Post #110,321
7/18/03 10:38:21 AM
|
Would most corporate firewalls block port 8080?
In short, I'm trying to ascertain just how usual it is for your average company to block port 8080. (Sure enough, the company I work for does this.)
Which means I'm also trying to ascertain just how brain-dead it is for a software company I deal with to have their entire on-line support site accessible only on, you guessed it, port 8080.
A quick Googling revealed plenty of 'corporate networks often block 8080, so...' kind of talk. Was just wondering if that feeling is echoed by the IGM - a much more reliable source.
BTW Rigging up some kind of groovy proxy thing from home to get around this limitation would probably be as cool as it would be ... career-limiting. :(
John. Busy lad.
|
Post #110,330
7/18/03 10:51:52 AM
|
8080 is the Web-Caching (Proxy) port
Some see it as a "work around" for anonymity.
Therefore, it is BAD..........
[link|mailto:greg@gregfolkert.net|greg] - IT Grand-Master for Anti-President | [link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!] |
THEY ARE WATCHING YOU. The time has come for you to take the last step. You must love THEM. It is not enough to obey THEM. You must love THEM. PEACE BEGETS WAR, SLAVERY IS FREEDOM, STRENGTH IN IGNORANCE.
|
Post #110,335
7/18/03 11:08:45 AM
|
Cool. So blocking it would be a thing most companies do.
So putting your whole support website on 8080, when you're a company that writes software for use by other companies...
... could well be seen as a spectacularly dumbass thing to do. (That's a technical term, I think).
/me wonders if he'll be allowed to stay home from work on the pretence he's 'viewing the software's support site' :)
John. Busy lad.
|
Post #110,337
7/18/03 11:27:22 AM
|
Use a wacko port
Make one up > 1024.
-drl
|
Post #110,555
7/20/03 12:02:14 PM
|
No.
Quoting from [link|http://www.iana.org/assignments/port-numbers|The IANA port numbers list]:
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151
The Dynamic and/or Private Ports are those from 49152 through 65535
So, best practice would be to select a port with a number >49151.
Peter [link|http://www.debian.org|Shill For Hire] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Blog]
|
Post #110,559
7/20/03 12:31:11 PM
|
OK that works
-drl
|
Post #110,464
7/19/03 8:29:13 AM
|
I wouldn't have thought so.
But there's a difference between outbound access and proxied access. If they required a login to an HTTP proxy (like back at Colonial), then there's really no reason why the proxy wouldn't be allowed to talk to port 8080 for you. Except for misguided configuration. This is the usual cause, AFAIK, of workplace connectivity problems.
I'd tell your manager about it and see if you can get his help in rattling whoever set the proxy up to fix it. At the very least you should find out if it was intentional (perhaps even why) or accidental.
Wade.
Is it enough to love Is it enough to breathe Somebody rip my heart out And leave me here to bleed
Is it enough to die Somebody save my life I'd rather be Anything but Ordinary Please
-- "Anything but Ordinary" by Avril Lavigne.
|
Post #110,635
7/21/03 12:38:15 AM
|
The official response was (more or less)...
"Hmm. Router change. Not gonna happen."
So no port 8080 for us. I'll email the company we're trying to get to, but don't anticipate a lot of change.
On the plus side: the fact nobody I know has ever used this company's support site indicates we wouldn't get anything useful out of it anyway :)
John. Busy lad.
|
Post #110,640
7/21/03 12:52:15 AM
|
Re: The official response was (more or less)...
The sign of a secure installation would have been "You want us to open up port 25OR624 for a web service. OK, we'll get back to you when it's done. Note: we are rather picky about security - keep us informed. We'll be watching."
-drl
|
Post #110,643
7/21/03 1:10:26 AM
|
I could pursue it through official channels,
but since it looks like it's not something we Really Must Have, I'll just grizzle at the software vendor and be done with it.
John. Busy lad.
|
Post #110,645
7/21/03 1:15:32 AM
|
It's a right wally-woo world, mate
-drl
|
Post #110,661
7/21/03 6:31:24 AM
|
"Ours is not to reason why..."
The odds of that response being code for "It's too hard to fix" are quite good. :-)
Wade.
|
Post #110,663
7/21/03 7:42:37 AM
|
Either that, or too much paperwork :)
John. Busy lad.
|
Post #110,795
7/21/03 10:59:05 PM
|
I imagine that would qualify as "too hard". :-)
|
Post #110,540
7/20/03 4:36:56 AM
|
FWFW
Firewall fuckwittedness....
Check /usr/share/nmap/nmap-services for common ports. You'll find web services on 80, sometimes 81 or 88, 8000, 8080, and occasionally 8001-8009, and 8081-8089, or just plain random values. Discovered most of these when running Junkbuster proxy and explicitly including ports.
I'd file a request against both the vendor (yes, they should run :80) and your security staff (if nothing else, they could admit the one 8080 port).
From the above file, some HTT[PS] related services:

http              80/tcp     # World Wide Web HTTP
http              80/udp     # World Wide Web HTTP
http-mgmt         280/tcp    #
http-mgmt         280/udp    #
https             443/tcp    # secure http (SSL)
https             443/udp    #
gss-http          488/tcp    #
gss-http          488/udp    #
http-alt          591/tcp    # FileMaker, Inc. - HTTP Alternate
http-alt          591/udp    # FileMaker, Inc. - HTTP Alternate
http-rpc-epmap    593/tcp    # HTTP RPC Ep Map
http-rpc-epmap    593/udp    # HTTP RPC Ep Map
squid-http        3128/tcp   #
proxy-plus        4480/tcp   # Proxy+ HTTP proxy port
connect-proxy     5490/tcp   # Many HTTP CONNECT proxies
vnc-http          5800/tcp   # Virtual Network Computer HTTP Access, display 0
vnc-http-1        5801/tcp   # Virtual Network Computer HTTP Access, display 1
vnc-http-2        5802/tcp   # Virtual Network Computer HTTP Access, display 2
vnc-http-3        5803/tcp   # Virtual Network Computer HTTP Access, display 3
analogx           6588/tcp   # AnalogX HTTP proxy port
http-alt          8000/tcp   # A common alternative http port
http-proxy        8080/tcp   # Common HTTP proxy/second web server port
https-alt         8443/tcp   # Common alternative https port
sun-answerbook    8888/tcp   # Sun Answerbook HTTP server
snet-sensor-mgmt  10000/tcp  # SecureNet Pro Sensor https management server

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.
Keep software free. Oppose the CBDTPA. Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]
|
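Added example, not part of any post in the thread: a small Python parser for the nmap-services layout quoted above that pulls out the HTTP-related TCP entries and labels each with the IANA range from the port-numbers quote earlier in the thread, which is a quick way to review what an egress rule set would need to admit. The sample lines are copied from the listing in the thread; the function names are illustrative assumptions.

```python
import re

# Constructed sample in the nmap-services layout quoted in the thread
# (name, port/proto, "# comment"); the entries are taken from that listing.
SAMPLE = """\
http            80/tcp     # World Wide Web HTTP
http            80/udp     # World Wide Web HTTP
https           443/tcp    # secure http (SSL)
squid-http      3128/tcp   #
http-alt        8000/tcp   # A common alternative http port
http-proxy      8080/tcp   # Common HTTP proxy/second web server port
https-alt       8443/tcp   # Common alternative https port
sun-answerbook  8888/tcp   # Sun Answerbook HTTP server
"""

# Any extra columns between port/proto and '#' are skipped.
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>\w+)\b[^#]*(?:#\s*(?P<comment>.*))?$"
)


def iana_range(port):
    """Return the IANA range name for a port, per the ranges quoted in the thread."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_services(text):
    """Yield (name, port, proto, comment) for each well-formed services line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            yield m["name"], int(m["port"]), m["proto"], (m["comment"] or "").strip()


def http_tcp_ports(text):
    """Return sorted (port, name, range) for TCP entries that mention HTTP."""
    hits = set()
    for name, port, proto, comment in parse_services(text):
        if proto == "tcp" and "http" in f"{name} {comment}".lower():
            hits.add((port, name, iana_range(port)))
    return sorted(hits)


if __name__ == "__main__":
    for port, name, rng in http_tcp_ports(SAMPLE):
        print(f"{port:>5}/tcp  {name:<15} {rng}")
```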