port 80

Hello everyone,

I would like to ask about the firewall’s rules. Recently I installed IIS to create a web server to run some tests. When I use localhost my site loads, but when I use the IP it doesn’t if my firewall is running. I checked the logs and found that the firewall blocks IP packets on port 80 (generally it blocks IP packets by default). What kind of rule should I create in order to have protection and port 80 open for my web server at the same time?

Thanks in advance

Hi Loukisgr, welcome to the forums.

This is because CFP thinks the inbound connection attempts on port 80 are unsolicited (which they are). You need to create a rule in CFP’s Network Monitor that allows inbound connections on port 80. This rule must be above CFP’s final block & log rule (the rule which is probably causing the current blocks). So, something like this…

Allow - TCP/UDP - In - Destination Port = 80 (everything else Any).

You might also need to consider other HTTP ports, such as 8080 (Proxy/Override HTTP Port) & 443 (HTTPS)… depends on your IIS set-up really.

Security? Well, once you poke a hole in the firewall (which the above does), then the security is down to IIS, not CFP. The new CFP 3 (currently in beta testing) has some new features that will strengthen the security of IIS, but you still need to keep IIS up-to-date (latest security fixes, etc…).

PS If the IIS web server has its own IP address that differs from your normal IP, then you can restrict the rule further by specifying the Destination IP in the rule.

I already tried the allow tcp inbound/outbound (any ip) in port 80 but nothing happened… Anything else I can do?

Post a screen shot of your Network Monitor screen maximized with the port 80 rule selected & post any relevant Log entries (see below).

CFP’s Log can be exported to an HTML file by right-clicking on the Log (Activity tab) & selecting Export to HTML. This will export the entire Log to an HTML file. Open the HTML file with your default browser (the one you’re using now) and use a simple click-drag-select Copy ‘n’ Paste to post quoted example Log entries here. Like this (from an old Log of mine)…

Date/Time :2006-08-13 20:33:09
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.35.235.233, Port = MS-ds(445))
Protocol: TCP Incoming
Source: 213.205.240.249:3713
Remote: 10.35.235.233:MS-ds(445)
TCP Flags: SYN
Reason: Network Control Rule ID = 3

I don’t think that this helps, except for the fact that you know Greek (:LGH). Anyway, this is it

Ημερομηνία/'Ωρα :2007-10-24 17:45:44
Σοβαρότητα :Μέτρια
Ανταποκριτής :Επόπτης Δικτύου
Περιγραφή:Παραβίαση Κανόνα Εισερχόμενων (Φραγή Πρόσβασης, IP = 85.73.80.51, Πύλη = http(80))
Πρωτόκολλο: TCP Εισερχόμενο
Αφετηρία: 85.73.80.51:1494
Προορισμός: 192.168.1.2:http(80)
TCP Flags(ενδείξεις):SYN
Αιτία: ID Κανόνα Ελέγχου Δικτύου =7

Let me translate:
Severity: medium
Reporter: Network monitor
Description: Inbound validation (Access denied, IP… port…)
Protocol: TCP incoming
Source: 85.73.80.51
Destination: 192.168.1.2
TCP flags: SYN
Reason: network control rule = 7

And now the new rule I created:
Allow TCP in or out from any IP to any IP where incoming port is 80 and outgoing is 80

Thanks in advance!!

Thanks for the translation, but believe it or not I understood from this…

Αιτία: ID Κανόνα Ελέγχου Δικτύου =7

Network Monitor rule number 7 blocked the packet. Rule 7 is probably CFP’s final block & log rule (stops unsolicited connections). The rule you have created in the Network Monitor is not working.

On a previous post you said… “allow tcp inbound/outbound (any ip) in port 80”. This is tricky, since an IN and OUT rule (bidirectional) reverses the logic of the Destination Port… for IN it is your port 80, but for OUT it is their port 80. It is very unlikely that both Source & Destination Ports will be 80 at the same time.

You need to look at your port 80 rule again with this in mind… or post a screen shot of the rule (see above post)… not sure if I can guess that one, however. I might need your translation on it. :slight_smile:

Ty… it works now!!! I don’t have to translate but I think you know what it means :wink:
I changed the rule and made it: allow TCP inbound/outbound from any IP to any IP where incoming port is any and outgoing is 80. Ty again…

I’m not sure about your rule based on what you posted. So, just to confirm, I think it should look something like this…

Allow TCP - In - Source IP: Any - Destination IP: Any - Source Port: Any - Destination Port: 80

You don’t need an Out rule in the Network Monitor, since the Application Monitor will handle all outbound traffic against the IIS components. You might also need to make it TCP/UDP, rather than just TCP, depending on your web site’s requirements.
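
Added example (not part of the original thread and not Comodo's code): a small first-match rule evaluator in Python that replays the blocked SYN from the log above against the first rule attempt and against the rule confirmed at the end of the thread. The rule model, the rule ID 6 for the port 80 rule and the placement of the final block rule as ID 7 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a protocol or port field

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str          # "allow" or "block"
    directions: tuple    # ("in",), ("out",) or ("in", "out")
    proto: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        # Every field must match; a wildcard field matches anything.
        return (p.direction in self.directions
                and self.proto in (ANY, p.proto)
                and self.src_port in (ANY, p.src_port)
                and self.dst_port in (ANY, p.dst_port))

def decide(rules, packet):
    """Return (action, rule_id) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.rule_id
    return "block", None  # nothing matched: deny by default

# Final block & log rule; ID 7 chosen to mirror the log entry in the thread.
FINAL_BLOCK = Rule(7, "block", ("in", "out"), ANY, ANY, ANY)
# First attempt from the thread: In/Out with both ports set to 80.
BROKEN = [Rule(6, "allow", ("in", "out"), "TCP", 80, 80), FINAL_BLOCK]
# Rule confirmed at the end of the thread: In, source port Any, destination 80.
FIXED = [Rule(6, "allow", ("in",), "TCP", ANY, 80), FINAL_BLOCK]

# The blocked SYN from the log: 85.73.80.51:1494 -> 192.168.1.2:80, TCP incoming.
LOGGED_SYN = Packet("in", "TCP", 1494, 80)

if __name__ == "__main__":
    print("first attempt:", decide(BROKEN, LOGGED_SYN))
    print("final rule:   ", decide(FIXED, LOGGED_SYN))
```

The client's source port (1494) is an ephemeral port, so a rule that also pins the source port to 80 never matches and the packet falls through to the final block rule.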