8

Can anyone confirm that using a persistent outgoing TCP connection on port 80 will not be blocked by the vast majority of consumer firewalls?

That has been assumption based on the fact that HTTP runs over TCP, but of course it is theoretically possible to analyze the packets. Question is do most CONSUMER firewalls do this or not?

Jamona Mican
  • 1,574
  • 1
  • 23
  • 54
  • 1
    Yes, there are quite a few things that do minimal packet analysis. Firewalls aren't the only issue either: proxies also filter things. – Mat May 16 '12 at 08:05

3 Answers3

4

The feature is called ALG, Application Layer Gateway. This is where the firewall is aware of and perhaps even participates in an application protocol

There are two main reasons a firewall may do this:

  • Protocol support, in order to support the protocol it is necessary to snoop/participate, e.g. opening up additional ports for non passive FTP or media ports for SIP+SDP
  • Additional security, an ALG may function as a transparent proxy and filter protocol commands and actions to enforce policy. E.g. preventing the HTTP CONNECT method

ALGs have been a common feature of stateful firewalls for many years, though often the source of instability.

For security proscriptive environments expect HTTP to be validated and filtered either by a firewall or other dedicated policy enforcement appliance.

Residential broadband routers do not tend to have advanced firewall features. I would be surprised to find any with HTTP validation / filtering on port 80.

Personal software firewalls come in two flavours, basic and advanced. Most consumers will have a basic one that probably comes with their operating system and will not do any HTTP validation / filtering.

However, there is a rising trend in antivirus product differentiation of advanced internet content filtering for threat protection, there is significant possibility these may filter HTTP activity (but is difficult to determine with certainty from their Feature Lists).

MattH
  • 37,273
  • 11
  • 82
  • 84
  • 1
    Do consumer firewalls do this? I'm trying to get a feel of whether port80 non-HTTP outgoing traffic is blocked for the majority of people, not whether it's technically possible to block it. – Jamona Mican May 16 '12 at 08:28
  • What do you mean by "consumer firewalls"? Residential broadband routers? Personal software firewalls? – MattH May 16 '12 at 08:44
  • 1
    Yep, both of those. As in firewalls not run by companies. – Jamona Mican May 16 '12 at 08:46
  • Accepted since only answer to address non-corporate situations, which is what I meant as 'consumer' in the question. Cheers... – Jamona Mican May 16 '12 at 09:27
  • You're welcome. When you mention *Firewall*, it is synonymous with *Dedicated Hardware Firewall* in my mind and perhaps those of others. I'm not used to the term *Consumer Firewall* and do not immediately associate it with *Residential Broadband Router* or *Personal Software Firewall*. – MattH May 16 '12 at 09:36
  • @Pacerier: yep when I said _most consumers will have a basic one that comes with their operating system_ I was referring to things like Windows Firewall, which may have had improvements in the 5 years since. – MattH Mar 22 '17 at 12:03
  • @MattH, Does "preventing the HTTP CONNECT" prevent users to use https websites? – Pacerier Oct 24 '17 at 00:00
  • @Pacerier If the browser is trying to use a proxy for HTTPS, the CONNECT method is used to request that the TCP session be connected to the IP and port pair. The proxy may also restrict the IP and/or port numbers that it will connect to. But yes, denying CONNECT will prevent the proxy from being used for SSL – MattH Oct 24 '17 at 09:58
2

It's almost impossible to answer this question with anything other than "it depends".

Most leading firewall vendor solutions will do this through their configuration.

You will find paranoid organisations (financial, government, military, gambling etc) will typically have such application intelligence enabled. They will detect the traffic as not valid HTTP and so block it for both security and performance reasons.

This type of feature is (these days) typically turned on by default and as you know, most people don't change a default configuration after the vendor or consultant has left.

However, some companies, where the techies don't understand or they have no power in the decision-making, will turn such application intelligence off because it interferes with business, i.e. internal apps or external apps (running on the LAN and connecting back), developed as bespoke solutions, work over TCP port 80 (hey, it's always open) and are non-http.

You don't just have to worry about firewalls though, most companies run internal proxy servers for outgoing traffic and these typically now only allow valid HTTP on port 80 and their configuration isn't changed as a proxy server is usually requested by the infrastructure and security teams and they don't want non-http over port 80. Additionally, there's also load balancers and they're typically configured for HTTP on port 80, for a variety of reasons such as content switching, rewrites, load-balancing and security.

To summarise, in my experience, that'd be a yes but I haven't worked a lot with SMEs, primarily larger corporates.

Mark Hillick
  • 6,853
  • 1
  • 19
  • 23
0

port 80 is blocked by many firewalls for example you have to add exceptions like i allow Skype or msn messenger to use port 80 for out going traffic

awais
  • 11
  • 3