How does the HTTP protocol work with ports?

bubba

Golden Member
Oct 10, 1999

OK, HTTP uses port 80 to negotiate a connection. I was told that it then will negotiate a connection for a high (>1024) port to actually do the data transfer on. Is this true? Or is all data sent and received through port 80 itself?

I was told that this is one of the reasons why you can't just block off any old ports > 1024
 

spidey07

No Lifer
Aug 4, 2000
That is incorrect. When you pull up a web page you are talking to port 80 on the server. Frames look like this:
FRAME1
SA=source address
DA=destination address
SP=source port
DP=destination port

FRAME2
SA=myip, DA=webserver
SP=client port >1024, DP=80
Hey web server...wanna talk?

FRAME3
SA=webserver, DA=myip
SP=80, DP=clientport
Sure thing client, here's my sequence number

FRAME4
SA=myip, DA=webserver
SP=^^^clientport, DP=80
ACK SEQ#+1, SEQ=X

-----End of three way handshake, TCP connection is now open-----
FRAME5
SA=myip, DA=webserver
SP=clientport, DP=80
Hey server give me webpage.

FRAME6
SA=webserver, DA=myip
SP=80, DP=clientport
Here's the first datagram for the web page..

and so on and so forth.

My big long explanation is that a TCP connection consists of two sockets (myip:clientport, webserver:80) the connection occurs between these socket pairs.

hope that explains it
 

bubba

Golden Member
Oct 10, 1999

OK, let's see if I got it... So the server transmits on port 80 and the client receives on a high numbered port? So that seems to me to be a reason why you can't block off all high ports on the router, or you would block off HTTP for the clients.

Do I have something backwards?
 

spidey07

No Lifer
Aug 4, 2000
When you block ports on a router or firewall you have to specify source or destination. TCP header contains them both. You have to draw the distinction between inbound and outbound which is why I included the half-assed packet trace above from memory.

You are close to correct:
Server transmits to client with source port of 80, dest port of >1024
Client transmits to server with source port of >1024, dest port of 80.

myip:2000 <-----> webserver:80
-----> deny any dest port <> 80
<----- deny any src port <> 80

catch my drift? Most firewalls handle this intelligently by recognizing responses to requests. What product are you trying to figure out?

royster
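Added example (not from the thread or any of its posters): a small Python model of the two ACL lines above, next to a firewall that tracks the socket pair a client opened and only lets replies back in. It replays FRAME2 to FRAME6 from the earlier post and then goes one step further than the thread by feeding each model an unsolicited inbound frame with source port 80. The addresses and client port are constructed sample values.

```python
from dataclasses import dataclass

MYIP, WEBSERVER = "192.0.2.10", "198.51.100.80"  # constructed sample addresses

@dataclass(frozen=True)
class Frame:
    sa: str   # source address
    da: str   # destination address
    sp: int   # source port
    dp: int   # destination port
    syn: bool = False

def stateless(frame):
    """The two ACL lines: outbound must go to dst 80, inbound must come from src 80."""
    if frame.sa == MYIP:                                   # -----> deny any dest port <> 80
        return "permit" if frame.dp == 80 else "deny"
    return "permit" if frame.sp == 80 else "deny"          # <----- deny any src port <> 80

class Stateful:
    """Permits an inbound frame only if it answers a connection a client opened outbound."""
    def __init__(self):
        self.pairs = set()                                 # (myip, clientport, server, serverport)

    def decide(self, frame):
        if frame.sa == MYIP:
            if frame.syn:                                  # the client's 'wanna talk?' creates state
                self.pairs.add((frame.sa, frame.sp, frame.da, frame.dp))
            return "permit" if (frame.sa, frame.sp, frame.da, frame.dp) in self.pairs else "deny"
        # inbound: look the reversed socket pair up in the table
        return "permit" if (frame.da, frame.dp, frame.sa, frame.sp) in self.pairs else "deny"

def http_trace(client_port=2000):
    """FRAME2..FRAME6 from the post: handshake, request, first datagram of the page."""
    out = lambda syn=False: Frame(MYIP, WEBSERVER, client_port, 80, syn)
    back = Frame(WEBSERVER, MYIP, 80, client_port)
    return [out(syn=True), back, out(), out(), back]

def decisions(fw, frames):
    return [fw(f) for f in frames]

if __name__ == "__main__":
    print(decisions(stateless, http_trace()))              # all permit
    print(decisions(Stateful().decide, http_trace()))      # all permit
    unsolicited = Frame(WEBSERVER, MYIP, 80, 2000)         # nobody asked for this one
    print(stateless(unsolicited), Stateful().decide(unsolicited))
```

The stateless rules let a client's web session through, but they also admit any inbound frame that merely claims source port 80; the stateful model rejects it because no client ever opened that socket pair.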
 

bubba

Golden Member
Oct 10, 1999

I was just trying to argue why it is silly to just randomly block ports > 1024 at the firewall that have higher traffic, assuming that they are napster. It seems silly, because napster will just hop to another open port, so eventually you would have to block off all ports > 1024. If one did this, you would block off HTTP, and many other things.