Rules for Skype


jaymasood
01-15-2004, 12:49 AM
Can anyone please advise about the rules to be made for using Skype P2P Internet Telephone?

David
01-16-2004, 07:02 AM
Hi jaymasood,

Welcome to the forums. :)

It does not look like any configuration is required. Here is a quote from the author's site:

"Best of all, Skype does not require you to reconfigure your firewall or router—it just works!"

Is Outpost prompting you for a rule? If so, could you please provide more details?

jaymasood
01-16-2004, 05:14 PM
Hi David

Thanks for your response to my query.

Whenever I start Skype, Outpost's window pops up and asks the following:

"Skype Requesting an incoming connection with"

The remote service and remote address keep on changing randomly. Today I noticed the following services/addresses respectively:

Remote Service: UDP:33033
Remote address: 66.98.209.1 (resolving)

Remote Service: UDP:5290
Remote address: d5153701B.kabel.telenet.be

Remote Service: UDP:39854
Remote address: user-12hco3v.cable.mindspring.com

Remote Service: UDP:35489
Remote address: cdm-66-233-121-119.bcst.cox-internet.co

Skype works only when I "Allow all activities".

Skype being a product of the KaZaA founders, I am a bit apprehensive about allowing all activities and would prefer to allow only the minimum required access.

Thanks once again
Jaymasood

David
01-16-2004, 06:47 PM
Hi Jaymasood,

So, these all look like UDP Connections. Why don't you start like this:

1. Delete all rules for Skype.

2. Then start Skype.

3. When prompted to create a rule (should be UDP from what I can see above), create the following rule:
UDP, Remote Port 1024-65535, Allow

Note: You may be prompted many times while trying to create this one rule. If so, just ignore the prompts, create the rule that I specified, and then close any other rule creation prompt by pressing 'Block Once'.

4. Close Skype and reopen it.

With just one rule for UDP on the remote ports that I specified above, you should be able to gain good connectivity. If you continue to have difficulty, let us know.

jaymasood
01-17-2004, 06:29 AM
Hi David

Thanks for the suggestions. I tried as suggested by you and created a rule allowing UDP Remote Ports 1024-65535 (Skype Rule #1).

Thereafter, when I restarted Skype, Outpost asked for an outgoing connection to 33033, remote address 64.246.49.60 (resolving...). It also suggested rules for Browser. I denied it once but it persisted, so I accepted the rules for Browser. This was in addition to Skype Rule #1.

After this Skype started and I logged 'IN' and even tested Skype by having a talk with a "Friend". However, after a few minutes Outpost asked for an incoming connection with TCP:61357, remote address 62.108.97.242 (resolving...). At this juncture the Allow Once/Block Once options were greyed out and I had no choice but to refuse the connection. This blocked all activities for Skype. I tried several times and always got the same result, except that the TCP port and the remote addresses keep on changing. Thus I am back to square one.

Any suggestion how I should proceed further?

I also feel that in order to protect against Trojan attacks the bad UDP ports above 1024, like 1025, 1349, 1505, 1604, 2000, 2140, 2989, 3150, 3456, 3801, 5503, 6112, 6838, 7028, 7983, 8787, 8879, 9325, 10067, 10167, 10498, 18753, 21554, 26274, 27374, 27444, 27573, 31335, 31337, 31338, 31787, 31789, 31790, 31791, 33390, 47262, 49301, 54320, 54321, 57341 etc., should be blocked. Any comments?

Have a good day.
Jaymasood
:confused:

jaymasood
01-17-2004, 07:52 AM
Hi David

It is me again. Subsequent to my above posting I did some more research and found the following at the Skype help/FAQ webpage (http://skype.net/help_faq.html):

...The minimum requirement is that Skype needs unrestricted outgoing TCP access to all destination ports above 1024 or to port 80 (the former is better, however). If you don't allow either of those, Skype will not work reliably at all. Voice quality and some other aspects of Skype functionality will be greatly improved if you also open up outgoing UDP traffic to all ports above 1024, and allow UDP replies to come back in.

In the quest for even better voice quality, it is also advisable to open up incoming TCP and/or UDP to the specific port you see in Skype Options. This port is chosen randomly when you install Skype. In the case of firewalls, this should be easy to arrange. In some routers, however, you cannot configure incoming UDP at all (but you still can configure incoming TCP port forwarding, which you could/should do).

The randomness in port selection is to improve NAT traversal for cases where several users are behind the same NAT; if they all used same ports, many NATs would behave in a way that would reduce Skype voice quality.

My random port is 54389, but when I open only this port the system still doesn't work. Ultimately I opened all incoming/outgoing TCP/UDP ports 1024-65535 as well as incoming/outgoing TCP/UDP port 80. Thereafter the system is connecting OK, though I couldn't get a chance to test the voice function. I still get Outpost messages asking about allowing activities to/from ports below 1024 and have disallowed all of them. But these popup messages are a pain in the neck.

Opening all these ports means allowing almost unrestricted access to my computer, so the nagging doubt remains in my mind. How safe or how vulnerable am I? Though at the above referred webpage Skype have assured that:

With Skype, one can only transmit encoded voice traffic and text messages. There are no worms or viruses that can be spread through this communication since there is no executable code transmitted. One cannot use Skype to share or transmit files and therefore there is no risk of opening up your computer or being infected by viruses.

Unless I find a better solution I think I may have to trust Skype and allow full activity to it.

Looking forward to your views on the subject.

Jaymasood
:confused:

David
01-19-2004, 04:42 PM
Hi jaymasood,

My first comment is with regard to the last quote from the Skype help site, that worms or trojans cannot be transmitted through this application. That may very well be true. You must remember that making Skype a Trusted Application or just opening up a wide port range to Skype ONLY AFFECTS SKYPE. In other words, if a worm does sense and try to take advantage of this open port, it will find the listener 'Skype' unresponsive. So trojan or worm transmission should not be a serious consideration. However, with that said, it is still important that you run a good anti-virus, and also an anti-trojan if you have one. This is just a precaution though.

After reading your comments and Skype FAQ to which you referred, I recommend that you modify your Skype Rules as follows:

When you are finished, these rules should be the only rules in your ruleset for Skype. Please create the rules in the exact order given here.

[Skype HTTP Rule]
Where the protocol is: TCP
Where the direction is: Outbound
Where the REMOTE PORT is: 80
Allow It

[Skype Outgoing TCP Rule]
Where the protocol is: TCP
Where the direction is: Outbound
Where the REMOTE PORT is: 1024-65535
Allow It

[Skype Remote Access UDP Rule]
Where the protocol is: UDP
Where the REMOTE PORT is: 1024-65535
Allow It

[Skype Local Access UDP Rule]
Where the protocol is: UDP
Where the LOCAL PORT is: 1024-65535
Allow It

[Skype Outbound TCP Coverage Rule]
Where the protocol is: TCP
Where the direction is: Outbound
Deny It

Note: This rule will BLOCK all outbound TCP connections except for the connections that you have defined above. This will help avoid unnecessary rule creation popups for outbound TCP connections. So, it is very necessary for you to have the rules in the exact order that I have given here.

[Skype Inbound TCP Coverage Rule]
Where the protocol is: TCP
Where the direction is: Inbound
Deny It

Note: This rule will BLOCK all inbound TCP connections except for the connections that you have defined above. This will help avoid unnecessary rule creation popups for inbound TCP connections. So, it is very necessary for you to have the rules in the exact order that I have given here.

[Skype Inbound UDP Coverage Rule]
Where the protocol is: UDP
Deny It

Note: This rule will BLOCK all UDP connections except for the connections that you have defined above. This will help avoid unnecessary rule creation popups for UDP connections. So, it is very necessary for you to have the rules in the exact order that I have given here.

Note: This is a little different from the way I have generated TCP and UDP Coverage Rules in the past. The main difference is that I have included a separate rule for inbound and outbound TCP traffic coverage. The only reason is that the latest version of Outpost, soon to be released, now requires that TCP rules have a direction. Previously, I just specified one TCP rule without direction. However, with the pending release of the next version of Outpost this is no longer possible, and it is necessary to start instructing users to write separate TCP outbound and inbound Coverage rules for applications that they want to secure from further rule creation popups.

I hope that ruleset works for you. I recommend that you give it a try and report your results.

Have a good day. :)

jaymasood
01-20-2004, 05:54 PM
Hi David

Thanks for your suggestions. I have setup the rules as per your advice. Both the connectivity and voice work wonderfully.

You are doing a great job helping novices like us.

Keep it up.

Jaymasood
:)

A884126
05-25-2004, 02:32 AM
David, you still are the best!

Thanks
Pete

Savannah
01-28-2005, 01:05 PM
Great rules David, I'd just like to make an addendum to the Skype HTTP Rule.

The minimum requirement is that Skype needs unrestricted outgoing TCP access to all destination ports above 1024 or to ports 80 and 443 (the former is better, however).
Reading this, http and https both would need to go into the HTTP rule.

[Skype HTTP Rule]
Where the protocol is: TCP
Where the direction is: Outbound
Where the REMOTE PORT is: 80, 443
Allow It

Regards,
Savannah.

PS - Sorry for bringing up an old thread, but it seemed the logical place to reply to.

gustavo
05-15-2005, 02:13 AM
3. When prompted to create a rule (should be UDP from what I can see above), create the following rule:
UDP, Remote Port 1024-65535, Allow


David, please can you explain to me why we should care about remote ports instead of local ports?
I imagine we should care just that local ports 1024-65535 be used...
Please...

I saw several rules built into Outpost care about remote ports instead of local ports...

gustavo
06-07-2005, 01:18 AM
I mean, shouldn't we protect our low ports? For example, given the order of the rules proposed by David, Skype can go outside from any TCP local port from 0 to 65535!!:

[Skype Outgoing TCP Rule]
Where the protocol is: TCP
Where the direction is: Outbound
Where the REMOTE PORT is: 1024-65535
Allow It

The same with UDP 0 to 65535 !!:

[Skype Remote Access UDP Rule]
Where the protocol is: UDP
Where the REMOTE PORT is: 1024-65535
Allow It

[Skype Local Access UDP Rule]
Where the protocol is: UDP
Where the LOCAL PORT is: 1024-65535
Allow It

Shouldn't we use rules like these in order to be safer:

[Skype Outgoing TCP Rule]
Where the protocol is: TCP
Where the direction is: Outbound
Where the REMOTE PORT is: 1024-65535
Where the LOCAL PORT is: 1024-65535
Allow It

[Skype Remote Access UDP Rule]
Where the protocol is: UDP
Where the REMOTE PORT is: 1024-65535
Where the LOCAL PORT is: 1024-65535
Allow It

[Skype Inbound TCP Coverage Rule]
Where the protocol is: TCP
Where the direction is: Inbound
Deny It

[Skype Inbound UDP Coverage Rule]
Where the protocol is: UDP
Deny It


Just asking I want to learn, sorry :)
Gustavo.-
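To make the "exact order" argument in David's ruleset post concrete, and to compare it with the tightened variant gustavo proposes here, the following added example (not from this thread, and not Agnitum's code) models an Outpost-style per-application ruleset as a first-match list and runs both rulesets over connections of the kind jaymasood reported earlier. The rule and connection field names, and the "PROMPT" result for a connection no rule matches, are this example's own assumptions about how the rule wizard behaves.

```python
# Added example, not from the thread or from Agnitum: a first-match model of an
# Outpost-style per-application ruleset. Assumptions: rules are checked top-down,
# the first match decides, and an unmatched connection triggers the rule wizard
# popup (modelled here as "PROMPT").

def ports(spec):
    """Port spec as written in the rules ('80, 443', '1024-65535') -> list of
    (low, high) ranges; None means the rule does not constrain that side."""
    if spec is None:
        return None
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def rule(name, proto, verdict, direction=None, remote=None, local=None):
    return {"name": name, "proto": proto, "verdict": verdict,
            "direction": direction, "remote": ports(remote), "local": ports(local)}

def conn(proto, direction, local, remote):
    return {"proto": proto, "direction": direction, "local": local, "remote": remote}

def matches(r, c):
    if r["proto"] != c["proto"]:
        return False
    if r["direction"] is not None and r["direction"] != c["direction"]:
        return False
    for side in ("remote", "local"):
        if r[side] is not None and not any(lo <= c[side] <= hi for lo, hi in r[side]):
            return False
    return True

def evaluate(ruleset, c):
    """Return (verdict, rule name) of the first matching rule, or ("PROMPT", None)."""
    for r in ruleset:
        if matches(r, c):
            return r["verdict"], r["name"]
    return "PROMPT", None

# David's ruleset, in the order he gave it (coverage rules last).
DAVID = [
    rule("Skype HTTP Rule", "TCP", "ALLOW", "out", remote="80"),
    rule("Skype Outgoing TCP Rule", "TCP", "ALLOW", "out", remote="1024-65535"),
    rule("Skype Remote Access UDP Rule", "UDP", "ALLOW", remote="1024-65535"),
    rule("Skype Local Access UDP Rule", "UDP", "ALLOW", local="1024-65535"),
    rule("Skype Outbound TCP Coverage Rule", "TCP", "DENY", "out"),
    rule("Skype Inbound TCP Coverage Rule", "TCP", "DENY", "in"),
    rule("Skype Inbound UDP Coverage Rule", "UDP", "DENY"),
]

# gustavo's variant exactly as posted: both ports constrained, no HTTP rule,
# no local-port UDP rule, no outbound TCP coverage rule.
GUSTAVO = [
    rule("Skype Outgoing TCP Rule", "TCP", "ALLOW", "out",
         remote="1024-65535", local="1024-65535"),
    rule("Skype Remote Access UDP Rule", "UDP", "ALLOW",
         remote="1024-65535", local="1024-65535"),
    rule("Skype Inbound TCP Coverage Rule", "TCP", "DENY", "in"),
    rule("Skype Inbound UDP Coverage Rule", "UDP", "DENY"),
]

# Constructed connections; the ports follow the prompts jaymasood reported
# (local 54389 is the random Skype port he mentioned).
SAMPLE = {
    "in_udp_33033": conn("UDP", "in", 54389, 33033),
    "out_tcp_33033": conn("TCP", "out", 1081, 33033),
    "in_tcp_61357": conn("TCP", "in", 54389, 61357),
    "out_tcp_80": conn("TCP", "out", 1090, 80),
    "out_udp_low_local": conn("UDP", "out", 137, 5000),  # gustavo's worry
}

def compare(conns=SAMPLE):
    """Verdict of each ruleset per connection: {label: (david, gustavo)}."""
    return {k: (evaluate(DAVID, c)[0], evaluate(GUSTAVO, c)[0])
            for k, c in conns.items()}

if __name__ == "__main__":
    for label, (d, g) in compare().items():
        print(f"{label:18} David: {d:6} gustavo: {g}")
```

Run as a script it prints the two verdicts side by side: gustavo's variant does close the low local UDP port, but because it dropped the HTTP rule it also brings the popup back for outbound TCP to port 80.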

liquidzyklon
06-07-2005, 02:56 AM
Gustavo, you do have a point in protecting the low ports. But there's one catch about the Windows OS: it tends to only use ports between 1024-5000 (local ports) for outbound connections. Inbound connections depend on which ports Skype (or another program) wishes to listen on.

So overall, most people don't have to really worry about protecting local ports.

gustavo
06-07-2005, 03:04 AM
But would you agree that restricting local and remote ports simultaneously would be safer? Or is there something wrong with it?

gustavo
06-07-2005, 03:06 AM
BTW, have any of you paid attention to the traffic that Skype generates? Even with no connection the flow continues...

A884126
06-07-2005, 07:12 AM
I guess this is normal as it is listening for incoming call or IM.

gustavo
06-07-2005, 07:18 AM
What does the red circle below my username mean?
Gustavo.-

A884126
06-07-2005, 10:46 AM
Don't get it. Can you provide a snapshot?

gustavo
06-08-2005, 01:12 AM
This one....

A884126
06-08-2005, 07:05 AM
You are talking about the circle on OP forum not in Skype?!
This circle tells if you are on line or not.

gustavo
06-08-2005, 07:14 AM
So, red means I am online, what does green and violet stand for?
Gustavo.-

Betlog
06-14-2005, 01:34 AM
Slightly off topic BrainFart:
In the brief period where I was testing out Skype with a friend (who had recommended it), I noticed about a dozen remote endpoints holding open connections to my endpoint/PC.

The amount of data that got transmitted (*even considering the high quality of its full duplex audio) was quite significant. Somewhere in the order of 1Mb/minute IIRC....
Both myself and the friend were a little shocked at not only the sheer quantity of connections it wanted, but also the data it was chewing up for no apparent reason.

I then showed him TeamSpeak and Ventrilo, and we compared data usage and endpoints mapped.... I think he "saw" TeamSpeak as a useful app for the first time (previously I think he just auto-scorned it as an inferior toy for those pesky gamer-types) }:)
BTW: I think (IIRC) that Ventrilo does pseudo-full-duplex a little better than TS does.

boogie
06-14-2005, 02:38 AM
Hello everyone

I am new to OP Firewall and am now in my trial period.
I'm having problems configuring OP to work well with Skype.
Whenever the application starts up, OP asks me to permit an endless number of outbound connections on TCP/UDP ports (partial list includes: 40969, 40175, 2406, 30257, 62521, 60672, 12374, 5203, 18972, 30220, 20797, 443, 32405, 33224, 39940, 23928, 17860, ........) and will not stop until I click allow all.
The problem is that OP keeps these ports open for other applications and does not stealth them.
I checked this for my 0 - 1056 service ports on the "Shields Up" scan on grc.com and it shows ports 80, 443 (HTTPS) open!!! NOT STEALTHED BUT OPEN!!!
Other firewalls I've worked with have no problem allowing Skype to work yet keeping the port stealthed. Only when I remove the rules for Skype can I pass the Shields Up test.
What's up with OP???
What do I need to do to get OP to work with Skype yet keep my ports stealthed???
Thanks

A884126
06-15-2005, 07:56 AM
Boogie,

I am new to OP Firewall and am now in my trial period.

Welcome to the forum. I hope you will enjoy OP as we do.

OP asks me to permit an endless number of outbound connections on TCP/UDP ports (partial list includes: 40969, 40175, 2406, 30257, 62521, 60672, 12374, 5203, 18972, 30220, 20797, 443, 32405, 33224, 39940, 23928, 17860, ........)

If you follow David's rules from post n°7 you should not have any concern. And these windows should not pop up, as these ports are covered by David's rule (port 1024-65535).

I checked this for my 0 - 1056 service ports on the "Shields Up" scan on grc.com and it shows ports 80, 443 (HTTPS) open!!! NOT STEALTHED BUT OPEN!!!

Make sure OP is configured properly. Please follow Paranoid's advice:
http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=9858

Personally I am 100% stealth and I have no concern with Skype or MSN audio function by following the rules above.

Let us know if you made it.

boogie
06-16-2005, 02:22 AM
Perfect :D
Thanks

A884126
06-16-2005, 08:27 AM
Glad you can now enjoy OP and free IP voice communication ;)

Don't hesitate to open a thread if you face any issue.

Betlog
08-18-2005, 11:43 PM
I guess this is normal as it is listening for incoming call or IM.

It's normal, because by using a P2P app you are part of a network of many users constantly relaying small packets for each other.
*You* may not be sending/speaking, but somebody else is, and your PC is being used to relay tiny bits of the data between them. ....standard P2P ... that's what "peer to peer" network means. :]

..Of course, if you have a voice chat session open, it is always on, and therefore always transmitting/receiving as well.
But simply by having Skype or any P2P app running, you are contributing to the data flow.

Betlog
08-19-2005, 12:48 AM
Here's a ruleset I was tinkering with tonight. It's based on the principle that when using Skype you are essentially running a *server*, and that therefore you need to write rules relating to *local* ports, as distinct from most normal rulesets and the way the rulesets posted here so far have been addressed.

Here, let me translate it into a preset.
Notes:
1) the use of LOCAL ports
2) my router does NOT support UDP traversal the way P2P prefers it, so everything I do is relayed, not direct... therefore you may not like how this ruleset works, but I think it will work equally well with a newer router.
3) this is only a preliminary ruleset, but it looks like it works so far, and it's unlikely I'll tinker any further for a while, so I'm posting it as-is.

I just wrote out this preset by looking at my Skype application ruleset; it's TOTALLY untested (as a preset), but it looks correct.
Please post if it's broken or whatever.

;---------------------------------------
; SKYPE

[Skype]
;VisibleState: 0
VisibleState: 1

;loopback, gotta have loopback.
DefaultState: 1
RuleName: <-> UDP EqualPorts Loopback
Protocol: UDP
;LocalHost: 255.255.255.255:0.0.0.0
RemoteHost: 127.0.0.0:255.0.0.0
EqualPorts
AllowIt

;skype default local port
DefaultState: 1
RuleName: <-> UDP L1337 (Skype default)
Protocol: UDP
LocalPort: 1337
AllowIt

;skype 'bypass stuff' sneaky ports
DefaultState: 1
RuleName: <- TCP R80, 443 (HTTP, HTTPS)
Protocol: TCP
Direction: Outbound
RemotePort: 80, 443
AllowIt

;skype apparent preferred ports
DefaultState: 1
RuleName: <- TCP L1081-1091 ()
Protocol: TCP
Direction: Outbound
LocalPort: 1081-1091
AllowIt

;I don't like port ranges this broad, but as SPI does not work with P2P, here it is.
DefaultState: 1
RuleName: <- TCP R1024-65535 ()
Protocol: TCP
Direction: Outbound
RemotePort: 1024-65535
AllowIt

;block other udp
DefaultState: 1
RuleName: ->|<- BLOCK other UDP
Protocol: UDP
BlockIt

;block other inbound
DefaultState: 1
RuleName: ->| BLOCK other TCP in
Protocol: TCP
Direction: Inbound
BlockIt

;but don't block you out, unless you turn it on
DefaultState: 0
RuleName: |<- BLOCK other TCP out
Protocol: TCP
Direction: Outbound
BlockIt

;------------------
;MAKE SURE there is a BLANK LINE at the END of preset.lst
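As an added example (not Betlog's ruleset and not Agnitum's code), here is a small parser and linter for preset blocks in the format posted above. It assumes only what is visible in that post: a [Section] header, ";" comments, "Key: Value" lines, bare flag lines such as EqualPorts/AllowIt/BlockIt, and a blank line closing each rule (which is what the "blank line at the end" note is about); the field names in its sample input are copied from the post, the rest of the sample is constructed.

```python
# Added example, not Betlog's or Agnitum's code: parse and lint preset blocks in
# the format shown above. Only what is visible in the post is assumed: "[Section]"
# headers, ";" comments, "Key: Value" lines, bare flag lines (EqualPorts, AllowIt,
# BlockIt) and a blank line closing each rule, which is why the file must end
# with one.

# Abridged excerpt of the preset posted above (constructed test input).
SAMPLE_PRESET = """\
[Skype]
VisibleState: 1

;loopback, gotta have loopback.
DefaultState: 1
RuleName: <-> UDP EqualPorts Loopback
Protocol: UDP
RemoteHost: 127.0.0.0:255.0.0.0
EqualPorts
AllowIt

;but don't block you out, unless you turn it on
DefaultState: 0
RuleName: |<- BLOCK other TCP out
Protocol: TCP
Direction: Outbound
BlockIt

"""

def parse_preset(text):
    """-> {section: {"settings": {...}, "rules": [...]}}. A rule is a dict of
    Key -> Value plus a "flags" set; a block without RuleName holds section
    settings (VisibleState in the post)."""
    sections, section, block = {}, None, {}

    def close_block():
        if block and section is not None:
            if "RuleName" in block:
                sections[section]["rules"].append(dict(block))
            else:
                sections[section]["settings"].update(
                    (k, v) for k, v in block.items() if k != "flags")

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            continue                      # comment
        if not line:                      # blank line ends the current rule
            close_block()
            block = {}
        elif line.startswith("[") and line.endswith("]"):
            close_block()
            block, section = {}, line[1:-1]
            sections[section] = {"settings": {}, "rules": []}
        elif ":" in line:
            key, _, value = line.partition(":")
            block[key.strip()] = value.strip()
        else:
            block.setdefault("flags", set()).add(line)
    close_block()                         # tolerate a missing final blank line
    return sections

def lint_preset(text):
    """Problems worth catching before importing a hand-written preset."""
    problems = []
    if not text.endswith("\n\n"):
        problems.append("preset must end with a blank line")
    for name, sec in parse_preset(text).items():
        for r in sec["rules"]:
            tag = f"[{name}] {r['RuleName']}"
            if len(r.get("flags", set()) & {"AllowIt", "BlockIt"}) != 1:
                problems.append(f"{tag}: needs exactly one of AllowIt/BlockIt")
            if r.get("DefaultState") not in ("0", "1"):
                problems.append(f"{tag}: DefaultState must be 0 or 1")
            if "Protocol" not in r:
                problems.append(f"{tag}: missing Protocol")
    return problems
```

`lint_preset(open("preset.lst").read())` returns an empty list for a clean file; a rule missing its AllowIt/BlockIt line or a file without the closing blank line is reported by name.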

PHJensen
04-12-2006, 03:15 AM
Hi there all,

I have an annoying problem. Every time I open Skype I have to accept at least 10 pop-ups asking for permission to let Skype through.

Is there a way to allow Skype permanently?

--
Palle Jensen

sa73917
06-07-2006, 02:42 PM
Check this thread - answered my question :)

http://outpostfirewall.com/forum/showthread.php?t=9211

hayc59
06-07-2006, 04:03 PM
PHJensen, Hello
Merged your thread here

MTDay
06-08-2006, 09:57 AM
The "funny connections" are relaying through "incoming allowed" systems for people who have restrictive firewalls.

Reminds me why I'd rather not have Skype, and why, if I do put it on to talk to anyone, I'm locking my firewall and router down tight - and advising them to switch to something that's SIP standard, or at least doesn't leech other people's bandwidth.

nippauls
06-10-2006, 06:19 AM
Fascinating reading....

It's interesting to note that Skype ALWAYS opens BEFORE Outpost :)

Skype can bypass firewalls, and does.

As a result, any clever rules the user creates are a waste of time...

I found 2 rules worked just great,

TCP OUTBOUND ALLOW
UDP ALLOW

but even these aren't really necessary. Blocking rules don't appear to block anything. However, Skype seems to be very safe to use and has never been the cause of problems for me, and I run it 24/7.

nippauls

creamofthecrop
07-10-2006, 11:19 PM
Fascinating reading....

It's interesting to note that Skype ALWAYS opens BEFORE Outpost :)

Skype can bypass firewalls, and does.

Well, I suggest not to let skype start automatically with Windows, then. :confused:

nippauls
07-11-2006, 02:12 AM
You can try, but you will notice that it still makes a connection :)

Skype is powerful P2P, and firewalls aren't too much of a problem for it.... but don't panic, it's safe :)

When I actually use OP, I just let skype start ahead of OP, and I've never had a problem.

nippauls

FirePost
07-11-2006, 03:27 AM
When an icon appears says absolutely nothing about when a service is started. The Outpost firewall is a system level service and is loaded before any "automatic" loaders.
If Skype had little trouble with firewalls, or "Skype can bypass firewalls, and does", there would be no need for a FAQ explaining how they wish one to set up a firewall. The Windows firewall allows applications to manipulate it through an API; other firewalls do not.
Skype and Firewalls (http://www.skype.com/help/guides/firewall.html)

nippauls
07-11-2006, 04:47 AM
OP can stop Skype functioning properly by the creation of rules, but as a test I put a PC between the PC with Skype and Outpost and the router and monitored startup, with Skype completely blocked by OP.... and Skype successfully sends packets to the internet BEFORE OP has initialized... but it also does the same for Norton, XP firewall, and Zone Alarm. I never examined the packets so I don't know what they contained, but they do occur with all firewalls that I have tested. Maybe with the new OP4 this outbound traffic will cease... and maybe as a result it will be necessary to configure slightly different rules for Skype.
However, this behaviour by Skype has never brought any viruses, spyware or malware into my pc.
This test was carried out about a year ago with OP 2.7. I have never repeated the test with more recent versions of OP, but observations made at times when I have OP in my pc suggest it continues.
nippauls.

Betlog
08-09-2006, 11:32 PM
...any updates / more detailed packet analysis on this topic?....
Are you sure those packets came from Skype?
Has FirePost gone silent because they have made their final statement, or because they are checking this claim with Agnitum/testing?

BTW: skype 'bypasses' firewalls simply (afaict) by using ports 80 & 445 (nobody blocks a web browser), and by behaving in a less server-like manner, whereby it has to request connections as opposed to its usual server-like behaviour where it offers open ports. (not that I really know, but more iirc.)

nippauls
09-14-2006, 06:03 PM
Greetings all,
I have replied to a number of threads regarding problems with the preset Skype rules... and having used OP for the last few days, for the first time in a long time, I notice that the preset ruleset is not adequate for the requirements of Skype.
If the preset rules are used in "block most" mode then Skype manifests many problems, which include lack of sound quality, lack of video quality, slow file transfers, etc. etc.
If the preset rules are used in "rules wizard" mode, then Skype continually demands new rules, to the point where during the experiment I had no less than 39 rules-wizard-created rules, and growing, for an application that was supposed to have a good preset ruleset :mad:
I repeat what I have posted in many threads: if you want Skype, MSN Messenger or Yahoo Messenger to work adequately, then the same ruleset applies for each:

TCP OUTBOUND ALLOW

UDP ALLOW

The reason is that the three above-mentioned communications applications have started "moving the goal posts" as far as their requirements are concerned. MSN started it, presumably to discourage use of a firewall other than one provided by Microsoft, and the others seem to have followed the pattern. I don't know the exact reason, I can only guess... but that is what has happened.

I know Agnitum have other things to worry about at the moment, but maybe they will read this at some stage and fix their inadequate preset rules for Skype.

In the meantime, anybody having problems with Skype, please try the above rules and if necessary allow IGMP (try and make a system rule to restrict IGMP to just Skype).

nippauls

FirePost
09-14-2006, 06:31 PM
Moved the above to this existing thread.

nippauls
09-14-2006, 06:53 PM
Thanks FirePost :)