ZoneAlarm -- UDP port requests

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    121

    ZoneAlarm -- UDP port requests

    I have recently installed ZoneAlarm (today) and while setting it up I'm trying to cut out all ports possible so I only allow the necessary ports that allow for connection/transfer. In doing that I was working on setting IE only for port 80 and FTP 21... I had that set up but it's asking for all these weird UDP ports, e.g.: 3443 3446 3449 3452 3455 3458 3461 3464 3467 3470 3473 3476 3479 3482 3485 3488 3491 3494 3497 3500 3503 3506 3509 3512 3515 3518 3521 3524 3527 3530... well, you notice a pattern as I did when writing them down... I had to close and open IE every time to get a new error... I should only need port 80, right? Why does it try to make me open these UDP ports? If anyone knows the reason why it's doing that, please, I'd appreciate the help. I tried to set it up in the security settings to have it run through a local proxy port 80 at 127.0.0.1 but it didn't work. I might have the wrong idea but it's the direction I'm going right now. Thanks for the help!

  2. #2
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    IE runs on port 80 and can run on a couple of others too, but look at what other programs you have running in the background that require an internet connection. Even ZA uses several different ports to run.

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    121
    That isn't when I'm getting the messages. I start IE and www.google.com is my homepage... It starts to open and boom, message UDP XXXX is blocked and it won't go anywhere... I allow all and it'll let me get there. I figure then, since I don't get the message when it's online and just 'chillin', it's IE (good assumption, don't you think?). Well, now I don't know why I can't reroute it through just 80.

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    When listing ports, it's often helpful to include both ends of the transmission... often, anything over 1024 it's sufficient to think "high port" and anything below as "low port." Typically, "high port to high port" is some random user application dialog whereas "high port to low port" is typically a user client talking to a server process elsewhere. Things like web, dns and a few others are pretty much "high port to low port" -- things like FTP throw in a few curve balls and have a lot of "high to low" and "low to high" and even some "high to high."

    I know... all I probably did here was to confuse a whole lot of people with these generalizations.

  5. #5
    str34m3r
    Guest
    It could be that your computer is making DNS requests and those are the UDP source ports. Without a more detailed explanation of what Zone Alarm is saying, I can't be sure.

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    121
    OK, my understanding of what I think is going on... it will send for the information on any random port over 1024 and it will either receive it back on 80 or just another random port. My understanding might be flawed (tell me so if it's wrong) but if right I am trying to make it only go through 80 so as to only allow transmission through 80.

  7. #7
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    In almost all TCP/IP traffic, the return port (dst port from server or src port from client) will always be > 1024; however, any firewall worth its salt will recognize that an outbound connection was made and expect return traffic on the port that was specified (and also at the same time recognize if someone is trying to inject false traffic).

    It has always been my understanding (and it may be incorrect) that the reason why all return traffic is on ports > 1024 is that on all Unix systems, ports 0-1023 are special reserved ports that must have a root-privileged daemon running to accept the connection (otherwise the program shouldn't be permitted to open the socket for the connection). So to have a source port of 80 and a dest port of 80 should never happen, period (and might even cause the traffic to be stopped by security devices on the other end of the stream).

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Port 80 is the port a web server listens on. You'll receive replies on the first available port over 1024. These connections stay listening for a while, so your next request will be received on the next higher port available.
    The UDP requests are to a name server; if you were to type in an IP address instead, you won't get a warning from ZoneAlarm. IE does not listen on port 80.

  9. #9
    Junior Member
    Join Date
    Mar 2002
    Posts
    2
    u using IE, and it is a client program which is not supposed to work on predefined service ports. check out the ports 1-1024, generally reserved ports, not restricted but reserved for server side applications: 21=ftp server, 23=telnet server, 56=dns (each service port may have UDP port and Stream port, see sockets implementation). port is an end communication point used to define standards (how else would u know on which port web server runs if u wouldn't know it's 80, where would u connect to?).
    client applications do not have predefined ports since they do not listen on certain ports for a connection but connect themselves to the standard predefined ports (ports generally assigned to a client application by the system and go from 1024 up, see ports and sockets implementation conventions).
    close ur ZA, connect to several sites using IE and in dos mode run "netstat" or "netstat -an"
    u will see the ports + ip used on ur side and on the other.
    UDP ports, as was said before, in ur case r used for DNS queries and it's not server ports but client ports. when u have an alert check out which application tried to use it.
    in any case if u r so suspicious just download good trojan scanner and port scanner and just check which ports on ur computer are listening (before doing it shut down ur ZA).

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    121
    Well, I'm just trying to eliminate all unnecessary ports. When I get all those UDP blocked messages it's telling me I can't connect somewhere using IE. I have set up programs that I allow access and now I'm just 'fine tuning' them and I don't know how to avoid "allow all" for the ports and services option. If there is a way please tell me. Thanks
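
An added example, not part of any post in this thread and not ZoneAlarm's own logic: a minimal stateful filter in Python that keys outbound rules on the remote port (TCP 80, UDP 53), so the changing local UDP source ports listed in the first post need no rule of their own and unsolicited inbound packets are still dropped. The class and function names, addresses and packet list are constructed for illustration.

```python
# Added illustration: a minimal stateful filter keyed on the REMOTE port.
# Policy, addresses and packets below are constructed sample data.
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str    # "out" or "in"
    proto: str        # "tcp" or "udp"
    local_port: int   # ephemeral port picked by the OS on the client
    remote_ip: str
    remote_port: int  # well-known port the server listens on

# Outbound policy: match on protocol + remote (server) port only.
ALLOWED_OUTBOUND = {("tcp", 80), ("udp", 53)}

class StatefulFilter:
    def __init__(self, allowed_outbound):
        self.allowed = set(allowed_outbound)
        self.flows = set()  # flows opened by our own outbound packets

    def check(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            if (pkt.proto, pkt.remote_port) not in self.allowed:
                return "block"
            self.flows.add(key)  # remember it so the reply can come back
            return "allow"
        # Inbound: accept only replies to a flow this host opened.
        return "allow" if key in self.flows else "block"

def run(packets, allowed=ALLOWED_OUTBOUND):
    fw = StatefulFilter(allowed)
    return [fw.check(p) for p in packets]

DNS = "192.0.2.53"  # constructed resolver address (documentation range)
WEB = "192.0.2.80"  # constructed web server address

SAMPLE = [
    Packet("out", "udp", 3443, DNS, 53),    # DNS query, ephemeral source port
    Packet("in",  "udp", 3443, DNS, 53),    # matching DNS reply
    Packet("out", "tcp", 3444, WEB, 80),    # HTTP request, next ephemeral port
    Packet("in",  "tcp", 3444, WEB, 80),    # HTTP response
    Packet("out", "udp", 3446, DNS, 53),    # later lookup: new source port, same rule
    Packet("in",  "udp", 3449, DNS, 53),    # unsolicited: no flow on local port 3449
    Packet("out", "tcp", 3450, WEB, 6667),  # remote port not in the policy
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{verdict:5} {pkt}")
```

Calling `run(SAMPLE, {("tcp", 80)})` models the "port 80 only" setup from the first post: the DNS query is blocked before the browser ever reaches TCP 80 by name.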
