What I don't understand about ports!

[zaphox]

Hi,

I've read several wishy washy articles about computer ports, and several which are so technical I don't understand them. I was hoping someone could explain them in simple terms (or point me to a good article!)

This is what I think I know so far:

- Ports are used to communicate between computer hardware and software

- Applications are assigned specific ports to communicate on

- They are virtual links/pipes (what's the right word?!), but they run over physical links

- If you don't use a firewall then all ports are open and can be attacked

This is what I specifically don't understand:

- How are they "set up"? Which part of the computer hardware controls ports?

- Applications are assigned specific ports for security reasons, but how does that stop people just attacking those specified ports? For example everyone knows http uses port 80, so how does that stop people attacking port 80 since it's open?

- What happens is 2 applications try and use the same port?

- When an application is accessed over the Internet and port forwarding is setup, does the application need to know which port the request is coming in on? i.e. I've seen scenarios where source & destination ports are different.


I know that's a lot of questions, but I'd be grateful to know the answer to any of them!

[Funkstar]

I assume you are talking about TCP/IP and UDP ports as you mention firewalls.

- How are they "set up"? Which part of the computer hardware controls ports?
The hardware that deals with these ports is the networking hardware or ethernet port. This is controlled by the networking stack in the OS, which gets requests to communicate on specific ports by the applications you are running.

- Applications are assigned specific ports for security reasons...
Well, not really. They are assigned specific ports for functional reasons, so that one server/piece of software only gets data meant for that particular piece of software. If port 80 is open, that means you have software listening on that port that you know about that will receive and process that data. Sure you can still attack that port and that software, but at least it is controlled in some form or other. The danger lies with open ports you don't know about or actively manage.

- What happens is 2 applications try and use the same port?
When this happens something breaks. An example I know of is Port 9000, this is used by Twonky Media Server and Logitech's Squeezebox Server. When there is a conflict between the two, one will stop responding to requests/data. It will be up to the OS to manage this issue, and I would guess the application that loads first is the one that will take preference. To get round this specific problem (and it is a problem on some systems) Squeezebox Server now checks port 9000 first to see if anything is listening on it and moves itself to Port 9001 if there is. It then repeats this until it finds a clear open port.

- When an application is accessed over the Internet and port forwarding is setup, does the application need to know which port the request is coming in on? i.e. I've seen scenarios where source & destination ports are different.
A piece of software will be listening on a specific port, either hard coded or changable in settings. I'm not entirely sure what you mean by the source and destination ports being different, but I assume that you mean this is being configured inside a router. Basically, the router is handling the translation and any data hitting the external WAN port of the router on port 256 (for example) is them forwarded to Port 128 on a specific IP address for the right software to pick up. This is useful when ISP's block certain ports on their own network. Using Squeezebox Server as an example again, Port 9000 may be blocked by the ISP, so you could use <ISP_assigned_IP>:80 to remote access the web interface and the router will forward that request to <internal_network_ip>:9000 and deliver the results to you.

I hope this helps

(some gross simplifications in there, but I think it answers the questions enough)

[oolon]

I don't think most people know that http runs on port 80, like how most cannot understand how a web server not have the name "www." in it. Some people know 80 is the default for http server however they can be anything they like and using the :<port> part in the url they can specify other address. by doing clever firewalling its possible to have do things running on "port 80" from the outside world point of view, the firewall can change the destination based on source ip address etc.

As my work access only gives me 1 IP address but I wish to ssh to 4 machines and some software assumes the use of port 22, I use my fire wall to bind 4 IP address, depending on which on of those the connection comes in to it gets directed to the correct port. The system is completed by spoofing the DNS to use my IP rather than the public one.

While changing the port does stop a very large number of script kiddies, it is know as security through obsurity, and seen as bad. The problem with your media server is only one program can use any port, the OS does not decided its first come first served. If a program does not get what it wants its logic decides what it does next... error...crash.. try a different one are all alturnatives.

There is NOTHING to stop anyone attacking your port 80. This is why many of us like to have static IP address, with a static IP you know where you will be connecting from and where to connect too. This allows you to restrict things using simple rules on a firewall, ie... only the IP address I know about are allowed. You can do more complex things based on DNS, however these can be subject to spoofing attacks.

