It seems like this should be so simple, but since this isn't my area of expertise, I'm having a hell of a time figuring out how to do it.

Basically, I have a Flash app and I'm connecting to a Flash Media Server to stream some content. The URL I'm using to do this, for example, looks like this:


Everything works -- but that's sort of the problem. What I'm trying to do is simulate my users attempting to play back my media under more restrictive conditions than the ones I have here (i.e., none) -- namely being stuck behind firewalls or proxy servers that block access to RTMP streams.

Flash, according to Adobe, is equipped to handle proxy servers and firewalls automatically, like so (from the docs):

When you do not specify a port number in an RTMP address, Flash will attempt to connect to port 1935. If it fails it will then try to connect to port 443; if that fails, it will try port 80. [And if that fails, it will attempt to connect via RTMPT (i.e., HTTP tunneling) on port 80.] So no coding is required to access ports 1935, 443, or port 80 if you do not specify a port in the RTMP address.

The problem I'm having is setting up a reliable environment in which to test that this behavior actually happens. I'm on a Windows machine, for example, so with Windows Firewall, I can block certain ports and protocols (1935, 443), but I don't want to block port 80, because the final fallback protocol (RTMPT) is supposed to run on port 80, and Windows Firewall only gives me enough granularity (as far as I know, anyway) to block "all outbound TCP traffic to remote port 80" -- that is, I can't, apparently, block "all outbound RTMP traffic to port 80" while leaving RTMPT traffic to port 80 unaffected.

My understanding thus far is that I'll probably need to set up a proxy server to do this. Is this correct? Or is there a simpler way (on Win 7, at least) to filter out RTMP to 1935, RTMP to 443, RTMP to 80, but still allow RTMPT to 80 (where all four hostnames are identical)? And if I do have to set up a proxy server, what's the simplest way to go on Windows? I've set up WinProxy, which seems a bit janky but apparently works -- but then what I can't figure out is how to tell Windows to force all TCP traffic (including RTMP, RTMPT and HTTP) through this proxy server so I can turn around and reject the requests for RTMP.

Any help would be hugely appreciated. This isn't my realm of expertise and I've already spent more time on it than I probably should. :)

Mark Henderson
  • Why do you even care? Is the Flash app that important to test for missing port 80? If they can load your app, they are on your site and VERY LIKELY to have port 80 open. Code your player to hit the ports you want (prob 80) first so playback is faster... if you wait for the standard 1935,443,80 rotation, there is a noticeable delay in playback. –  Nov 05 '10 at 04:42
  • It's "answers" like this that are the reason so many technical support departments are inundated - because the developer has the attitude of "Who cares, it works on my machine". There are a lot of networks where port 80 IS blocked, and all requests run through a proxy on a different port, but if their flash app isn't configured to use the proxy, then will the RTMP streaming still work? Sounds like a very legitimate test to me. – Mark Henderson Nov 05 '10 at 04:55

2 Answers


You're not going to be able to filter on something that uses port 80 with any basic firewall. You are going to either need to use maybe a proxy server (actually not even really sure a proxy would be able to pull this off either) or a firewall that can do deep packet inspection (application layer firewall).

  • Ok. Have any recommendations for the proxy server or application firewall? – Christian Nunciato May 25 '10 at 22:41
  • @Christian: I would suggest squid, can't really recommend an application layer firewall unless you have 50k to spend ... I'm sure they are out there but well I've never had to look for something that cost less. – Zypher May 25 '10 at 22:45
  • Ok cool, I can try Squid. But then how (specifically on Windows, since that's what I'm running) can I force all TCP traffic to use that proxy server? In my LAN settings, for example, I can see where to specify the proxy server address and port, but it doesn't seem to be sending RTMP traffic to that proxy -- only the basics, like HTTP, FTP, etc. Is there some way I can force all TCP (including RTMP) to use that proxy? – Christian Nunciato May 25 '10 at 22:48
  • @Christian: If it's not respecting the web proxy settings, you are probably going to have to set up something on the router to force all port 80 traffic to the squid box. – Zypher May 25 '10 at 22:53
  • Also, make sure the FMS server on the other side actually listens on all those ports and is configured to use those protocols on those ports – Joris Nov 05 '10 at 05:57
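
Added example, not part of any post on this page: a minimal content-aware TCP relay in Python showing the kind of first-bytes inspection an application-layer filter needs to drop raw RTMP while passing RTMPT on the same port. It relies on two protocol facts: a raw RTMP client opens with the version byte 0x03, while RTMPT opens with an HTTP POST to paths such as /open/1. The function names, the loopback listen address and the sample inputs are assumptions made for illustration.

```python
import asyncio

RTMPT_PATHS = (b"/open/", b"/idle/", b"/send/", b"/close/", b"/fcs/ident")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

def classify(first_bytes: bytes) -> str:
    """Label a TCP stream from the first bytes the client sends."""
    if first_bytes[:1] == b"\x03":        # RTMP C0: version 3, then 1536-byte C1
        return "rtmp"
    if first_bytes[:2] == b"\x16\x03":    # TLS handshake record (HTTPS or RTMPS)
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        parts = first_bytes.split(b" ", 2)
        path = parts[1] if len(parts) > 1 else b""
        if first_bytes.startswith(b"POST ") and path.startswith(RTMPT_PATHS):
            return "rtmpt"
        return "http"
    return "unknown"                      # includes an empty or truncated read

def allowed(first_bytes: bytes) -> bool:
    """Test policy from the question: drop raw RTMP, pass HTTP and RTMPT."""
    return classify(first_bytes) in ("rtmpt", "http")

async def pipe(reader, writer):
    """Copy one direction until EOF, then close the receiving side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w, upstream):
    head = await client_r.read(4096)      # first segment is enough to classify
    if not allowed(head):
        client_w.close()                  # the client sees a failed connection
        return
    up_r, up_w = await asyncio.open_connection(*upstream)
    up_w.write(head)                      # replay the bytes already consumed
    await asyncio.gather(pipe(client_r, up_w), pipe(up_r, client_w))

async def serve(listen_port: int, upstream: tuple):
    """Relay 127.0.0.1:listen_port to upstream=(host, port), filtering by content."""
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, upstream), "127.0.0.1", listen_port)
    async with server:
        await server.serve_forever()

# Constructed sample inputs (not captured traffic).
SAMPLE_RTMP = b"\x03" + bytes(1536)
SAMPLE_RTMPT = b"POST /open/1 HTTP/1.1\r\nContent-Type: application/x-fcs\r\n\r\n"
```

Run one `serve()` per port under test with the media server's address as `upstream`; how the client is directed at the relay is left to the test setup.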

While I am a little confused about this statement:

Or is there a ... way ... to filter out ... RTMP to 80, but still allow RTMPT to 80 (where all four hostnames are identical)?

I would think that you could also try and create an IPSec filter to block certain traffic to/from specific hosts and allow certain traffic to/from specific hosts...
