From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Firewall rules with predefined service groups for both source and destination?
Date: Fri, 24 Jan 2020 11:43:31 +0000
In-Reply-To: <0c2ca114-203e-a08f-3a75-b6fee134b8c9@ipfire.org>

Hi,

> On 21 Jan 2020, at 18:22, Peter Müller wrote:
>
> Hello *,
>
> since I am not sure whether I am dealing with a bug, a missing feature
> or my very own personal incompetence, asking the mailing list seemed
> reasonable for this. :-)

Yes, because we are only experts here :)

> For security purposes, dropping packets from source ports < 1024 is a good
> idea as the latter indicates successful compromise of services running on
> privileged ports. New connections are usually established from ports > 1023,
> so there is little legitimate scope for this if in doubt.

Hmm, okay. I get your point. However I am not sure if this will improve security too much.

> When creating a firewall rule via the WebIF, it does not seem to be possible
> to limit source _and_ destination ports if a predefined service (group) is
> used - the latter one always refers to the destination port(s).

Yes, because technically that is how those services work.

A browser will always connect from a random port to port 80. There is literally no use-case to limit this to a pre-defined port. You never even know if you are having any NAT routers on the way that will change your source port.

> As soon as a single protocol such as TCP or UDP is selected, however, a field
> "source port" is available.
>
> Is this behaviour intentional? If yes, how do I limit firewall rules to
> certain source ports then? Aren't the descriptions "service" and "service group"
> misleading?

Those are only for destinations.

What we could do is limiting source ports to > 1024 by default, but I am not sure if that will make a noticeable difference for anyone.

-Michael

> Thanks, and best regards,
> Peter Müller
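The rule semantics discussed in this thread, as an added example that is not part of the mailing-list post and not IPFire's own code: a toy matcher in which a predefined "service group" only ever constrains the destination port, a separate source-port range is optional, and a NAT hop rewriting the source port is simulated. The service names, port numbers and sample flows are constructed for illustration. It shows that a browser flow from a random high port matches the service rule either way, that a default "drop source ports below 1024" rule only affects flows originating from a privileged port, and that any rule pinned to a specific source port stops matching once a NAT device rewrites that port.

```python
"""Toy firewall-rule matcher (constructed example, not IPFire code).

Models the two things the thread discusses:
  * predefined service groups match destination ports only;
  * a source-port restriction is a separate, optional condition.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed service groups: destination port(s) only, as in the thread.
SERVICES: dict = {
    "HTTP": frozenset({80}),
    "HTTPS": frozenset({443}),
    "WEB": frozenset({80, 443}),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "ACCEPT" or "DROP"
    proto: str                               # "tcp" or "udp"
    service: Optional[str] = None            # destination port(s) via service group
    src_ports: Optional[Tuple[int, int]] = None  # inclusive source-port range

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        # The service group constrains the destination port and nothing else.
        if self.service is not None and pkt.dst_port not in SERVICES[self.service]:
            return False
        # Source ports are an independent, optional condition.
        if self.src_ports is not None:
            lo, hi = self.src_ports
            if not lo <= pkt.src_port <= hi:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """First matching rule wins; unmatched packets hit the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def nat_rewrite(pkt: Packet, new_src_port: int) -> Packet:
    """Simulate a NAT router on the path choosing a new source port."""
    return Packet(pkt.proto, new_src_port, pkt.dst_port)


# Rule set 1: only the service group, i.e. what the WebIF produces today.
SERVICE_ONLY: List[Rule] = [Rule("ACCEPT", "tcp", service="WEB")]

# Rule set 2: the "source ports > 1023 by default" idea from the thread,
# expressed as a leading DROP for privileged source ports.
WITH_SRC_FLOOR: List[Rule] = [
    Rule("DROP", "tcp", src_ports=(0, 1023)),
    Rule("ACCEPT", "tcp", service="WEB"),
]

# Constructed sample flows.
BROWSER = Packet("tcp", 51234, 80)    # normal client: random high port -> 80
LOW_SRC = Packet("tcp", 80, 80)       # sourced from a privileged port
FIXED_SRC = Packet("tcp", 5000, 443)  # client that happens to use port 5000


def demo() -> dict:
    """Return the verdicts for the sample flows under both rule sets."""
    pinned = Rule("ACCEPT", "tcp", service="WEB", src_ports=(5000, 5000))
    return {
        "browser/service_only": evaluate(SERVICE_ONLY, BROWSER),
        "browser/src_floor": evaluate(WITH_SRC_FLOOR, BROWSER),
        "low_src/service_only": evaluate(SERVICE_ONLY, LOW_SRC),
        "low_src/src_floor": evaluate(WITH_SRC_FLOOR, LOW_SRC),
        # A rule pinned to one source port works until NAT rewrites it.
        "pinned/before_nat": pinned.matches(FIXED_SRC),
        "pinned/after_nat": pinned.matches(nat_rewrite(FIXED_SRC, 40001)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The point the matcher makes concrete: a source-port floor changes the verdict only for the flow that originates from a privileged port, while the browser flow is accepted under both rule sets, and the pinned-source-port rule is the one NAT silently breaks.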