Windows – urlacl and the Windows Firewall

Tags: http, windows, windows-firewall

Normally I use Linux servers for my applications. Therefore I am quite new to the firewall system of Windows servers.

I have a C# application which needs to act as an HTTP server. There are multiple ways of realizing this with different abstraction levels: Of course there is a Socket library to provide very fundamental functionality. For TCP traffic there is also a TcpClient. Both listen on a specific port and need "Inbound Rules" defined in the Windows Firewall to be accessed from another machine (no rules are needed when you only need to access it from your own machine).

Then there is the HttpListener. It does not operate on a per-port basis but uses URI prefixes to match requests. For example, the prefix "http://*:80/" would handle all port 80 HTTP traffic.

What really disturbs me is that for an HttpListener to work, no rule in the Windows Firewall but an entry in urlacl is needed:

netsh http add urlacl url=http://*:80/ user=DOMAIN\user

(It is a URL namespace reservation.)

All three methods of realizing an HTTP server are equally useful. The difference is that a lot less code is needed when using HttpListener.

My question is: Why is there the concept of URL namespace reservation when URLs that are not registered can nevertheless be listened to by a server? And why can registered URLs bypass firewall rules? Why is there a system like this in the first place?

Best Answer

AFAIK, netsh http shows/edits the configuration for http.sys, the kernel mode driver part of IIS which, together with the Windows Activation Servers (WAS), can also be used by non-IIS applications. They just have to register their URL so that http.sys/WAS can route requests to the correct client and avoid conflicts.

If you choose to implement the low-level port listening yourself, you are not using http.sys and don't have to register the URL with netsh, but you still need to be careful that there won't be any conflicts with other programs.

The .NET HttpListener class also uses http.sys.

As for firewall rules, I don't see that registered URLs don't need a firewall rule. Your example http://*:80/ is covered by the World Wide Web Services firewall rule.
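To check the two layers the answer separates (the http.sys reservation that decides who may bind a URL prefix, and the firewall rule that decides whether the port is reachable from outside), here is an added PowerShell audit script that is not part of the question or the answer. It assumes that `netsh http show urlacl` prints each entry as a "Reserved URL : <url>" line followed by "User: <principal>" lines, and it uses the built-in `Get-NetFirewallRule` / `Get-NetFirewallPortFilter` cmdlets.

```powershell
# Added example: list every http.sys URL reservation, the principals allowed to
# bind it, and whether an enabled inbound allow rule exposes the port. Not code
# from the original post; the parsing assumes the current netsh output layout.

function Get-UrlAclReservation {
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }             # emit the previous entry
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    if ($current) { $current }
}

function Get-UrlAclPort {
    param([string]$Url)
    # The port sits between the host part (hostname, * or +) and the path;
    # without an explicit port, http.sys uses the scheme default.
    if ($Url -match '^https?://[^/:]+:(\d+)/') { return [int]$Matches[1] }
    if ($Url -match '^https://') { return 443 }
    return 80
}

function Test-InboundPortAllowed {
    param([int]$Port)
    # Returns the name of the first enabled inbound TCP allow rule covering the
    # port, or $null. Port ranges ("80-90") are not expanded here.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        foreach ($f in ($rule | Get-NetFirewallPortFilter)) {
            if ($f.Protocol -eq 'TCP' -and ($f.LocalPort -eq 'Any' -or $f.LocalPort -contains "$Port")) {
                return $rule.DisplayName
            }
        }
    }
    return $null
}

foreach ($r in Get-UrlAclReservation) {
    $port = Get-UrlAclPort $r.Url
    $rule = Test-InboundPortAllowed -Port $port
    # A wildcard host (* or +) lets the listed principals bind every hostname on that port.
    $scope = if ($r.Url -match '^https?://[\*\+]:') { 'wildcard' } else { 'specific' }
    $fw = if ($rule) { "allowed by '$rule'" } else { 'no inbound allow rule' }
    "{0,-50} {1,-8} port {2,-5} users: {3,-30} firewall: {4}" -f $r.Url, $scope, $port, ($r.Users -join ','), $fw
}
```

Run it from an elevated PowerShell session; a wildcard reservation granted to a broad principal on a port that also has an inbound allow rule is the combination worth reviewing.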