CiD
Guest
|
Posted:
Sat Dec 11, 2004 9:49 pm Post subject:
Changing port numbers |
|
|
Is there a registry hack where I can change the standard VPN port from
1723 and IP protocol 47 to other ports like 5631 and 5632? With
FTP, WWW, and a lot of other services you can easily change the
standard assigned port numbers, but can you do so with VPN? Please
let me know.
|
Miha Pihler
Guest
|
Posted:
Sat Dec 11, 2004 10:12 pm Post subject:
Re: Changing port numbers |
|
|
Hi,
You are confusing IP protocols with TCP port numbers...
There are quite a few protocols in IP and each has its own number.
Here is a list of more frequently used IP protocols and their numbers...
* ICMP is IP protocol number 1 (ICMP is used when you e.g. run ping or
tracert or ...)
* IGMP is IP protocol number 2
* TCP is IP protocol number 6
* UDP is IP protocol number 17
* IPv6 is IP protocol number 41 (this is only one of IPv6 options)
* GRE is IP protocol number 47
* AH is IP protocol number 51
* L2TP is IP protocol number 115
Mike
|
CiD
Guest
|
Posted:
Sun Dec 12, 2004 7:27 am Post subject:
Re: Changing port numbers |
|
|
Thanks, Mike, for your informative reply. I was indeed confusing the
IP port for protocol number.
Here's a question for you.
Is it possible then to block/open an IP protocol? Since TCP/IP is a
stack of them put together, I think that if TCP/IP is enabled the whole
stack of them are so open, correct?
|
Steve Riley [MSFT]
Guest
|
Posted:
Sun Dec 12, 2004 12:38 pm Post subject:
Re: Changing port numbers |
|
|
On a computer, ports and protocols are not "open" in the same sense that
they are on a firewall. Ports are available for receiving incoming traffic
if there is a *listener* bound to the port number and waiting for something
to appear.
For example: web servers listen on port 80/tcp. A computer will not accept
inbound communications to 80/tcp unless there is a web server listening
there. Note: 80/tcp is reserved by IANA (Internet Assigned Numbers
Authority) for web servers. But that doesn't mean something else couldn't
use 80/tcp; indeed, many worms and viruses are compiled to use this specific
port since so many firewalls have that port open. (That's why we often call
this the universal firewall bypass port, often carrying traffic in HTTP, the
universal firewall bypass protocol.)
When using host-based firewalls or other port-blocking mechanisms (IPsec
block/allow filters, TCP/IP stack filtering) it's possible to block inbound
traffic to certain port numbers even though there are listeners on those
ports.
Port numbers identify applications to the TCP/UDP layer. Likewise, protocol
numbers identify protocols (like TCP, UDP, IPsec, ICMP, IGMP, GRE, and so
on) to the IP layer. Protocol numbers are never open or even listening; they
are simply identifiers so that IP knows which next layer to hand the traffic
to.
Now, getting back to your original question, why do you want to change the
port and protocol numbers? Please don't think this will buy you any
security. Well-known port and protocol numbers are how TCP/IP is designed to
operate. Sure, some TCP client-server applications can work with
non-standard port numbers, but this usually introduces complexity, something
that I try very hard to avoid. Changing port numbers can help you hide, for
a time; it's pretty easy to find out anyway. And you can't change protocol
numbers at all -- IP would break. Having said all that, there's no support
in Windows RRAS or the VPN client to use non-standard port numbers.
Steve Riley
steriley@microsoft.com
|
Miha Pihler
Guest
|
Posted:
Sun Dec 12, 2004 1:43 pm Post subject:
Re: Changing port numbers |
|
|
Hi,
Steve gave you an answer to the question. What I would like to add is
another reason why not to use non-standard TCP ports (in any production
environment).
As I travel I often find that firewall administrators will not allow
outbound VPN connections from their networks -- which is a good thing if you
don't need such traffic (not all firewall administrators will allow _all_
traffic to leave their network). Again I can be visiting any of my customers
and let's say they configured their network to allow outgoing VPN connections
(and all other standard protocols http(s), ...), but they did it only for
the standard VPN ports (e.g. TCP port 1723 for PPTP). Imagine I moved PPTP
from 1723 to 5631. Now even if the network is configured to allow outbound
VPN connections on standard TCP ports, I will not be able to connect to my
VPN server because it is running on non-standard TCP ports...
Mike
|
CiD
Guest
|
Posted:
Sun Dec 12, 2004 2:31 pm Post subject:
Re: Changing port numbers |
|
|
thanks guys!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1
|
Karl Levinson, mvp
Guest
|
Posted:
Mon Dec 13, 2004 7:17 pm Post subject:
Re: Changing port numbers |
|
|
"CiD" <elcid2k@hotmail.com> wrote in message
news:a58nr0lbk3gd6da379nv60gqgkgev2iho9@4ax.com...
| Quote: | Thanks, Mike, for your informative reply. I was indeed confusing the
IP port for protocol number.
Here's a question for you.
Is it possible then to block/open an IP protocol? Since TCP/IP is a
stack of them put together, I think that if TCP/IP is enabled the whole
stack of them are so open, correct?
|
Yes, it is possible with Windows and most IP firewalls to block an IP
protocol. Yes, TCP/IP refers to a fair number of other IP protocols besides
TCP. Yes, usually by default more or less all IP protocols are permitted
through the Windows TCP/IP Filtering and IPsec filtering, although there may
or may not be any service in Windows that is listening for that protocol
that would know how to handle it when it comes in.
|
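Added example, not part of any post in this thread: a small Python sketch of the distinction Steve Riley and Karl Levinson describe, showing that the IP header's protocol field selects the next layer, that only TCP and UDP carry port numbers, and that a filter needs a protocol-level rule to match PPTP's GRE data channel. The addresses, packets, rule format and function names are constructed for illustration, and the default-allow policy is an assumption mirroring the default Karl mentions.

```python
import socket
import struct

def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def classify(packet):
    """Return (ip_protocol, dst_port); dst_port is None if the protocol has no ports."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4      # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]                 # tells IP which next layer gets the payload
    dst_port = None
    if proto in (6, 17) and len(packet) >= ihl + 4:   # only TCP/UDP have ports
        dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, dst_port

def decide(packet, rules, default="allow"):
    """First-match filter. A rule is (action, ip_protocol, dst_port or None for any)."""
    proto, port = classify(packet)
    for action, rule_proto, rule_port in rules:
        if rule_proto == proto and (rule_port is None or rule_port == port):
            return action
    return default

# Constructed samples: PPTP control channel (TCP SYN to port 1723) and
# PPTP data channel (enhanced GRE, IP protocol 47, no port field at all).
TCP_HDR = struct.pack("!HHIIBBHHH", 49152, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0)
GRE_HDR = struct.pack("!HHHH", 0x2001, 0x880B, 0, 0)
PPTP_CONTROL = build_ipv4(6, TCP_HDR)
PPTP_DATA = build_ipv4(47, GRE_HDR)

PORT_ONLY = [("block", 6, 1723)]                        # port rule alone
PORT_AND_PROTO = [("block", 6, 1723), ("block", 47, None)]

if __name__ == "__main__":
    for name, pkt in (("control", PPTP_CONTROL), ("data", PPTP_DATA)):
        print(name, classify(pkt),
              decide(pkt, PORT_ONLY), decide(pkt, PORT_AND_PROTO))
```
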