The Web Hikers guide to
Outpost Firewall

Home > Rules > Preset Rules > Proxies

Proxies

Bottom

There are preset rules for the following proxies:

AnalogX Proxy
The Proxomitron
WebWasher

Glossary Bottom Top

The Proxomitron connection
WebWasher connection

Protocol: TCP
Direction: Outbound
Remote Port(s): HTTP (80), 81-83, HTTPS (443), SOCKS (1080), 3128, 8080, 8088, 11523
Action: Allow It

What it's for

Local proxies like The Proxomitron and Web Washer can filter the headers sent by browsers and block other junk. This rule is used by your local proxy for accessing the internet when it gets a request to do so from another application that is set up to use a proxy. HTTP (Hyper Text Transfer Protocol) is the only port you really need for browsing the Internet, ports 81, 82, 83 are auxiliary web browsing ports and are rarely used. HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer (SSL)) is used to connect to secure sites. SOCKS is only needed by people using a SOCKS proxy server. 3128, 8080, and 8088 are common ports that proxy servers use. 11523 is used by AOL's browser.

To optimize

Remove the remote ports: 81, 82, 83 unless you know that you need them. If you don't use a SOCKS proxy server remove SOCKS. If your not chaining your local proxy to another proxy (remote or local) remove 3128, 8080 and 8088. Most people can change the ports to just HTTP and HTTPS and not experience any problem using their proxy. If you don't use AOL's browser remove 11523.
More about HTTP, HTTPS, SOCKS, PROXY
Back to Proxies

Glossary Bottom Top

Block incoming Proxomitron connection

Protocol: TCP
Direction: Inbound
Action: Deny It

What it's for

This rule is used to block incoming connections to The Proxomitron so as to stop remote users from being able to connect to The Proxomitron.
Back to Proxies

Glossary Bottom Top

AnalogX Proxy HTTP connection

Protocol: TCP
Direction: Outbound
Remote Port(s): HTTP (80), 81-83, SOCKS (1080), 3128, 8080, 8088, 11523
Action: Allow It

What it's for

This rule is used by AnalogX's Proxy for accessing the internet when it gets a request to do so from another application that is set up to use a proxy. HTTP (Hyper Text Transfer Protocol) is the only port you really need for browsing the Internet, ports 81, 82, 83 are auxiliary web browsing ports and are rarely used. SOCKS is only needed by people using a SOCKS proxy server. 3128, 8080, and 8088 are common ports that proxy servers use. 11523 is used by AOL's browser.

To optimize

Remove the remote ports: 81, 82, 83 unless you know that you need them. If you don't use a SOCKS proxy server remove SOCKS. If your not chaining your local proxy to another proxy (remote or local) remove 3128, 8080 and 8088. Most people can change the ports to just HTTP and not experience any problem using their proxy. If you don't use AOL's browser remove 11523.
More about HTTPS
Back to Proxies

Glossary Bottom Top

AnalogX Proxy HTTPS connection

Protocol: TCP
Direction: Outbound
Remote Port(s): HTTPS (443)
Action: Allow It

What it's for

This rule is used for secure web page connections (Hyper Text Transfer Protocol over Secure Socket Layer (SSL)), HTTPS is used when you visit pages that need a password (such as Hotmail) or online shopping sites. You can tell when ever the page your looking at is secure by looking for the little padlock symbol which will be displayed somewhere in your browser. Unlike HTTP, HTTPS encrypts the data that is sent and received.

Of course, changing the Action from 'Allow It' to 'Deny It' will stop anyone using your browser from accessing secure sites. This would mean that if you didn't want anyone to be able to buy anything you could stop them quite easily without having to put every shopping site you can think of into the Content plugin's blocked sites list.

To optimize

The number of sites you visit that are secure are few and far between so you might like to create rules for each site you visit. Just specify as 'Remote Host' the site that you want, duplicate the rule, but change the 'Remote Host' for any additional site.
More about HTTPS
Back to Proxies

Glossary Bottom Top

Send mail by AnalogX Proxy

Protocol: TCP
Direction: Outbound
Remote Port(s): POP3 (110)
Action: Allow It

What it's for

This rule is used whenever your e-mail client receives mail. It uses POP3 (Version 3 of the Post Office Protocol) to collect mail from your e-mail providers POP server.

To optimize

Add an Event for 'Remote Host' and specify the 'Remote Host' as your e-mail providers POP server. This is usually pop or pop3.your_provider.com so, for example, if NTLWorld is your e-mail provider you would use pop.ntlworld.com. You can either e-mail your provider for there POP server details or collect an e-mail and check either your Allowed log or the DNS Cache log both of which should give you the IP number or host name of your providers POP server.
More about POP3
Back to Proxies

Glossary Bottom Top

Receive mail by AnalogX Proxy

Protocol: TCP
Direction: Outbound
Remote Port(s): SMTP (25)
Action: Allow It

What it's for

This rule is used whenever your e-mail client sends mail. It uses SMTP (Simple Mail Transfer Protocol) to send the mail to your e-mail providers SMTP server which in turn forwards your mail to it's destinations POP server so that the recipient can then receive the mail.

