Source Address / Source Port vs Destination Address / Destination Port


I am new to TCP/IP and trying hard to learn basics. Well, I really wonder about inbound rules and outbound rules of firewall and concept of source address port, destination address port.

For example, I am investigating port 80. I know that Http uses port 80. But when I try to listen to the traffic I see that my browser doesn't use port 80. As you see from the image only destination port 80 is used and "destination" should be the server that hosts web pages. And also there is no used port 80 on source port, "source" should be my computer.


My browser uses some other ports as a source and goes to the server port 80. From that, I understand that port 80 of my computer is not used for Http, only server computers that host the web pages use port 80 but if I close port 80 of my computer from outbound rules the internet doesn't work. But as I understood before from the image, port 80 is not used on my computer.

Really confused. Can anybody clarify it for me?

Best Answer

OK, so let's dive into the details of IPv4. Each IP packet has a source IP address and port and a destination IP address and port. An IP address is for the whole computer, so the IP address is enough to bring a packet from computer A to computer B. If you have two services running on one computer like eMail and Webserver the IP packets need to reach the right service. The selection of the right service is done based on the ports.

If a client wants to connect to a server like a webserver or a mail server, then the client needs to know the IP address of the server. In a web browser you enter the DNS name or the IP address of the server. In a mail client it was also you that entered the name of the mail server. So when the client wants to connect to the server, the only thing missing is the port. To make that easy, there are standards that define which port is used/reserved for which service. For http for example port 80 is reserved. A webserver is only listening on port 80 but ignoring any other ports.

If you want to, you can configure a webserver to listen to any port you want, it could also for example be port 12345. But then clients would need to enter http://ip:12345/ so the web browser knows on which port to contact the webserver. Just giving http://ip/ would be a short cut for http://ip:80/.

So as you have seen, the server is working on a well defined port, he is receiving packets sent to destination=server-ip:server-port and sending packets with source=server-ip:server-port. On the client side the operating system is opening a new socket for each new connection and assigning a unique (not yet used) port to the socket. Which port is used is not relevant. The client is the one who is initiating a connection, he sends packets with source=client-ip:client-port to the server. The server can look at the packet's source and now knows who is connecting to him and where he shall send back the answers.

Each quadruple server-ip:server-port:client-ip:client-port uniquely identifies a connection.

Clients view connections as outgoing, servers view them as incoming. Firewalls can have outbound rules (sending packets) and they can have inbound rules (receiving packets). If you want to block http connections from/to your computer, the only thing you know is the port that the server is using. So when you want to block web browsers on your computer, then you must define a deny outbound firewall rule for destination=port 80. If you want to block other computers so they can't connect to a web server that you are running on your computer, then you must define a deny inbound firewall rule for destination=port 80.

Some more stuff you didn't ask for:

  • Not every service has a designated/reserved IP port.
  • There are also protocols for special service discovery procedures.
  • The (16 bit) range of ports is divided into two parts. Port numbers 1-1024 are reserved for admin/system processes while higher port numbers can be used by anyone.
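An added example, not part of the answer above: a small simulation of stateless firewall rules matched on the source/destination address:port quadruple, showing why a deny rule on outbound *destination* port 80 stops the browser while one on outbound *source* port 80 does nothing. The IP addresses are documentation ranges and the port numbers are constructed sample values.

```python
# Added example (not from the answer): stateless firewall rule matching on the
# source/destination address:port quadruple. All addresses/ports are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "outbound" = leaving this host, "inbound" = arriving here
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    direction: str
    action: str  # "allow" or "deny"
    dst_port: Optional[int] = None  # None matches any port
    src_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.src_port is None or p.src_port == self.src_port))

def decide(rules, p: Packet, default: str = "allow") -> str:
    """First matching rule wins; no match falls through to the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

def connection_id(p: Packet) -> tuple:
    """Direction-independent quadruple: a request and its reply share one key."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return tuple(sorted([a, b]))

MY_IP, WEB_IP, OTHER_IP = "192.0.2.10", "198.51.100.20", "203.0.113.5"
# Browser on this host contacts a remote web server from an ephemeral port.
request = Packet("outbound", MY_IP, 51234, WEB_IP, 80)
reply = Packet("inbound", WEB_IP, 80, MY_IP, 51234)
# Another host contacts a web server running on this host.
visitor = Packet("inbound", OTHER_IP, 40000, MY_IP, 80)

# Denying outbound packets whose *source* port is 80 does nothing to browsing.
wrong_rule = [Rule("outbound", "deny", src_port=80)]
# Denying outbound packets whose *destination* port is 80 stops the browser.
block_browsing = [Rule("outbound", "deny", dst_port=80)]
# Denying inbound destination port 80 keeps others off the local web server.
block_local_server = [Rule("inbound", "deny", dst_port=80)]
```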