From: Peter Müller
To: development@lists.ipfire.org
Subject: Firewall rules with predefined service groups for both source and destination?
Date: Tue, 21 Jan 2020 18:22:00 +0000
Message-ID: <0c2ca114-203e-a08f-3a75-b6fee134b8c9@ipfire.org>

Hello *,

since I am not sure whether I am dealing with a bug, a missing feature or my very own personal incompetence, asking the mailing list seemed reasonable for this. :-)

For security purposes, dropping packets from source ports < 1024 is a good idea, as the latter indicates successful compromise of services running on privileged ports. New connections are usually established from ports > 1023, so there is little legitimate scope for this if in doubt.

When creating a firewall rule via the WebIF, it does not seem to be possible to limit source _and_ destination ports if a predefined service (group) is used - the latter one always refers to the destination port(s). As soon as a single protocol such as TCP or UDP is selected, however, a field "source port" is available.

Is this behaviour intentional? If yes, how do I limit firewall rules to certain source ports then? Aren't the descriptions "service" and "service group" misleading?

Thanks, and best regards,
Peter Müller
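For reference, the rule the post asks for, expressed directly as netfilter commands rather than through the IPFire WebIF (an added example, not IPFire's own rule generator): a service group is treated as a list of protocol/port members, and each member gets a rule that matches the privileged source-port range as well as its destination port. The group name, its members and the chain are constructed for illustration.

```shell
#!/bin/sh
# Added example: expand a "service group" (list of proto/port members) into
# iptables rules that match BOTH a source-port range and each destination port.
# The group contents below are constructed, not taken from an IPFire install.

# Privileged source ports that a legitimate new client connection should not use.
SPORT_RANGE="0:1023"

# Emit one DROP rule per group member, restricted to the source-port range.
# $1 = chain to append to, remaining args = members as "proto/port".
expand_group_rules() {
    chain=$1
    shift
    for member in "$@"; do
        proto=${member%/*}
        port=${member#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "unsupported protocol: $proto" >&2; return 1 ;;
        esac
        printf 'iptables -A %s -p %s --sport %s --dport %s -j DROP\n' \
            "$chain" "$proto" "$SPORT_RANGE" "$port"
    done
}

# Constructed group "web": HTTP and HTTPS over TCP, plus DNS over UDP.
WEB_GROUP="tcp/80 tcp/443 udp/53"

# Print the generated rules so they can be reviewed before being applied
# (word splitting of $WEB_GROUP into members is intentional).
# shellcheck disable=SC2086
expand_group_rules FORWARD $WEB_GROUP
```

The output is printed rather than executed so the rule set can be checked by eye; applying it is a separate, deliberate step.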