To optimize

Add an Event for 'Remote Host' and specify the 'Remote Host' as your e-mail providers SMTP server. This is usually smtp.your_provider.com so, for example, if NTLWorld is your e-mail provider you would use smtp.ntlworld.com. You can either e-mail your provider for there SMTP server details or send an e-mail and check either your Allowed log or the DNS Cache log both of which should give you the IP number or host name of your providers SMTP server.
More about SMTP

Back to Proxies

Glossary Bottom Top

Read news by AnalogX Proxy

Protocol: TCP
Direction: Outbound
Remote Port(s): NNTP (119)
Action: Allow It

What it's for

This rule is used by your e-mail client whenever you read newsgroup postings. It uses NNTP (Network News Transfer Protocol).

To optimize

Add an Event for 'Remote Host' and specify the 'Remote Host' as the NNTP server that your news provider uses. As an example, to refine this rule for Steve Gibson's news servers you would use news.grc.com. If your mail client can't read news, or you don't read news then delete (or turn off) this rule.
More about NNTP
Back to Proxies

Glossary Bottom Top

AnalogX Proxy FTP connection

Protocol: TCP
Direction: Outbound
Remote Port(s): FTP (21)
Action: Allow It

What it's for

This rule is used for establishing FTP (File Transfer Protocol) connections to FTP servers to download a file.

FTP uses two channels to achieve the transfer, there is the control connection (this rule) which is used to send the necessary commands to achieve the transfer and a data channel (see FTP DATA) which is used to actually send the files with. The control connection is established from the client (which would be you) when the client logs into an ftp server, whereas the data channel is usually established by the server to the client after the client connects to the server.

To optimize

Add an Event for 'Remote Host' and specify the 'Remote Host' as the FTP server you use.
More about FTP
Back to Proxies

Glossary Bottom Top

AnalogX Proxy FTP DATA connection

Protocol: TCP
Direction: Inbound
Remote Port(s): FTP DATA (20)
Action: Allow It

What it's for

This rule is used for establishing FTP (File Transfer Protocol) connections to FTP servers to download a file.

FTP uses two channels to achieve the transfer, there is the control connection (see FTP) which is used to send the necessary commands to achieve the transfer and a data channel (this rule) which is used to actually send the files with. The control connection is established from the client (which would be you) when the client logs into an ftp server, whereas the data channel is usually established by the server to the client after the client connects to the server.

To optimize

Add an Event for 'Remote Host' and specify the 'Remote Host' as the FTP server you use.
More about FTP DATA
Back to Proxies

Glossary Bottom Top

AnalogX Proxy PASV FTP connection

There are two rules, one for Inbound and one for Outbound.

Protocol: TCP
Direction: Inbound
Local Port(s): 1024-65535
Action: Allow It

Protocol: TCP
Direction:Outbound
Remote Port(s): 1024-65535
Action: Allow It

What it's for

These rules are used for FTP transfers when using Passive FTP mode instead of Active FTP mode. An explanation of Passive and Active FTP is in order:

Active FTP
Your FTP client uses the FTP and FTP DATA rules for Active FTP transfers. In Active FTP transfers the client (in this case your FTP client) connects from a random unprivileged local port (those over port number 1023) to the servers FTP command port (21) to let the server know that it is waiting for a connection from the server. The client then starts listening on a port 1 number higher then the port it opened the connection on. So if your client connects to an FTP server from local port 1024 and establishes a connection with the servers FTP command port, the client would then start listening on port 1025 for incoming connections from the FTP server. Once the client starts listening the server establishes a connection from its FTP DATA port (20) to your local port that the client is now listening on.

This doesn't cause problems if you don't have a firewall, but when you do it can cause all kinds of headaches. The reason it is such a problem for a firewalled system is that the client doesn't initiate the transfer. It just tells the FTP server what port it's listening on and lets the FTP server establish a connection from the servers FTP DATA port. Firewalls normally block connections like this, otherwise anyone could connect to the listening port.

In order to get round this problem Passive FTP mode (PASV) was developed

Passive FTP
Passive FTP makes the client responsible for initiating both connections. The client opens two random local unprivileged ports with the second being one number high then the first (so if the first port is 1055 the second is 1056). The client then contacts the server FTP command port (21) from the first port it opened (in this example 1055).

Now here is the difference. Instead of asking the server to connect form it's FTP DATA port to a random local port on the client, the client tells the server (by sending the PASV command) to open a random unprivileged port of it's own (for this example 1026). The server then tells the client what port it's awaiting a connection on and the client connects from it's second port (in this example 1056) to the servers now listening port 1026. Thus both connections are initiated by the client and the client side firewall doesn't block the connection because it was started by the client.

But wait a minute! Doesn't this cause all kinds of problems for the server side firewall?
Yes it does, but servers have away round this. Most FTP servers allow a server administrator to specify a range of local ports the FTP server is allowed to open and use.

Most FTP cleints will have an option that allows you to use Passive FTP instead of Active FTP.

To optimize

Add an Event for 'Remote Host' and specify the 'Remote Host' as the FTP server you use.
More about FTP, FTP DATA
Back to Proxies

Glossary Top

Outpost and the Outpost logo are ©Agnitum Software

This is an unofficial guide, the information expressed here may differ from Agnitum's. There is a support forum (no longer run by Agnitum, but by users) if you need more help this is a good place to start. Where information here conflicts with what Agnitum have told you always go with the information given to you by Agnitum.

Guide/site and images ©Stephen Cox