Hi,

> On 21 Jan 2020, at 18:22, Peter Müller wrote:
>
> Hello *,
>
> since I am not sure whether I am dealing with a bug, a missing feature
> or my very own personal incompetence, asking the mailing list seemed
> reasonable for this. :-)

Yes, because we are only experts here :)

> For security purposes, dropping packets from source ports < 1024 is a good
> idea as the latter indicates successful compromise of services running on
> privileged ports. New connections are usually established from ports > 1023,
> so there is little legitimate scope for this if in doubt.

Hmm, okay. I get your point. However, I am not sure if this will improve security too much.

> When creating a firewall rule via the WebIF, it does not seem to be possible
> to limit source _and_ destination ports if a predefined service (group) is
> used - the latter one always refers to the destination port(s).

Yes, because technically that is how those services work. A browser will always connect from a random port to port 80. There is literally no use-case to limit this to a pre-defined port. You never even know if you have any NAT routers on the way that will change your source port.

> As soon as a single protocol such as TCP or UDP is selected, however, a field
> "source port" is available.
>
> Is this behaviour intentional? If yes, how do I limit firewall rules to
> certain source ports then? Aren't the descriptions "service" and "service group"
> misleading?

Those are only for destinations.

What we could do is limit source ports to > 1024 by default, but I am not sure if that will make a noticeable difference for anyone.

-Michael

> Thanks, and best regards,
> Peter Müller
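The rule semantics discussed in this thread, as an added toy model that is not part of the mailing list exchange or of any firewall's own code: a predefined service carries only a destination port, a plain TCP/UDP rule may additionally restrict the source port, and a NAT hop in between rewrites that source port so the restriction no longer holds. The service table, port values and packets are constructed for the example.

```python
from dataclasses import dataclass, replace

# Hypothetical "service" table: a predefined service names a destination port only.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str
    dst_port: int
    src_port_min: int = 1        # source range defaults to "any"
    src_port_max: int = 65535
    action: str = "ACCEPT"


def rule_from_service(name: str, **overrides) -> Rule:
    """Rule built from a predefined service: the destination port comes from the table."""
    proto, dport = SERVICES[name]
    return Rule(proto, dport, **overrides)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto == rule.proto and pkt.dst_port == rule.dst_port
            and rule.src_port_min <= pkt.src_port <= rule.src_port_max)


def masquerade(pkt: Packet, nat_port: int) -> Packet:
    """A NAT router on the way rewrites the source port (constructed value)."""
    return replace(pkt, src_port=nat_port)


def evaluate(rules, pkt: Packet, default: str = "DROP") -> str:
    """First matching rule wins; the constructed default policy is DROP."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


if __name__ == "__main__":
    http_unprivileged = rule_from_service("HTTP", src_port_min=1024)
    print(evaluate([http_unprivileged], Packet("tcp", 52311, 80)))   # browser: ACCEPT
    print(evaluate([http_unprivileged], Packet("tcp", 80, 80)))      # privileged source: DROP
    print(evaluate([http_unprivileged], masquerade(Packet("tcp", 80, 80), 40001)))  # after NAT: ACCEPT
```

The last line is the point Michael makes: once a NAT device rewrites the source port, the "source port > 1023" restriction accepts the very packet it was meant to drop, so it cannot be relied on as a security boundary.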