how do firewall rules apply to internal-internal connections

Could someone tell me in general how Firewall rules are applied to connections between two processes running on the same machine? Is this a separate case, or is it just the same as with connections between different machines?

The case that got me wondering about this question is this: I use Thunderbird (Mozilla email app) and with it an add-on that lets you load webmail (like mail.aim.com) as if it were a pop server instead of an http server. This addon starts a separate process which listens on port 25 (acting as a pop server) and responds to requests by fetching mail from the web site and returning it to Thunderbird through the connection opened on port 25.

So the transaction (I imagine) goes like this.

Thunderbird starts
Thunderbird launches the webmail add-on
webmail add-on starts listening on port 25
Thunderbird (checking mail) opens connection to local port 25
webmail add-on opens http connection to mail.aim.com at whatever address and port (port 80?)
webmail add-on receives email info through this connection
thunderbird receives email info through local port 25 connection

In this context, my question is, do firewall rules for port 25 apply to the local port 25 connection between Thunderbird and the webmail addon?

Sorry if that’s a silly question, I’m still learning.

Thanks again.

Don’t use the webmail add-on, so don’t know the specifics. Have you made all this work without CFP3 installed? Internal connections are made via localhost, usually IP 127.0.0.1. Firewall rules are made for applications, so if webmail intercepts TB connections on port 25, it may be a proxy and use something like 11025 so as to avoid interference? You also need to make sure that your rules apply to localhost. And webmail may need separate rules, although Firefox add-ons usually use the Firefox rules. You can tell quite a bit by going to active connections and seeing who is listening on what port at what address.
As far as your scenario, port 25 is an smtp port and sends mail, not receives it. When TB sends an email, webmail should intercept it via localhost, do whatever processing is necessary, and send it out on to port 80. And send back the proper responses to TB.
So: Do you actually use ports 110 and 25 in TB and the real URLs of your POP/SMTP mail servers? Or address webmail as a proxy with proxy ports and localhost addresses?

Yes.

I’ve decided to reinstall XP from scratch (I’m pretty sure I’m compromised) and I’m trying to answer any questions beforehand to minimize the amount of flail involved. I’m using McAfee at the moment but it has major issues with Thunderbird (it works, but gets very slow as inbox file sizes grow) so I’m planning on Comodo when I reinstall. Plus Comodo reveals the detailed info I want (unlike McAfee which hides all that) and McAfee support … could be better, as opposed to the support here which has been great.

Firewall rules are made for applications, so if webmail intercepts TB connections on port 25, it may be a proxy and use something like 11025 so as to avoid interference?

You can set up the webmail add-on to use port numbers of your choice, although I haven’t tried it with anything other than 25 + 110 + 143.

You also need to make sure that your rules apply to localhost.

General question: how many of a particular port does one machine have (like how many of port 25)? I’d guess one per network adapter (in my case, one for my LAN adapter and one for my dialup PPP connection) plus one for localhost?

And webmail may need separate rules, although Firefox add-ons usually use the Firefox rules. You can tell quite a bit by going to active connections and seeing who is listening on what port at what address.

Here’s a screenshot showing what happens when I check mail for one of my AIM accounts. The only thing that changes is the connection from aurora:12306 to localhost:pop3, and from aurora:pop3 to aurora:0. After the check completes, those two connections perish and disappear. This is after I’ve already checked all my accounts when Thunderbird launched; it looks like the re-check reuses established http connections to aol from that initial check when Thunderbird started.

As far as your scenario, port 25 is an smtp port and sends mail, not receives it. When TB sends an email, webmail should intercept it via localhost, do whatever processing is necessary, and send it out on to port 80. And send back the proper responses to TB.

Also, in general, are connections typically two-way? When Thunderbird opens a connection to some port 110, does it both send and receive data – over that one connection? (I’ve been assuming yes, should double-check that …) (I understand send and receiving mail occur over two different ports.)

So: Do you actually use ports 110 and 25 in TB and the real URLs of your POP/SMTP mail servers? Or address webmail as a proxy with proxy ports and localhost addresses?

I think the former, using ports 110 and 25 with the ability to tell it to use different ones (the screenshot below is the Webmail options window). As far as the real URL, in Thunderbird the account type is set specifically to use the Webmail add-on (Webmail adds a new radio button to Thunderbird’s list of possible account types when you’re creating the account, so if you have an account you want to use the Webmail add-on with, you specifically create it as a Webmail-type account in Thunderbird) in which case Webmail itself knows what http URL to use to access the web mail’s site (with no way for an end user to redefine that that I can see).

Connections are two way in the sense that tcp is. If you establish any tcp connection, you can send data in both directions. But generally you can’t send and receive email on the same port without interference, just send or receive and return the appropriate status information. You also show encrypted imap coming in (port 993) - what is that? Often imap can be used without any special addon to get mail from a webmail server - I check the spam folder at my ISP that way to avoid the webmail logon. And each IP has a single instance of the same port, but you can be 0.0.0.0 as well as localhost. So when you get reinstalled:
You can set up CFP3 to training mode, move the slider at firewall behavior settings to high and let CFP3 make the rules for you, and take a look at them.
Although another question: why are you using webmail to pop instead of just imap?

I have one gmail account set up as imap (and several other gmail pop accounts). Could one gmail imap account result in three connections, if it copies messages from inbox to two other folders? That’s my guess.

Often imap can be used without any special addon to get mail from a webmail server - I check the spam folder at my ISP that way to avoid the webmail logon.

Thanks a lot for the tip. It would be great to get back to a common and well-understood model of mail handling.

Connections are two way in the sense that tcp is. And each IP has a single instance of the same port, but you can be 0.0.0.0 as well as localhost.

I appreciate the explanations.

So when you get reinstalled: You can set up CFP3 to training mode, move the slider at firewall behavior settings to high and let CFP3 make the rules for you, and take a look at them. Although another question: why are you using webmail to pop instead of just imap?

You’re suggesting I can access aim.com email accounts by IMAP? For some reason I thought it was web-only, I’ll have to check again. One of my accounts is an old netscape.net account, which turned into an aim.com account, maybe that’s why.

Imap connections are persistent, so you can have more than one connection. Don’t know whether aim.com supports imap, but worth a check - many webmail accounts do, but very quietly. Even gmail. :)

So I take it the answer is that there’s nothing special about internal-internal connections as far as the firewall is concerned … if a firewall rule matches an internal-internal connection then it will be applied, the same as matching rules are applied to internal-external connections? In other words, the firewall has a chance to block or allow internal-internal connections, the same as it does internal-external connections?

Yes, if you set the IP to “any” it includes internal localhost connections. Or you can restrict a rule to internal connections by using localhost. Logging has been reported to be a bit different for localhost connections, though.
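To make the last answer concrete, here is an added model of how a per-application firewall matches a loopback connection against its rules; it is a constructed illustration written for this thread, not Comodo/CFP3 code, and it assumes first-match-wins ordering, a default block, and a documentation address (203.0.113.10) standing in for the remote mail host.

```python
# Added model of how a per-application firewall checks a connection against
# its rule list; a constructed illustration, not Comodo/CFP3 code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Connection:
    app: str        # process that owns the socket
    direction: str  # "out" or "in"
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    app: str                 # application the rule belongs to
    direction: str
    dst_net: Optional[str]   # None means "any" address, loopback included
    dst_port: Optional[int]  # None means any port
    def matches(self, c: Connection) -> bool:
        if self.app != c.app or self.direction != c.direction:
            return False
        if self.dst_port is not None and self.dst_port != c.dst_port:
            return False
        # 127.0.0.1 is matched like any other address: "any" covers it, and a
        # rule written for 127.0.0.0/8 covers only loopback traffic.
        if self.dst_net is not None and ip_address(c.dst_ip) not in ip_network(self.dst_net):
            return False
        return True

def decide(rules: List[Rule], conn: Connection, default: str = "block") -> str:
    # First matching rule wins (assumed ordering); no match falls to the default.
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return default

# Constructed sample: Thunderbird talking POP to the add-on on local port 110,
# and the same port on a remote host (203.0.113.10 is a documentation address).
LOOPBACK_POP = Connection("thunderbird.exe", "out", "127.0.0.1", 110)
REMOTE_POP = Connection("thunderbird.exe", "out", "203.0.113.10", 110)
RULES_ANY = [Rule("allow", "thunderbird.exe", "out", None, 110)]
RULES_LOCAL_ONLY = [Rule("allow", "thunderbird.exe", "out", "127.0.0.0/8", 110)]

def scenario() -> dict:
    return {"any_loopback": decide(RULES_ANY, LOOPBACK_POP),               # allow
            "any_remote": decide(RULES_ANY, REMOTE_POP),                   # allow
            "local_only_loopback": decide(RULES_LOCAL_ONLY, LOOPBACK_POP), # allow
            "local_only_remote": decide(RULES_LOCAL_ONLY, REMOTE_POP)}     # block
```

The "any" rule set lets the same port-110 rule cover both the local add-on connection and a real remote server, while the localhost-only rule set lets the add-on connection through and blocks the remote one.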