer) address of the destination host. As it examines the packet's destination protocol address, the router determines that it either knows or does not know how to forward the packet to the next hop. If the router does not know how to forward the packet, it typically drops the packet. If the router knows how to forward the packet, however, it changes the destination physical address to that of the next hop and transmits the packet.
The example above shows two hosts communicating with each other using three routers between them. If the three routers are part of the Internet, it will only work this way when both hosts have valid public IP-addresses assigned to them.
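The packet switching step just described (route lookup, drop when no route is known, otherwise rewrite the destination MAC to the next hop's), as an added example that is not the article's own code. The routing table, ARP entries, interface names and MAC addresses are constructed; 10.1.1.3 and 170.1.1.1 are the host addresses the article uses later.

```python
"""Router forwarding step (added example; table contents are constructed)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Route:
    network: str            # e.g. "10.1.1.0/24"
    next_hop: str | None    # None means the network is directly connected
    interface: str


class Router:
    def __init__(self, routes, arp, iface_macs):
        self.routes = [Route(*r) for r in routes]
        self.arp = arp                  # IP -> MAC, the "some means" of the text
        self.iface_macs = iface_macs    # interface -> the router's own MAC

    def lookup(self, dst_ip: str) -> Route | None:
        """Longest-prefix match; a default route (0.0.0.0/0) is used last."""
        addr = ip_address(dst_ip)
        matches = [r for r in self.routes if addr in ip_network(r.network)]
        if not matches:
            return None
        return max(matches, key=lambda r: ip_network(r.network).prefixlen)

    def forward(self, frame: Frame) -> tuple[str, Frame] | None:
        route = self.lookup(frame.dst_ip)
        if route is None:
            return None                              # no route: packet is dropped
        next_ip = route.next_hop or frame.dst_ip     # connected: deliver directly
        next_mac = self.arp.get(next_ip)
        if next_mac is None:
            return None                              # next hop unresolvable: dropped
        # Layer 3 addresses stay; only the layer 2 addresses are rewritten.
        out = Frame(next_mac, self.iface_macs[route.interface], frame.src_ip, frame.dst_ip)
        return route.interface, out


def demo() -> dict:
    home = Router(
        routes=[("10.1.1.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")],
        arp={"203.0.113.1": "00:aa:bb:cc:dd:01", "10.1.1.3": "00:11:22:33:44:03"},
        iface_macs={"lan": "00:00:5e:00:53:01", "wan": "00:00:5e:00:53:02"},
    )
    # Same router but without a default route: Internet destinations are unknown.
    no_default = Router([("10.1.1.0/24", None, "lan")], home.arp, home.iface_macs)
    to_internet = Frame("00:00:5e:00:53:01", "00:11:22:33:44:03", "10.1.1.3", "170.1.1.1")
    back_to_lan = Frame("00:00:5e:00:53:02", "00:aa:bb:cc:dd:01", "170.1.1.1", "10.1.1.3")
    return {
        "out": home.forward(to_internet),
        "back": home.forward(back_to_lan),
        "unknown": no_default.forward(to_internet),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```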
!etwor" -ddress Translation
/A$, defined in )0C *C8*, allows a host that does not hae a alid registered '= address to
communicate with other hosts through the 'nternet. $he hosts might !e using priate addresses or
addresses assigned to another organization. 'n either case, /A$ allows these addresses that are not
'nternet#ready to continue to !e used and still allows communication with hosts across the 'nternet.
/A$ achiees its goal !y using a alid registered '= address to represent the priate address to the
rest of the 'nternet. $he /A$ function changes the priate '= addresses to pu!licly registered '=
addresses inside each '= packet.
/otice that the router, performing /A$, changes the packet>s source '= address when leaing the
priate organization and the destination address in each packet forwarded !ack into the priate
network. %/etwork +77.*.*.7 is registered in this figure& $he /A$ feature, configured in the router
la!eled /A$, performs the translation.
#.erloading !-T with Port -ddress Translation /P-T0
-ome networks need to hae most, if not all, '= hosts reach the 'nternet. 'f that network uses priate
'= addresses, the /A$ router needs a ery large set of registered '= addresses. 3ith static /A$, for
each priate '= host that needs 'nternet access, you need a pu!licly registered '= address.
.erloading allows /A$ to scale to support many clients with only a few pu!lic '= addresses. $he
key to understanding how oerloading works is to recall how ports are used in $C=9'=.
$he figure !elow details an e1ample that helps make the logic !ehind oerloading more o!ious.
$he top part of the figure shows a network with three different hosts connecting to a we! serer
using $C=. $he !ottom half of the figure shows the same network later in the day, with three $C=
connections from the same client. All si1 connections connect to the serer '= address %*A7.*.*.*&
and 333 port %67, the well#known port for we! serices&. 'n each case, the serer differentiates
!etween the arious connections !ecause their com!ined '= address and port num!ers are unique.
/A$ takes adantage of the fact that the serer really doesn>t care if it has one connection each to
three different hosts or three connections to a single host '= address. -o, to support lots of inside
priate '= addresses with only a few glo!al, pu!licly registered '= addresses, /A$ oerload uses
=ort Address $ranslation %=A$&. 'nstead of Kust translating the '= address, it also translates the port
num!er.
/A$ oerload can use more than C:,777 port num!ers, allowing it to scale well without needing
ery many registered '= addresses, in many cases, like in small .ffice9,ome /etworks, needing
only one.
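NAT overload as just described, as an added example (not the article's own code): a small PAT router keeps a translation table so that several inside hosts, even ones using the same source port, share one registered address. The server 170.1.1.1:80 and the registered network 200.1.1.0 come from the text; the inside hosts 10.1.1.x, the public address 200.1.1.1 and the outside peer 198.51.100.7 are constructed. The last case shows why an inbound connection nobody on the inside asked for (the situation a DCC user runs into) never reaches the LAN.

```python
"""NAT overload / PAT translation table (added example; addresses constructed
except the article's 170.1.1.1:80 and the 200.1.1.0 network)."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._next_port = count(first_port)
        # (inside_ip, inside_port) -> translated public port
        self.outbound: dict[tuple[str, int], int] = {}
        # translated public port -> (inside_ip, inside_port)
        self.inbound: dict[int, tuple[str, int]] = {}

    def outside(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite source IP *and* source port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = next(self._next_port)          # pick a free public port
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def inside(self, pkt: Packet) -> Packet | None:
        """Outside -> inside: only packets that match an existing entry pass."""
        key = self.inbound.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None                           # no translation entry: dropped
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def demo() -> dict:
    nat = PatRouter("200.1.1.1")
    server = ("170.1.1.1", 80)
    # Top half of the figure: three hosts, one connection each (all happen to
    # pick local port 1033). Bottom half: the same client three times.
    flows = [("10.1.1.1", 1033), ("10.1.1.2", 1033), ("10.1.1.3", 1033),
             ("10.1.1.3", 1034), ("10.1.1.3", 1035)]
    seen_by_server = [nat.outside(Packet(ip, port, *server)) for ip, port in flows]
    # The server's reply to the fourth flow comes back to the translated port
    # and is mapped to the right inside host and port.
    reply = Packet(server[0], server[1], "200.1.1.1", seen_by_server[3].src_port)
    delivered = nat.inside(reply)
    # An unsolicited inbound connection (what a remote DCC peer sends):
    # no entry exists for port 5000, so the router drops it.
    unsolicited = nat.inside(Packet("198.51.100.7", 40000, "200.1.1.1", 5000))
    return {
        "public_tuples": [(p.src_ip, p.src_port) for p in seen_by_server],
        "delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "unsolicited": unsolicited,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```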
Taking the device called a "router" by most users apart, it contains different components. The following figure shows the different components. These are a hub/switch, the router and a DSL/Cable modem.
Now, having a deeper insight into the basic things the router part of the device connecting you to the Internet in your small home network is doing, it's time to ask the reader of this document a question ;) What protocol type is used by the router and what OSI-layer is that protocol running on?
The answer to this question should be quite simple for you now. Because the router performs a port and an address translation using NAT overload combined with PAT, it has to be TCP/IP. This protocol suite works at OSI-layers 4 and 3, so there has to be a possibility to apply filter rules.
Applying filter rules can be done on the interfaces of the router. These filter rules can be applied on both interfaces, the internal and the external one. Network traffic on the interfaces can occur in two directions, incoming and outgoing.
Now, having a deeper insight into what different networking devices are doing and how they work, it's time to pick up the last topic.
Firewalling
Setting up a firewall seems to be easy and pretty straightforward for most users. It's nothing more than installing a piece of software, then allowing or blocking network traffic caused by applications running on the user's computer by means of a few mouse clicks. Now the user feels safe behind the nice little brick wall running on his or her computer.
Before being able to understand a discussion of firewalls, it's important to understand the basic principles that make firewalls work.
What is a Firewall?
A firewall is a system or group of systems that enforces an access control policy between two or more networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to deny, a firewall really won't help you. It's also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it.
Why should I want a firewall?
The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spray paint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.
What can a firewall protect against?
Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. When it's a piece of hardware, the firewall can protect you against any type of network-borne attack if you unplug it.
What can't a firewall protect against?
Firewalls can't protect against tunneling over most application protocols to trojaned or poorly written clients. Tunneling "bad" things over HTTP, SMTP, and other protocols is quite simple and trivially demonstrated.
Lastly, firewalls can't protect against bad things being allowed through them. For instance, many Trojan Horses use the Internet Relay Chat (IRC) protocol to allow an attacker to control a compromised internal host from a public IRC server. If you allow any internal system to connect to any external system, then your firewall will provide no protection from this kind of attack.
What are the basic types of firewalls?
Basically there are three types of firewalls: Network Layer, Application Layer and Hybrid Firewalls. (Remember the 7 layered OSI-Model?)
A good example of a Network Layer firewall is a router. This device is capable of examining the packet's header and reading out the information contained there.
The information that can be filtered on is: the source IP-Address, source port, destination IP-Address, destination port and protocol type (TCP, UDP and so on). An Access Control List (ACL), containing different filter rules, could be implemented on the internal interface, permitting or denying outgoing traffic based on this information.
The same could be done on the external interface, permitting or denying the incoming traffic.
Application layer firewalls generally are hosts running proxy servers, which permit no traffic directly between networks. Application layer firewalls can be used as network address translators, since traffic goes in one "side" and out the other, after having passed through an application that effectively masks the origin of the initiating connection.
Most of you will ask now: proxy server, NAT... how can this be? My computer has only one NIC built in, or only one NIC connected to the switch and router connecting me to the Internet, I've got only one IP-Address, and this guy is talking about traffic between networks?? Still there is an application firewall running on my computer???
The answer is simple. The proxy server and NAT are running on the local loopback address (127.0.0.1) of the computer you are using. Have a look at the routing table used by your computer by typing route print in the command line; it should look something like this.
And here is a screenshot of the connections open for Firefox just having refreshed the start page of google.de and the firewall running on the computer at my apartment. You will see that the firewall and Firefox both are communicating over the local loopback interface of the computer.
Most firewalls now lie some place between network layer and application layer firewalls. As expected, network layer firewalls have become increasingly "aware" of the information going through them, and application layer firewalls have become increasingly "low level" and transparent.
What Application Services have to be Supported?
Before setting up the firewall on the router or computer, you have to decide what services are needed for the users and computers that are behind that firewall. Some of the most common services are listed below.
Service / Definition
Basic TCP Protocols: Generic connected TCP Protocols, such as HTTP, POP3, Telnet, SSL, etc.
Other UDP: Generic UDP-Services such as DNS, NTP, TFTP, IKE, SNMP, etc.
FTP: Control connection on TCP Port 21, Data on TCP Port > 1024
Mail (SMTP): Connect TCP Protocol on Port 25
H.323 (Netmeeting): H.323 video conference protocol over UDP
RealAudio (RTSP): Real-Time Streaming Protocol over UDP or TCP
For example, a reasonable list of desired services for many installations is: DNS, NTP, HTTP, FTP, and Telnet, plus SMTP and POP3 to the mail server only. For many of us using IRC a "few" ports have to be opened for this service too.
For a full list of services and the related ports (TCP/UDP) assigned by the IANA (Internet Assigned Numbers Authority) please refer to this webpage: http://www.iana.org/assignments/port-numbers
What's a Port?
A "port" is a "virtual slot" in your TCP and UDP stack that is used to map a connection between two hosts, and also between the TCP/UDP layer and the actual applications running on the hosts. They are numbered 0-65535, with the range 0-1023 being marked as "reserved" or "privileged", and the rest (1024-65535) as "dynamic" or "unprivileged".
There are basically two uses for ports:
"Listening" on a port.
This is used by server applications waiting for users to connect, to get to some "well known service", for instance HTTP (TCP port 80), Telnet (TCP port 23), DNS (UDP and sometimes TCP port 53).
Opening a "dynamic" port.
Both sides of a TCP connection need to be identified by IP addresses and port numbers. Hence, when you want to "connect" to a server process, your end of the communications channel also needs a "port". This is done by choosing a port above 1024 on your machine that is not currently in use by another communications channel, and using it as the "sender" in the new connection.
Dynamic ports may also be used as "listening" ports in some applications, most notably FTP, and for us this one is true for DCC too. Ports in the range 0-1023 are almost always server ports. Ports in the range 1024-65535 are usually dynamic ports (i.e., opened dynamically when you connect to a server port). However, any port may be used as a server port, and any port may be used as an "outgoing" port.
So, to sum it up, here's what happens in a basic connection (scroll back to the overloading NAT with PAT section and have another look at the 3 PCs connecting to one server to have a picture of it):
At some point in time, a server application on host 170.1.1.1 decides to "listen" at port 80 (HTTP) for new connections.
You (10.1.1.3) want to surf to 170.1.1.1, port 80, and your browser issues a connect call to it.
The connect call, realising that it doesn't yet have a local port number, goes hunting for one. The local port number is necessary since when the replies come back some time in the future, your TCP/IP stack will have to know to what application to pass the reply. It does this by remembering what application uses which local port number. (This is very, very much simplified, no flames from TCP/IP experts and programmers, please.)
Your TCP stack finds an unused dynamic port, usually somewhere above 1024. Let's assume that it finds 1033.
Your first packet is then sent, from your local IP, 10.1.1.3, port 1033, to 170.1.1.1, port 80.
The server responds with a packet from 170.1.1.1, port 80, to you, 10.1.1.3, port 1033.
This procedure is actually much longer than this, but it points out the basics of your computer contacting the HTTP service running on 170.1.1.1, "listening" on port 80.
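The interface ACLs from the firewall types section, run over the connection just walked through (10.1.1.3:1033 to 170.1.1.1:80 and its reply), as an added example that is not the article's code. The rule syntax, the interface names internal/external and the outside address 198.51.100.7 are constructed. It also shows the caveat a stateless filter carries: the rule that lets replies back in accepts anything that merely claims source port 80, which is why a port number alone says nothing about safety.

```python
"""Stateless packet filter with one ACL per (interface, direction); added
example, rule format and interface names constructed."""
from __future__ import annotations
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = ANY
    src_ip: str = ANY
    src_port: object = ANY      # int, "any", or an inclusive (low, high) range
    dst_ip: str = ANY
    dst_port: object = ANY


def _port_ok(spec, port: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def _match(rule: Rule, p: Packet) -> bool:
    return (rule.proto in (ANY, p.proto)
            and rule.src_ip in (ANY, p.src_ip)
            and rule.dst_ip in (ANY, p.dst_ip)
            and _port_ok(rule.src_port, p.src_port)
            and _port_ok(rule.dst_port, p.dst_port))


def evaluate(acl: list[Rule], p: Packet) -> str:
    """First matching rule wins; every ACL ends with an implicit deny."""
    for rule in acl:
        if _match(rule, p):
            return rule.action
    return "deny"


# ACLs keyed by (interface, direction), as the text describes.
ACLS: dict[tuple[str, str], list[Rule]] = {
    # internal interface, traffic arriving from the LAN: web browsing only
    ("internal", "in"): [Rule("permit", "tcp", dst_port=80)],
    # external interface, traffic arriving from the Internet: only what
    # looks like a web server reply towards a dynamic port on the LAN
    ("external", "in"): [Rule("permit", "tcp", src_port=80, dst_port=(1024, 65535))],
}


def filter_packet(interface: str, direction: str, p: Packet) -> str:
    return evaluate(ACLS.get((interface, direction), []), p)


def demo() -> dict:
    client, server = ("10.1.1.3", 1033), ("170.1.1.1", 80)
    request = Packet("tcp", *client, *server)          # first packet of the walkthrough
    reply = Packet("tcp", *server, *client)            # the server's answer
    # Nobody on the LAN asked for this packet, yet the reply rule lets it in:
    # a stateless filter cannot tell a genuine reply from a new connection.
    unsolicited = Packet("tcp", "198.51.100.7", 80, *client)
    telnet_out = Packet("tcp", *client, "170.1.1.1", 23)   # no rule: implicit deny
    return {
        "request": filter_packet("internal", "in", request),
        "reply": filter_packet("external", "in", reply),
        "unsolicited": filter_packet("external", "in", unsolicited),
        "telnet_out": filter_packet("internal", "in", telnet_out),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Stateful (hybrid) firewalls close the gap shown by the unsolicited case by only admitting packets that belong to a connection they saw initiated from the inside.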
What are Listening Ports?
Suppose you did "netstat -a" on your machine and ports 1025 and 1030 showed up as LISTENing. What do they do? Right, let's take a look in the assigned port numbers list.
blackjack 1025/tcp network blackjack
iad1 1030/tcp BBN IAD
Wait, what's happening? Has my workstation stolen my VISA number and decided to go play blackjack with some rogue server on the internet? And what's that software that BBN has installed?
This is NOT where you start panicking. In fact, this question has been asked maybe a gazillion times, and every time it's been answered. Not that THAT keeps people from asking the same question again.
If you are asking this question, you are most likely using a windows box. The ports you are seeing are (most likely) two listening ports that the RPC subsystem opens when it starts up.
This is an example of where dynamically assigned ports may be used by server processes. Applications using RPC will later on connect to port 135 (the netbios "portmapper") to query where to find some RPC service, and get an answer back saying that that particular service may be contacted on port 1025.
Now, how do we know this, since there's no "list" describing these ports? Simple: there's no substitute for experience. And using the mailing list search engines also helps a hell of a lot.
How do I determine what Service the Port is for?
Since it is impossible to learn what port does what by looking in a list, how do I do it?
The old hands-on way of doing it is by shutting down nearly every service/daemon running on your machine, doing netstat -a and taking note of what ports are open. There shouldn't be very many listening ones. Then you start turning all the services on, one by one, and take note of what new ports show up in your netstat output.
Another way, that needs more guesswork, is simply telnetting to the ports and seeing what comes out. If nothing comes out, try typing some gibberish and slamming Enter a few times, and see if something turns up. If you get binary garble, or nothing at all, this obviously won't help you. :-)
However, this will only tell you what listening ports are used. It won't tell you about dynamically opened ports that may be opened later on by these applications.
There are a few applications that might help you track down the ports used. On Unix systems, there's a nice utility called lsof that comes preinstalled on many systems. It will show you all open port numbers and the names of the applications that are using them. This means that it might show you a lot of locally opened files as well as TCP/IP sockets. Read the help text. :-)
On windows systems, nothing comes preinstalled to assist you in this task. (What's new?) There's a utility called "Inzider" which installs itself inside the windows sockets layer and dynamically remembers which process opens which port. The drawback of this approach is that it can't tell you what ports were opened before inzider started, but it's the best that you'll get on windows (to my knowledge). http://ntsecurity.nu/toolbox/inzider/
What Ports are safe to pass through a Firewall?
ALL.
No, wait, NONE.
No, wait, uuhhh... I've heard that all ports above 1024 are safe since they're only dynamic??
No. Really. You CANNOT tell what ports are safe simply by looking at their number, simply because that is really all it is. A number. You can't mount an attack through a 16-bit number.
The security of a "port" depends on what application you'll reach through that port.
A common misconception is that ports 25 (SMTP) and 80 (HTTP) are safe to pass through a firewall. *meep* WRONG. Just because everyone is doing it doesn't mean that it is safe.
Again, the security of a port depends on what application you'll reach through that port.
If you're running a well-written web server, that is designed from the ground up to be secure, you can probably feel reasonably assured that it's safe to let outside people access it through port 80. Otherwise, you CAN'T.
The same is true for "inside" users visiting a compromised website on port 80 (HTTP). This website will send you the virus, or other NOT wanted data, to the application that requested this data on the "dynamically" assigned port on the local computer.
The problem here is not in the network layer. It's in how the application processes the data that it receives. This data may be received through port 80, port 666, a serial line, floppy or through singing telegram. If the application is not safe, it does not matter how the data gets to it. The application data is where the real danger lies.
If you are interested in the security of your application, go subscribe to bugtraq http://www.securityfocus.com or try searching their archives.
This is more of an application security issue rather than a firewall security issue. One could argue that a firewall should stop all possible attacks, but with the number of new network protocols, NOT designed with security in mind, and networked applications, neither designed with security in mind, it becomes impossible for a firewall to protect against all data-driven attacks.
How do most (modern) application Firewalls work?
After having installed an application Firewall on your computer, this piece of software, which we now know is a proxy server performing NAT/PAT on the local loopback interface of the computer, normally has only one single filter rule.
Deny Any-Direction Any-Local-IP Any-Local-Port Any-Remote-IP Any-Remote-Port
This means that the Firewall will DENY all traffic from all local Ports and all local IPs to any remote IPs and any remote Ports (Protocols/Services) and vice versa, thus letting no traffic out of the computer nor letting any traffic into the machine. This IS pretty safe, isn't it?
When you start your Web Browser, let's say this one is Mozilla Firefox, located at "c:\Application Directory\firefox.exe", this application will try to reach the starting page you use on the Internet, for example www.google.com, on port 80. What happens? The firewall will ask you if you want to permit or deny traffic from this application and if the filter rule that's going to be created should be remembered or not. You DO want to surf the web of course, so you click on Permit and "Remember this Rule, never ask me again". Bingo!!!... you're online, you are able to surf the web, you can go everywhere you want to :-)
O.K., a new filter rule has been created on the firewall. What does that one look like?
Because the application firewall doesn't know anything about the ports, protocols, IP addresses and directions that are required for this connection, the set of filter rules running on the firewall will now look like this.
Permit Any-Direction Any Any Any Any "c:\Application Directory\firefox.exe" MD5-Checksum
Deny Any-Direction Any-Local-IP Any-Local-Port Any-Remote-IP Any-Remote-Port
!!! Yes, DO reread that Permit rule a few times !!! And, YES, think that one over !!!
This filter rule permits the application firefox.exe, located in the "Application Directory" on the hard disk labelled c:\, to send data from any local port and IP address to any remote IP address and to any remote port.
This part of the filter rule allows the WWW browser to send a request for data (outgoing IP traffic) from a local (dynamically assigned, >1024) port (this is still what we like to have) to any remote host (that's o.k. too: www.google.com and www.cisco.com will have different IP addresses) regardless of the port (service) that is requested. And this isn't what we like to have!! The requested service was HTTP, so the port number the remote host is listening on is 80. The only outgoing IP traffic we need, in this case, will go to port 80.
The IP traffic that is sent back will come from the remote host, having the source port 80, and having our dynamically assigned local port and the external IP address of our router as destination. This traffic will be handled by the NAT/PAT part of the router, and the firewall, passing it to the port the application that requested it is listening on.
It also allows this application to receive data from any remote IP address and any remote port to any local IP address and any local port.
This would only be needed if the application, in this case firefox.exe, is listening on a certain port, running a server service. So this part of the filter rule is not needed at all.
The MD5 checksum is a so-called "hash value" that is calculated on the basis of the current "state" of the application. This value looks something like this: "AEEA89AA629382BU89K2346", and this value is specific for any application running on your computer.
The first thing you are protected from is an "attacker" changing a part of the application and this causing the MD5 checksum to change. (Have you ever wondered why the firewall isn't asking you to create a new filter rule after loading a new script file into your mIRC?)
The firewall will ask you if the changed application, still having the same name and still located at the same place on the hard disk, should be allowed to connect to the internet in the future.
Most users will think that this is o.k., because they don't know exactly what the cause was, and will allow the application, now running some malware too, to connect to the internet in the future. The piece of malware could now use ANY remote port it wants, connecting to ANY remote IP address, receiving data on ANY local port and IP address.
The second thing you are protected from is an "attacker" installing a new application that tries to connect to the internet. If that application tries to do so, the firewall will ask you if that application should be allowed to do so or not.
The third thing that the firewall is protecting you from is an "attacker" trying to connect to an application that has no entry in the filter rules list that the firewall is working with, because the firewall still has its last rule: Deny anything else coming in or going out of the machine that I do NOT know of, and/or give the user a warning if just this happens.
Services, Portnumber, Type, Direction overview
This is only a short overview of the most common services used by most of the people using a computer to connect to the internet, the protocol type, and the direction that should be opened in the firewall running on the computer used for that.
Service                Portnumber        Type       Direction (Incoming / Outgoing)
DNS                    53                UDP        ✓
HTTP/HTTPS             80/443            TCP        ✓
FTP                    20/21             TCP/UDP    ✓
TELNET                 23                TCP/UDP    ✓
POP3                   110               TCP        ✓
SMTP                   25                TCP        ✓
IRCU                   6665-6669/7000    TCP/UDP    ✓
IDENT                  113               TCP        ✓
Private File Service   59                TCP/UDP    ✓ ✓
NNTP                   119               TCP/UDP    ✓
NTP                    123               TCP/UDP    ✓
Remote Desktop         3389              TCP/UDP    ✓ ✓
A complete list of ports registered at the IANA can be found here: http://www.iana.org/assignments/port-numbers
The ports for "incoming traffic" should ONLY be opened if YOUR computer has to provide this particular service.
For example: If you're using your Web Browser to connect to the internet and to download files using FTP, you should allow outgoing traffic, TCP/UDP on ports 20 and 21 and TCP on ports 80 and 443, for this particular application only.
For your E-Mail client you should allow outgoing traffic, TCP only on ports 25 and 110, allowing you to send and receive E-Mails.
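As an added example, not code from the article or from any firewall product, here is a small Python model of the filter rules discussed in the application firewall section and in the service overview above: the default Deny rule, the over-broad Permit rule created for firefox.exe with its MD5 checksum, and a tightened rule that only permits outgoing HTTP/HTTPS/FTP from a dynamic local port. The binary contents, the path and the addresses are constructed, and a non-matching connection is modelled as Deny where a real firewall would prompt the user.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the browser binary; a real firewall hashes the file on disk.
FIREFOX_IMAGE = b"firefox.exe build 1 (constructed sample bytes)"
TROJANED_IMAGE = FIREFOX_IMAGE + b" + injected code"   # same path and name, changed content
FF_PATH = r"c:\Application Directory\firefox.exe"
def md5_of(image: bytes) -> str:
    return hashlib.md5(image).hexdigest().upper()

@dataclass
class Connection:
    app_path: str
    app_md5: str
    direction: str    # "out": the local application sends; "in": a remote host initiates
    local_port: int
    remote_ip: str
    remote_port: int

@dataclass
class Rule:
    action: str       # "Permit" or "Deny"; None in any field below means "Any"
    direction: Optional[str] = None
    local_ports: Optional[range] = None
    remote_ip: Optional[str] = None
    remote_ports: Optional[set] = None
    app_path: Optional[str] = None
    app_md5: Optional[str] = None
    def matches(self, c: Connection) -> bool:
        return ((self.direction is None or self.direction == c.direction)
                and (self.local_ports is None or c.local_port in self.local_ports)
                and (self.remote_ip is None or self.remote_ip == c.remote_ip)
                and (self.remote_ports is None or c.remote_port in self.remote_ports)
                and (self.app_path is None or self.app_path == c.app_path)
                and (self.app_md5 is None or self.app_md5 == c.app_md5))

def decide(rules: list, c: Connection) -> str:
    """First matching rule wins. No match means the firewall prompts the user; modelled as Deny."""
    return next((r.action for r in rules if r.matches(c)), "Deny")

DENY_ALL = Rule("Deny")   # the single rule present right after installation
# Rule created by "Permit, remember this rule": only path and MD5 are fixed, everything else is Any.
BROAD = [Rule("Permit", app_path=FF_PATH, app_md5=md5_of(FIREFOX_IMAGE)), DENY_ALL]
# What a browser actually needs: outgoing only, dynamic local port, remote HTTP/HTTPS/FTP ports.
TIGHT = [Rule("Permit", direction="out", local_ports=range(1025, 65536),
              remote_ports={80, 443, 20, 21}, app_path=FF_PATH, app_md5=md5_of(FIREFOX_IMAGE)), DENY_ALL]
# Constructed connection attempts (addresses from the documentation ranges).
SURF = Connection(FF_PATH, md5_of(FIREFOX_IMAGE), "out", 1040, "192.0.2.10", 80)
INBOUND = Connection(FF_PATH, md5_of(FIREFOX_IMAGE), "in", 1040, "198.51.100.7", 6667)
TROJAN = Connection(FF_PATH, md5_of(TROJANED_IMAGE), "out", 1041, "198.51.100.7", 6667)
```

The INBOUND case is exactly the part of the broad rule the text says is not needed, and the TROJAN case shows the checksum doing its job: a modified binary at the same path no longer matches and falls through to the Deny rule.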
Last but not least, here are three useful links for people having problems with DCC and mIRC:
http://www.ircbeginner.com/ircinfo/dcc-trouble.html
http://www.mirc.org/dcchelp.html
http://www.mircscripts.org/showdoc.php?type=tutorial&id=2355