Every computer has atleast one ip address, at the moment we use a system called IPV4 so this is a 32 bit number (IPV6 is just like IPV4 but with a 128 bit address), to talk to a remote computer this is not enough as my computer may need to talk to multiple machines. So a "socket or port" number is added. this is a 16 bit number. There are two sides to every conversation, The "listener" which normally uses a known port number as it is running the server, and a client which often grabs a random number.

here you will see I have sshed to the same computer more than once, the destination is the same however the source port is different.

tcp 0 0 flexo.<removed>:41943 ammut.<removed>:ssh ESTABLISHED
tcp 0 0 flexo.<removed>:41949 ammut.<removed>:ssh ESTABLISHED
tcp 0 0 flexo.<removed>:47235 ammut.<removed>:ssh ESTABLISHED

With TCP every client most have a unique source port, with UDP, both sides are really servers just the client tends not to pick the port number to use, So can send a message from that source port to any IP/port combination, however as there is no handshake, messages may or may not arrive, its up to the program to work it out. On the server side it tells connections apart buy giving each ones a unique file handle to access it. These number are limited so you start to see some of the issues.

To get around restrictions of one server program per port, some computers have multiple IP addresses, which works better with "default" settings on computers.

What does my adsl router do? Your internet provider only generally gives you 1 IP address if you want more than one computer to share that address, you need a firewall running something called network address translation, internally your computer has an IP address that is not allowed on the internet, because many other people may use it as well. So your router when it receives a packet from your computer rewrites it with a combination that is valid combination of your the public IP address of network and a port. This however can mean that programs that require connecting from a known source port can get into problems with NAT. As you may also see it explains why connections into your computer have to be specifically setup as the router does not know to which machine a connection to say port 80 should go so by default it is blocked. (this is infact a big issue for ftp which used to by default use something called "active" mode) where the server connected back to the client, to verify the connection.

The fact that your router does restricts incomming connections, is seen by many people as a good thing, as it prevents lots of attacks on ports than might be left open on your computer, like smb (file sharing), rdp (remote desktop) etc.

[zaphox]

Sorry for my tardy response - I do appreciate your lengthy replies and it makes a bit more sense now.

I assume you are talking about TCP/IP and UDP ports as you mention firewalls.

This is another thing that I'd like to know actually! What other types of ports are there? Have programs/applications been using ports of some sort since before the dawn of the TCP/IP suite?

[oolon]

I am just glad you got to read my comment as I improved it alot from the short orginal I put in (so there was a chance you might have missed my improved version).

Your question could mean a few different things.

Do you mean what services are normally run on specific ports Here is a list to get you going.

Did you mean do all TCP protocols use Ports/sockets... yes they do, as its in there nature. However other types of IP packet exist that do not use sockets. (I believe ICMP does not use them). Also some packets are designed to be "broadcast", ie every computer on a network gets them, rather than a specific one. TCP is one of the most common when it comes to applications as its provides a stable link between two computers, most other IP protocols (like UDP) require the application to control the data feed (ie should I send messages faster/slow, did the other end not receive something, if so what should be done about it etc). TCP however becomes an increasingly large drain on resources as the number of connections increase, where as UDP can have one single port, with one signal file descriptor controlling all of it.

Other protocols can also run on Ethernet that are nothing to do with IP, like FCoE (Fibre Channel over Ethernet).

[funkymunky]

All transport layer ports (TCP/UDP) are for is to identify the application that's using the network so that the network stack can pass off the incoming data back to the correct application. TCP and UDP support multiplexing which is the act of combining multiple signals to transport across a medium, when the signal gets to the far end (the target computer) then the computer's network stack needs to know which application (Skype, Chrome, Outlook etc.) it should be passing each chunk of data to. Without ports you wouldn't be able to run multiple network based applications at the same time on a given machine e.g. your web browser and email client.

Basically it comes down to the IP address identifies the machine a packet is destined for and the TCP/UDP port identifies the application that's waiting for it. NAT and PAT can change this assumption slightly but they're hacks to get round things like IPv4 address space exhaustion that have been added long after the original protocols were invented.

Just for the record you're average Ethernet network card knows nothing about IP/TCP/UDP, it speaks Ethernet and thats about it. IP and upwards are managed by the network stack on the host computer (there's a few notable exceptions in higher end cards with offload engines and the like) so port allocation is done in software, not hardware.

If you can get your head round the fundamentals then the rest is easy.

[zaphox]

If you can get your head round the fundamentals then the rest is easy.

That's kind of what I'm trying to do, and I've always struggled with ports.

Thanks, that was a really helpful post. Very clear - you should be an IT tutor!

[funkymunky]

That's kind of what I'm trying to do, and I've always struggled with ports.

Thanks, that was a really helpful post. Very clear - you should be an IT tutor!

Glad you found it useful