I agree with Scott with this caveat...some firewalls will lock down the
outbound >1024 to prevent application hijacking. So in these cases you have
to allow the apps outbound privileges.

Eric S
----- Original Message ----- 
From: "Scott Perry" <[EMAIL PROTECTED]>
To: <IMail_Forum@list.ipswitch.com>
Sent: Friday, February 25, 2005 10:03 AM
Subject: Re: [IMail Forum] Windows TCP/IP Filtering


>
> >I believe you need to open the ports above 1025 to initiate the outgoing
> >connections.
> >I am sure someone will correct me if I am wrong :-).
>
> This is a fairly common misconception.
>
> You *NEVER* need to (or should!) specify in a firewall (hardware or
> software) that ports above 1025 need to be open.
>
> The longer answer is that yes, ports above 1025 are used.  But they are
> used in a way that the firewall doesn't need to be concerned about
> them.  Each TCP/IP connection has a client side and a server side.  Only
> the port on the server side needs to be analyzed (the one the client is
> connecting to), as that port helps determine what the traffic is (SMTP?
> DNS? HTTP?).  The port on the client side has no connection to the type of
> traffic, and blocking any port(s) on the client side will either have [1]
> no effect (if the port(s) aren't ones that are used by the client, such as
> 5000+ by default on Windows), [2] have a seemingly random effect (blocking
> anywhere from about 1/10 of a percent of traffic or more, depending on how
> many ports are blocked), or [3] would block all traffic.  None is desired
> by the administrator of a firewall.  Therefore, every firewall should
> automatically allow such traffic through.
>
> Of course, there is a *SERIOUS* drawback to opening all ports above
> 1025:  It defeats the whole purpose of the firewall.  The purpose of the
> firewall is to block unnecessary traffic, but now you're allowing it.  That
> means that all of a sudden those trojan horses sitting on computers behind
> the firewall can be accessed by the hackers who installed them (via E-mail
> or web vulnerabilities, perhaps), and the hackers now have full access to
> your network.
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
>
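
As an added example (not part of either poster's message), here is a small Python model of the distinction Scott draws. The stateful filter applies policy to the server-side port only and admits an inbound packet on a high port solely as a reply to a connection it has already tracked, while a static "allow inbound above 1024" rule also admits unsolicited traffic to that port. The addresses, ports and the allowed-port set are constructed for the demo.

```python
from dataclasses import dataclass
# Constructed policy for the demo (not from the thread): server-side ports this host may reach.
ALLOWED_SERVER_PORTS = {25, 53, 80, 443}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str     # "out" = leaving the protected host, "in" = arriving at it
    syn: bool = False  # True for the first packet of a new TCP connection


class StatefulFirewall:
    """Policy is applied to the server-side port only; client-side ports ride on tracked state."""

    def __init__(self, allowed_server_ports):
        self.allowed = set(allowed_server_ports)
        self.state = set()  # entries: (client_ip, client_port, server_ip, server_port)

    def check(self, p: Packet) -> str:
        if p.direction == "out":
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if key in self.state:
                return "ACCEPT"
            if p.syn and p.dst_port in self.allowed:
                self.state.add(key)  # remember the connection so its replies can come back
                return "ACCEPT"
            return "DROP"
        # Inbound: accepted only as a reply to a tracked connection, whatever the port number.
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return "ACCEPT" if key in self.state else "DROP"


def naive_high_port_rule(p: Packet) -> str:
    """The misconception in the thread: a static inbound rule that opens everything above 1024."""
    if p.direction == "out":
        return "ACCEPT"
    return "ACCEPT" if p.dst_port > 1024 else "DROP"


def demo():
    fw = StatefulFirewall(ALLOWED_SERVER_PORTS)
    # Constructed traffic: a client on 10.0.0.5 uses ephemeral port 5001 to reach an SMTP server.
    out_syn = Packet("10.0.0.5", 5001, "203.0.113.10", 25, "out", syn=True)
    reply = Packet("203.0.113.10", 25, "10.0.0.5", 5001, "in")
    # Unsolicited inbound to that same high port from an unrelated host (the case the thread warns about).
    unsolicited = Packet("198.51.100.7", 4444, "10.0.0.5", 5001, "in", syn=True)
    stateful = [fw.check(q) for q in (out_syn, reply, unsolicited)]
    naive = [naive_high_port_rule(q) for q in (out_syn, reply, unsolicited)]
    return stateful, naive
```

Running `demo()` returns the stateful verdicts first and the naive-rule verdicts second; only the naive rule lets the unsolicited packet through.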