Thread: Rules for Skype

  1. #1
    Join Date
    Jan 2004
    Posts
    5

    Question Rules for Skype

    Can anyone please advise about the rules to be made for using
    Skype P2P Internet Telephone?

  2. #2
    Join Date
    Mar 2002
    Location
    Fort Worth, TX USA
    Posts
    5,258
    Hi jaymasood,

    Welcome to the forums.

    It does not look like any configuration is required. Here is a quote from the author's site:

    "Best of all, Skype does not require you to reconfigure your firewall or router—it just works!"

    Is Outpost prompting you for a rule? If so, could you please provide more details?
    Kind Regards,

    David

  3. #3
    Join Date
    Jan 2004
    Posts
    5
    Hi David

    Thanks for your response to my query.

    Whenever I start Skype, the Outpost's window pops up and asks the following:

    "Skype Requesting an incoming connection with"

    The remote service and remote address keep on changing randomly. Today I noticed the following services/addresses respectively:

    Remote Service: UDP:33033
    Remote address: 66.98.209.1 (resolving)

    Remote Service: UDP:5290
    Remote address: d5153701B.kabel.telenet.be

    Remote Service: UDP:39854
    Remote address: user-12hco3v.cable.mindspring.com

    Remote Service: UDP:35489
    Remote address: cdm-66-233-121-119.bcst.cox-internet.co

    Skype works only when I "Allow all activities"

    Skype being a product of the KaZaA founders I am a bit apprehensive about allowing all activities and would prefer to allow only minimum required access.

    Thanks once again
    Jaymasood

  4. #4
    Join Date
    Mar 2002
    Location
    Fort Worth, TX USA
    Posts
    5,258
    Hi Jaymasood,

    So, these all look like UDP Connections. Why don't you start like this:

    1. Delete all rules for Skype.

    2. Then start Skype.

    3. When prompted to create a rule (should be UDP from what I can see above), create the following rule:
    UDP, Remote Port 1024-65535, Allow

    Note: You may be prompted many times while trying to create this one rule. If so, just ignore the prompts, create the rule that I specified, and then close any other rule creation prompt by pressing 'Block Once'.

    4. Close Skype and reopen it.

    With just one rule for UDP on the remote ports that I specified above, you should be able to gain good connectivity. If you continue to have difficulty, let us know.
    Kind Regards,

    David

  5. #5
    Join Date
    Jan 2004
    Posts
    5
    Hi David

    Thanks for suggestions, I tried as suggested by you and created a rule allowing UDP Remote Ports 1024-65535. (Skype Rule #1)

    Thereafter when I restarted Skype, Outpost asked for outgoing connection to 33033, Remote address 64.246.49.60 (resolving...). It also suggested rules for Browser. I denied it once but it persisted so I accepted rules for Browser. This was in addition to (Skype Rule #1)

    After this Skype started and I logged ‘IN’ and even tested Skype by having a talk with a “Friend”. However, after a few minutes Outpost asked for incoming connection with TCP:61357 Remote address - 62.108.97.242 (resolving...). At this juncture the Allow Once/Block Once options were greyed out and I had no choice but to refuse the connection. This blocked all activities for Skype. I tried several times and always got the same result, except that the TCP port and the remote addresses keep on changing. Thus I am back to square one.

    Any suggestion how I should proceed further?

    I also feel that in order to protect against Trojan attack the bad UDP Ports above 1024 like 1025, 1349, 1505, 1604, 2000, 2140, 2989, 3150, 3456, 3801, 5503, 6112, 6838, 7028, 7983, 8787, 8879, 9325, 10067, 10167, 10498, 18753, 21554, 26274, 27374, 27444, 27573, 31335, 31337, 31338, 31787, 31789, 31790, 31791, 33390, 47262, 49301, 54320, 54321, 57341 etc. should be blocked. Any comments?

    Have a good day.
    Jaymasood

  6. #6
    Join Date
    Jan 2004
    Posts
    5
    Hi David

    It is me again. Subsequent to my above posting I did some more research and found following at Skype help/FAQ webpage (http://skype.net/help_faq.html)

    …..The Minimum requirement is that Skype needs unrestricted outgoing TCP access to all destination ports above 1024 or to port 80 (the former is better, however). If you don't allow either of those, Skype will not work reliably at all. Voice quality and some other aspects of Skype functionality will be greatly improved if you also open up outgoing UDP traffic to all ports above 1024, and allow UDP replies to come back in.

    In the quest for even better voice quality, it is also advisable to open up incoming TCP and/or UDP to the specific port you see in Skype Options. This port is chosen randomly when you install Skype. In the case of firewalls, this should be easy to arrange. In some routers, however, you cannot configure incoming UDP at all (but you still can configure incoming TCP port forwarding, which you could/should do).

    The randomness in port selection is to improve NAT traversal for cases where several users are behind the same NAT; if they all used same ports, many NATs would behave in a way that would reduce Skype voice quality.


    My random port is 54389 but when I open only this port the system still doesn’t work. Ultimately I opened all incoming/outgoing TCP/UDP ports 1024-65535 as well as incoming/outgoing TCP/UDP port 80. Thereafter the system is connecting OK though I couldn’t get a chance to test the voice function. I still get Outpost messages asking about allowing activities to/from Ports below 1024 and have disallowed all of them. But these popup messages are a pain in the neck.

    Opening of all these ports means allowing almost unrestricted access to my computer, so the nagging doubt remains in my mind. How safe or how vulnerable am I? Though at the above referred webpage Skype have assured that;

    With Skype, one can only transmit encoded voice traffic and text messages. There are no worms or viruses that can be spread through this communication since there is no executable code transmitted. One cannot use Skype to share or transmit files and therefore there is no risk of opening up your computer or being infected by viruses.

    Unless I find a better solution I think I may have to trust Skype and allow full activity to it.

    Looking forward to your views on the subject.

    Jaymasood

  7. #7
    Join Date
    Mar 2002
    Location
    Fort Worth, TX USA
    Posts
    5,258
    Hi jaymasood,

    My first comment is with regards to the last quote from the Skype help site that worms or trojans cannot be transmitted through this application. That may very well be true. You must remember that making Skype a Trusted Application or just opening up a wide port range to Skype, ONLY AFFECTS SKYPE. In other words, if a worm does sense and try to take advantage of this open port, it will find the listener 'Skype' unresponsive. So trojan or worm transmission should not be a serious consideration. However, with that said, it is still important that you run a good anti-virus and also an anti-trojan if you have one. This is just a precaution though.

    After reading your comments and Skype FAQ to which you referred, I recommend that you modify your Skype Rules as follows:

    When you are finished, these rules should be the only rules in your ruleset for Skype. Please create the rules in the exact order given here.

    [Skype HTTP Rule]
    Where the protocol is: TCP
    Where the direction is: Outbound
    Where the REMOTE PORT is: 80
    Allow It

    [Skype Outgoing TCP Rule]
    Where the protocol is: TCP
    Where the direction is: Outbound
    Where the REMOTE PORT is: 1024-65535
    Allow It

    [Skype Remote Access UDP Rule]
    Where the protocol is: UDP
    Where the REMOTE PORT is: 1024-65535
    Allow It

    [Skype Local Access UDP Rule]
    Where the protocol is: UDP
    Where the LOCAL PORT is: 1024-65535
    Allow It

    [Skype Outbound TCP Coverage Rule]
    Where the protocol is: TCP
    Where the direction is: Outbound
    Deny It

    Note: This rule will BLOCK all outbound TCP connections except for the connections that you have defined above. This will help avoid unnecessary rules creation popups for outbound TCP connections. So, it is very necessary for you to have the rules in the exact order that I have given here.

    [Skype Inbound TCP Coverage Rule]
    Where the protocol is: TCP
    Where the direction is: Inbound
    Deny It

    Note: This rule will BLOCK all inbound TCP connections except for the connections that you have defined above. This will help avoid unnecessary rules creation popups for inbound TCP connections. So, it is very necessary for you to have the rules in the exact order that I have given here.

    [Skype Inbound UDP Coverage Rule]
    Where the protocol is: UDP
    Deny It

    Note: This rule will BLOCK all UDP connections except for the connections that you have defined above. This will help avoid unnecessary rules creation popups for UDP connections. So, it is very necessary for you to have the rules in the exact order that I have given here.

    Note: This is a little different than the way I have generated TCP and UDP Coverage Rules in the past. The main difference is that I have included a separate rule for inbound and outbound TCP traffic coverage. The only reason is because the latest version of Outpost, soon to be released, now requires that TCP rules have direction. Previously, I just specified one TCP rule without direction. However with the pending release of the next version of Outpost this is no longer possible and it is necessary to start instructing users to write separate TCP outbound and inbound Coverage rules for applications that they want to secure from further rules creation popups.

    I hope that ruleset works for you. I recommend that you give it a try and report your results.

    Have a good day.
    Kind Regards,

    David

  8. #8
    Join Date
    Jan 2004
    Posts
    5

    Thumbs up

    Hi David

    Thanks for your suggestions. I have setup the rules as per your advice. Both the connectivity and voice work wonderfully.

    You are doing a great job helping novices like us.

    Keep it up.

    Jaymasood

  9. #9
    Join Date
    Apr 2004
    Posts
    620

    Re: Rules for Skype

    David, you still are the best!

    Thanks
    Pete

  10. #10
    Join Date
    Oct 2004
    Posts
    1

    Re: Rules for Skype

    Great rules David, I'd just like to make an addendum to the Skype HTTP Rule.
    Quote Originally Posted by http://www.skype.com/help/faq/technical.html
    The minimum requirement is that Skype needs unrestricted outgoing TCP access to all destination ports above 1024 or to ports 80 and 443 (the former is better, however).
    Reading this, http and https both would need to go into the HTTP rule.

    [Skype HTTP Rule]
    Where the protocol is: TCP
    Where the direction is: Outbound
    Where the REMOTE PORT is: 80, 443
    Allow It

    Regards,
    Savannah.

    PS - Sorry for bringing up an old thread, but it seemed the logical place to reply to.

  11. #11
    Join Date
    Oct 2002
    Location
    Montevideo-Uruguay
    Posts
    179

    Re: Rules for Skype

    Quote Originally Posted by David
    3. When prompted to create a rule (should be UDP from what I can see above), create the following rule:
    UDP, Remote Port 1024-65535, Allow
    David, please can you explain to me why we should care about Remote Ports instead of Local ports?
    I imagine we should care just Local Ports 1024-65535 be used...
    Please...

    I saw several rules built into Outpost care about remote ports instead of local ports...
    Last edited by gustavo; 05-15-2005 at 02:20.

  12. #12
    Join Date
    Oct 2002
    Location
    Montevideo-Uruguay
    Posts
    179

    Re: Rules for Skype

    I mean, shouldn't we protect our low ports? For example, given the order of the rules proposed by David, Skype can go outside from any TCP local port from 0 to 65535 !!:
    Quote Originally Posted by David
    [Skype Outgoing TCP Rule]
    Where the protocol is: TCP
    Where the direction is: Outbound
    Where the REMOTE PORT is: 1024-65535
    Allow It
    The same with UDP 0 to 65535 !!:
    Quote Originally Posted by David
    [Skype Remote Access UDP Rule]
    Where the protocol is: UDP
    Where the REMOTE PORT is: 1024-65535
    Allow It

    [Skype Local Access UDP Rule]
    Where the protocol is: UDP
    Where the LOCAL PORT is: 1024-65535
    Allow It
    Shouldn't we use rules like these in order to be safer:

    [Skype Outgoing TCP Rule]
    Where the protocol is: TCP
    Where the direction is: Outbound
    Where the REMOTE PORT is: 1024-65535
    Where the LOCAL PORT is: 1024-65535
    Allow It

    [Skype Remote Access UDP Rule]
    Where the protocol is: UDP
    Where the REMOTE PORT is: 1024-65535
    Where the LOCAL PORT is: 1024-65535
    Allow It

    [Skype Inbound TCP Coverage Rule]
    Where the protocol is: TCP
    Where the direction is: Inbound
    Deny It

    [Skype Inbound UDP Coverage Rule]
    Where the protocol is: UDP
    Deny It


    Just asking I want to learn, sorry
    Gustavo.-
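
Added example, not part of any post in this thread: a small Python model of the rulesets from posts #7 and #12, evaluated against the same connection attempts. It assumes Outpost applies the first matching rule from top to bottom and prompts when nothing matches, as the posts describe; `Rule`, `decide` and `compare` are hypothetical names, and the rule lists are transcribed from the posts.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

HIGH = (1024, 65535)  # the 1024-65535 range used throughout the thread

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                                # "TCP" or "UDP"
    action: str                               # "allow" or "deny"
    direction: Optional[str] = None           # "in", "out", or None for both
    remote: Optional[Tuple[int, int]] = None  # None = any remote port
    local: Optional[Tuple[int, int]] = None   # None = any local port

def _in(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def decide(rules, proto, direction, local_port, remote_port):
    """First matching rule wins (assumed model); no match means a prompt."""
    for r in rules:
        if (r.proto == proto and r.direction in (None, direction)
                and _in(r.remote, remote_port) and _in(r.local, local_port)):
            return r.action, r.name
    return "prompt", None

DAVID = [  # post #7, in the order given there
    Rule("Skype HTTP Rule", "TCP", "allow", "out", remote=(80, 80)),
    Rule("Skype Outgoing TCP Rule", "TCP", "allow", "out", remote=HIGH),
    Rule("Skype Remote Access UDP Rule", "UDP", "allow", remote=HIGH),
    Rule("Skype Local Access UDP Rule", "UDP", "allow", local=HIGH),
    Rule("Skype Outbound TCP Coverage Rule", "TCP", "deny", "out"),
    Rule("Skype Inbound TCP Coverage Rule", "TCP", "deny", "in"),
    Rule("Skype Inbound UDP Coverage Rule", "UDP", "deny"),
]
GUSTAVO = [  # the four rules written out in post #12, taken on their own
    Rule("Skype Outgoing TCP Rule", "TCP", "allow", "out", remote=HIGH, local=HIGH),
    Rule("Skype Remote Access UDP Rule", "UDP", "allow", remote=HIGH, local=HIGH),
    Rule("Skype Inbound TCP Coverage Rule", "TCP", "deny", "in"),
    Rule("Skype Inbound UDP Coverage Rule", "UDP", "deny"),
]

def compare(proto, direction, local_port, remote_port):
    """Verdict of each ruleset for the same connection attempt."""
    args = (proto, direction, local_port, remote_port)
    return decide(DAVID, *args)[0], decide(GUSTAVO, *args)[0]

if __name__ == "__main__":
    # Constructed attempts; 54389, 33033 and 61357 are ports quoted in the thread.
    for attempt in [("UDP", "out", 54389, 33033), ("UDP", "out", 500, 33033),
                    ("TCP", "out", 2000, 443), ("TCP", "in", 54389, 61357)]:
        print(attempt, compare(*attempt))
```

In this model the only difference the added LOCAL PORT conditions make is for traffic from a local port below 1024, and outbound TCP to port 443 is denied by the post #7 coverage rule, which is the gap post #10 addresses.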

  13. #13
    Join Date
    Feb 2002
    Location
    Toronto
    Posts
    86

    Re: Rules for Skype

    Gustavo, you do have a point in protecting the low ports. But there's one catch about Windows OS: it tends to only use ports between 1024-5000 (local ports) for outbound connections. Inbound connections depend on which ports Skype (or other program) wishes to listen on.

    So overall, most people don't have to really worry about protecting local ports.

  14. #14
    Join Date
    Oct 2002
    Location
    Montevideo-Uruguay
    Posts
    179

    Re: Rules for Skype

    But would you agree that restricting simultaneously local and remote ports would be safer? Or is there something wrong with it?

  15. #15
    Join Date
    Oct 2002
    Location
    Montevideo-Uruguay
    Posts
    179

    Re: Rules for Skype

    BTW, have any of you paid attention to the traffic that Skype generates? Even with no connection the flow continues...
