Do firewalls block non-HTTP traffic on port 80?

Posted 2019-06-16 19:13

Question:

Can anyone confirm that using a persistent outgoing TCP connection on port 80 will not be blocked by the vast majority of consumer firewalls?

That has been my assumption, based on the fact that HTTP runs over TCP, but of course it is theoretically possible to analyze the packets. The question is: do most CONSUMER firewalls do this or not?

Answer 1:

The feature is called ALG, Application Layer Gateway. This is where the firewall is aware of, and perhaps even participates in, an application protocol.

There are two main reasons a firewall may do this:

  • Protocol support: in order to support the protocol it is necessary to snoop/participate, e.g. opening up additional ports for non-passive FTP or media ports for SIP+SDP.
  • Additional security: an ALG may function as a transparent proxy and filter protocol commands and actions to enforce policy, e.g. preventing the HTTP CONNECT method.

ALGs have been a common feature of stateful firewalls for many years, though often the source of instability.

For security proscriptive environments expect HTTP to be validated and filtered either by a firewall or other dedicated policy enforcement appliance.


Residential broadband routers do not tend to have advanced firewall features. I would be surprised to find any with HTTP validation / filtering on port 80.

Personal software firewalls come in two flavours, basic and advanced. Most consumers will have a basic one that probably comes with their operating system and will not do any HTTP validation / filtering.

However, there is a rising trend in antivirus product differentiation towards advanced internet content filtering for threat protection. There is a significant possibility that these filter HTTP activity (but it is difficult to determine with certainty from their feature lists).



Answer 2:

It's almost impossible to answer this question with anything other than "it depends".

Most leading firewall vendor solutions will do this through their configuration.

You will find paranoid organisations (financial, government, military, gambling etc) will typically have such application intelligence enabled. They will detect the traffic as not valid HTTP and so block it for both security and performance reasons.

This type of feature is (these days) typically turned on by default and as you know, most people don't change a default configuration after the vendor or consultant has left.

However, some companies, where the techies don't understand or have no power in the decision-making, will turn such application intelligence off because it interferes with business, i.e. internal apps or external apps (running on the LAN and connecting back), developed as bespoke solutions, work over TCP port 80 (hey, it's always open) and are non-HTTP.

You don't just have to worry about firewalls, though: most companies run internal proxy servers for outgoing traffic, and these typically now only allow valid HTTP on port 80. Their configuration isn't changed, as a proxy server is usually requested by the infrastructure and security teams and they don't want non-HTTP over port 80. Additionally, there are also load balancers, and they're typically configured for HTTP on port 80 for a variety of reasons such as content switching, rewrites, load balancing and security.

To summarise, in my experience, that'd be a yes but I haven't worked a lot with SMEs, primarily larger corporates.
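
As an added illustration of the HTTP validation both answers above describe (answer 1's ALG that blocks the CONNECT method, answer 2's "detect the traffic as not valid HTTP and so block it"), here is a small Python classifier of the kind an ALG or proxy applies to the opening bytes of a port-80 stream. It is example code written for this page, not any vendor's implementation; the request grammar is a simplification of RFC 7230 and the sample streams are constructed.

```python
import re

# Simplified HTTP/1.x request-line grammar (RFC 7230, section 3.1.1):
#   method SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"\A([A-Z]{1,20}) (\S{1,8192}) HTTP/1\.([01])\r\n")
# header-field = token ":" OWS field-value, terminated by CRLF
HEADER_LINE = re.compile(rb"\A([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*[\t\x20-\x7e]*\r\n")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"PATCH", b"CONNECT"}


def classify_port80_stream(data: bytes, allow_connect: bool = False) -> str:
    """Return 'allow' or 'block:<reason>' for the client's opening bytes.

    This mimics the decision an HTTP ALG makes: the port number is irrelevant,
    only whether the bytes form a well-formed HTTP/1.x request header block.
    """
    if b"\r\n\r\n" not in data:
        # Header block never completes: a stateful ALG buffers a little, then
        # gives up. TLS, SSH or a bespoke binary protocol on port 80 lands here.
        return "block:incomplete-or-not-http"
    m = REQUEST_LINE.match(data)
    if not m:
        return "block:not-http"
    method, version = m.group(1), m.group(3)
    if method not in KNOWN_METHODS:
        return "block:unknown-method"
    if method == b"CONNECT" and not allow_connect:
        return "block:connect-forbidden"   # the policy example from answer 1
    rest, seen_host = data[m.end():], False
    while not rest.startswith(b"\r\n"):   # until the empty line ending the headers
        h = HEADER_LINE.match(rest)
        if not h:
            return "block:malformed-header"
        seen_host |= h.group(1).lower() == b"host"
        rest = rest[h.end():]
    if version == b"1" and not seen_host:
        return "block:missing-host"        # HTTP/1.1 requires Host (RFC 7230, 5.4)
    return "allow"


# Constructed sample streams (not captured traffic).
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n",
    "tls":     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32,
    "ssh":     b"SSH-2.0-OpenSSH_9.6\r\n",
    "bespoke": b"HELLO myapp v2\r\n{\"session\":1}\r\n\r\n",
    "connect": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
}

if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        print(f"{name:8s} -> {classify_port80_stream(stream)}")
```

Only the "browser" sample passes; the persistent non-HTTP connection the question asks about behaves like the "bespoke" or "ssh" samples and is dropped by any device that runs a check of this kind.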



Answer 3:

Port 80 is blocked by many firewalls. For example, you have to add exceptions, like I allow Skype or MSN Messenger to use port 80 for outgoing traffic.