Hello Michael,

> Hi,
>
>> On 21 Jan 2020, at 18:22, Peter Müller wrote:
>>
>> Hello *,
>>
>> since I am not sure whether I am dealing with a bug, a missing feature
>> or my very own personal incompetence, asking the mailing list seemed
>> reasonable for this. :-)
>
> Yes, because we are only experts here :)
>
>> For security purposes, dropping packets from source ports < 1024 is a good
>> idea as the latter indicates successful compromise of services running on
>> privileged ports. New connections are usually established from ports > 1023,
>> so there is little legitimate scope for this if in doubt.
>
> Hmm, okay. I get your point. However, I am not sure if this will improve
> security too much.

Probably not, as an attacker could always open a new connection using some
port > 1023 if he/she/it already controls a machine. However, it raises the
bar - and some Emerging Threat signatures cover the same anomaly ("GPL MISC
source port 53 to <1024" and "GPL MISC Source Port 20 to <1024"). But yes,
this certainly is not a silver bullet.

>
>> When creating a firewall rule via the WebIF, it does not seem to be possible
>> to limit source _and_ destination ports if a predefined service (group) is
>> used - the latter one always refers to the destination port(s).
>
> Yes, because technically that is how those services work.
>
> A browser will always connect from a random port to port 80. There is
> literally no use-case to limit this to a pre-defined port. You never even
> know if you are having any NAT routers on the way that will change your
> source port.
>
>> As soon as a single protocol such as TCP or UDP is selected, however, a field
>> "source port" is available.
>>
>> Is this behaviour intentional? If yes, how do I limit firewall rules to
>> certain source ports then? Aren't the descriptions "service" and "service group"
>> misleading?
>
> Those are only for destinations.

Glad to have this clarified.

>
> What we could do is limiting source ports to > 1024 by default, but I am not
> sure if that will make a noticeable difference for anyone.

Good idea. I guess some services may need source ports < 1024 (e.g. IPsec),
but adding some switch saying "accept connections from high ports only"
might be suitable for this.

Thanks, and best regards,
Peter Müller
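The "privileged source port on a new connection" check discussed in this thread, written out as an added example so the policy and its exceptions can be tried against log data. This is not code from IPFire or from either poster. It assumes netfilter LOG-style lines (the SRC=/DST=/PROTO=/SPT=/DPT= fields the kernel emits), treats a TCP SYN without ACK as the only packet that opens a connection, and carries an assumed exemption list for IPsec IKE and NAT-T (UDP 500 and 4500, which originate from fixed low ports). The `low_dst_only` switch narrows the check to the pattern the Emerging Threats "source port N to <1024" signatures describe (low source port to a low destination port); all log lines are constructed for the example.

```python
"""Flag new inbound flows whose source port is privileged (< 1024).

Added example, not IPFire code. Parses netfilter LOG lines (the
SRC=/DST=/PROTO=/SPT=/DPT= fields) and applies the source-port policy
from the thread, with an assumed exemption list for protocols that
legitimately originate from a fixed low port.
"""
import re
from typing import NamedTuple, Optional

# Assumed allow list, as (proto, sport, dport): IPsec IKE and NAT-T are the
# cases named in the thread. Other symmetric-port protocols would be added here.
IPSEC_EXEMPT = frozenset({("UDP", 500, 500), ("UDP", 4500, 4500)})

PRIVILEGED_MAX = 1023  # ports 0..1023 are privileged on Unix-like hosts
REQUIRED_FIELDS = {"SRC", "DST", "PROTO", "SPT", "DPT"}
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool  # TCP SYN without ACK marks a new connection attempt


def parse_log_line(line: str) -> Optional[Flow]:
    """Extract the 5-tuple from a netfilter LOG line; None if fields are missing."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED_FIELDS <= set(fields):
        return None
    tokens = line.split()
    syn = "SYN" in tokens and "ACK" not in tokens
    return Flow(fields["SRC"], fields["DST"], fields["PROTO"].upper(),
                int(fields["SPT"]), int(fields["DPT"]), syn)


def is_new_connection(flow: Flow) -> bool:
    """TCP: only the initial SYN opens a connection. UDP has no handshake,
    so every logged datagram is treated as a possible new flow."""
    if flow.proto == "TCP":
        return flow.syn
    return flow.proto == "UDP"


def violates_low_source_port_policy(flow: Flow, exempt=IPSEC_EXEMPT,
                                    low_dst_only: bool = False) -> bool:
    """True if a *new* flow originates from a privileged port.

    low_dst_only=True restricts the match to low source -> low destination,
    the pattern the ET "source port N to <1024" rules describe.
    """
    if not is_new_connection(flow):
        return False
    if (flow.proto, flow.sport, flow.dport) in exempt:
        return False
    if flow.sport > PRIVILEGED_MAX:
        return False
    if low_dst_only and flow.dport > PRIVILEGED_MAX:
        return False
    return True


def scan(lines, **policy) -> list:
    """Return the flows in `lines` that violate the policy."""
    hits = []
    for line in lines:
        flow = parse_log_line(line)
        if flow is not None and violates_low_source_port_policy(flow, **policy):
            hits.append(flow)
    return hits


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    # source port 53 to SSH: the pattern the ET "source port 53 to <1024" rule targets
    "Jan 21 18:22:01 fw kernel: NEW_IN SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=53 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    # ordinary client connection from an ephemeral port: allowed
    "Jan 21 18:22:02 fw kernel: NEW_IN SRC=203.0.113.8 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=44321 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    # IPsec IKE, fixed source port 500: exempted
    "Jan 21 18:22:03 fw kernel: NEW_IN SRC=198.51.100.3 DST=192.0.2.10 LEN=368 TTL=60 PROTO=UDP SPT=500 DPT=500",
    # SYN/ACK from a low port: mid-handshake reply, not a new connection, ignored
    "Jan 21 18:22:04 fw kernel: DROP_IN SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=80 DPT=51000 WINDOW=65535 RES=0x00 ACK SYN URGP=0",
    # low source port to a high destination port: caught by the strict policy only
    "Jan 21 18:22:05 fw kernel: NEW_IN SRC=203.0.113.10 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=20 DPT=34567 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for flow in scan(SAMPLE_LOG):
        print(f"{flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

The strict policy flags two of the five sample flows (source ports 53 and 20); with `low_dst_only=True` only the 53 -> 22 flow remains, matching what the ET signature would see. As noted in the thread, a NAT device between client and firewall may rewrite the source port, so the check can only be applied to the ports as they arrive at the firewall.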