Do firewalls block non-HTTP traffic on port 80?

Harry Mexican picture Harry Mexican · May 16, 2012 · Viewed 8k times · Source

Can anyone confirm that using a persistent outgoing TCP connection on port 80 will not be blocked by the vast majority of consumer firewalls?

That has been assumption based on the fact that HTTP runs over TCP, but of course it is theoretically possible to analyze the packets. Question is do most CONSUMER firewalls do this or not?

Answer

MattH picture MattH · May 16, 2012

The feature is called ALG, Application Layer Gateway. This is where the firewall is aware of and perhaps even participates in an application protocol

There are two main reasons a firewall may do this:

  • Protocol support, in order to support the protocol it is necessary to snoop/participate, e.g. opening up additional ports for non passive FTP or media ports for SIP+SDP
  • Additional security, an ALG may function as a transparent proxy and filter protocol commands and actions to enforce policy. E.g. preventing the HTTP CONNECT method

ALGs have been a common feature of stateful firewalls for many years, though often the source of instability.

For security proscriptive environments expect HTTP to be validated and filtered either by a firewall or other dedicated policy enforcement appliance.


Residential broadband routers do not tend to have advanced firewall features. I would be surprised to find any with HTTP validation / filtering on port 80.

Personal software firewalls come in two flavours, basic and advanced. Most consumers will have a basic one that probably comes with their operating system and will not do any HTTP validation / filtering.

However, there is a rising trend in antivirus product differentiation of advanced internet content filtering for threat protection, there is significant possibility these may filter HTTP activity (but is difficult to determine with certainty from their Feature Lists).