Firewall & Port Questions

What ports should I NOT block that would still allow web browsing?

Does anyone have the IP ranges for the authentication servers for MSN Messenger, Yahoo Messenger, ICQ, AOL, etc?

Thanks,

Jason

Jason Turner

On 8 Nov 2004 07:43:45 -0800, Jason Turner spoketh

You need to allow outbound access on ports 80/tcp and 443/tcp for web browsing, and also port 53/udp for DNS lookups.

Lars M. Hansen

Remove "bad" from my e-mail address to contact me. "If you try to fail, and succeed, which have you done?"

Lars M. Hansen

If web = http:

It depends! You may need TCP port 80 (some web servers do not use the assigned port 80, which means you may have to allow ... any port if you want to surf test/non-standard servers) and UDP+TCP port 53 (probably only to your ISP's DNS server, for name resolution) if you surf directly (no proxy). If you're using a proxy, you'll need to allow the proxy port (could be TCP 8080) to your provider's proxy.

This is outbound traffic. Make sure you also allow the return traffic (from the servers to you).

stephane nasdrovisky

Here is a link for all of Micro$oft's products:

formatting link

Anonymous

That's a great ref. Much thanks!

Re DNS, per Wikipedia:

"The DNS uses TCP and UDP ports 53 to serve requests. Almost all DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. TCP is typically used only when the response data size exceeds 512 bytes, or for such tasks as AXFR [entire zone transfers]."

From what I've read, Windows nameservers will switch to TCP on a LAN.

-Gary

Gary

My view on this always has been to block all non-standard ports, and open when required AND JUSTIFIED. Depends on your business rules and politics. You could also have an internal cache DNS running on a cheap Linux box and allow ONLY THIS BOX to use 53/udp. Some firewalls also can act as a cache DNS.

JF

Jean-Francois Messier
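
The egress policy the replies above describe (default deny, 80/tcp and 443/tcp outbound, DNS on port 53 over UDP and TCP only from an internal caching resolver, and return traffic allowed statefully), written as an nftables ruleset for a routing firewall. This is an added example, not part of the original thread; the interface names `lan0` and `wan0` and the resolver address `192.0.2.53` are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny egress on a firewall that routes LAN traffic.
# Assumed names (not from the thread):
#   lan0       inside interface
#   wan0       outside interface
#   192.0.2.53 internal caching DNS resolver (documentation address)

define LAN_IF   = "lan0"
define WAN_IF   = "wan0"
define RESOLVER = 192.0.2.53

table inet egress {
    chain forward {
        # Nothing is forwarded unless a rule below accepts it.
        type filter hook forward priority filter; policy drop;

        # Return traffic: replies to connections opened from the inside.
        ct state established,related accept
        ct state invalid drop

        # Web browsing from any inside host (HTTP and HTTPS).
        iifname $LAN_IF oifname $WAN_IF tcp dport { 80, 443 } ct state new accept

        # DNS only from the caching resolver. TCP is included because
        # replies over 512 bytes and zone transfers fall back to it.
        iifname $LAN_IF oifname $WAN_IF ip saddr $RESOLVER udp dport 53 ct state new accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $RESOLVER tcp dport 53 ct state new accept

        # Any other outbound attempt is logged (rate limited) and then
        # dropped by the chain policy; the log shows which ports to
        # justify and open later.
        iifname $LAN_IF limit rate 10/second log prefix "egress-deny: "
    }
}
```

Inside hosts must use the resolver as their DNS server, since direct queries to outside servers are dropped. A site that browses through a provider's proxy would replace the 80/443 rule with one for the proxy's address and port.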
