From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: Firewall rules with predefined service groups for both source and destination? Date: Sat, 25 Jan 2020 16:41:00 +0000 Message-ID: <6d8b7439-f584-eb4a-9b87-078d0b1af0c1@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0546066583329172131==" List-Id: --===============0546066583329172131== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Michael, > Hi, >=20 >> On 21 Jan 2020, at 18:22, Peter M=C3=BCller w= rote: >> >> Hello *, >> >> since I am not sure whether I am dealing with a bug, a missing feature >> or my very own personal incompetence, asking the mailing list seemed >> reasonable for this. :-) >=20 > Yes, because we are only experts here :) >=20 >> For security purposes, dropping packets from source ports < 1024 is a good >> idea as the latter indicates successful compromise of services running on >> privileged ports. New connections are usually established from ports > 102= 3, >> so there is little legitimate scope for this if in doubt. >=20 > Hmm, okay. I get your point. However I am not sure if this will improve sec= urity too much. Probably not as an attacker could always open a new connection using some port > 1023 if he/she/it already controls a machine. However, it raises the bar - and some Emerging Threat signatures cover the same anomaly ("GPL MISC source = port 53 to <1024" and "GPL MISC Source Port 20 to <1024"). But yes, this certainly is not a silver bullet. >=20 >> When creating a firewall rule via the WebIF, it does not seem to be possib= le >> to limit source _and_ destination ports if a predefined service (group) is >> used - the latter one always refers to the destination port(s). >=20 > Yes, because technically that is how those services work. >=20 > A browser will always connect from a random port to port 80. There is liter= ally no use-case to limit this to a pre-defined port. You never even know if = you are having any NAT routers on the ways that will change your source port. >=20 >> As soon as a single protocol such as TCP or UDP is selected, however, a fi= eld >> "source port" is available. >> >> Is this behaviour intentional? If yes, how do I limit firewall rules to >> certain source ports then? Aren't the descriptions "service" and "service = group" >> misleading? >=20 > Those are only for destinations. Glad to have this clarified. >=20 > What we could do is limiting source ports to > 1024 by default, but I am no= t sure if that will make a noticeable difference for anyone. Good idea. I guess some services may need source ports < 1024 (e.g. IPsec), b= ut adding some switch saying "accept connections from high ports only" might be suitabl= e for this. Thanks, and best regards, Peter M=C3=BCller --===============0546066583329172131==--