From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: Firewall rules with predefined service groups for both source and destination? Date: Sun, 26 Jan 2020 20:43:39 +0000 Message-ID: In-Reply-To: <6d8b7439-f584-eb4a-9b87-078d0b1af0c1@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2641457624513764361==" List-Id: --===============2641457624513764361== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, > On 25 Jan 2020, at 16:41, Peter M=C3=BCller wr= ote: >=20 > Hello Michael, >=20 >> Hi, >>=20 >>> On 21 Jan 2020, at 18:22, Peter M=C3=BCller = wrote: >>>=20 >>> Hello *, >>>=20 >>> since I am not sure whether I am dealing with a bug, a missing feature >>> or my very own personal incompetence, asking the mailing list seemed >>> reasonable for this. :-) >>=20 >> Yes, because we are only experts here :) >>=20 >>> For security purposes, dropping packets from source ports < 1024 is a good >>> idea as the latter indicates successful compromise of services running on >>> privileged ports. New connections are usually established from ports > 10= 23, >>> so there is little legitimate scope for this if in doubt. >>=20 >> Hmm, okay. I get your point. However I am not sure if this will improve se= curity too much. >=20 > Probably not as an attacker could always open a new connection using some p= ort >> 1023 if he/she/it already controls a machine. However, it raises the bar - > and some Emerging Threat signatures cover the same anomaly ("GPL MISC sourc= e port 53 to <1024" > and "GPL MISC Source Port 20 to <1024"). >=20 > But yes, this certainly is not a silver bullet. >=20 >>=20 >>> When creating a firewall rule via the WebIF, it does not seem to be possi= ble >>> to limit source _and_ destination ports if a predefined service (group) is >>> used - the latter one always refers to the destination port(s). >>=20 >> Yes, because technically that is how those services work. >>=20 >> A browser will always connect from a random port to port 80. There is lite= rally no use-case to limit this to a pre-defined port. You never even know if= you are having any NAT routers on the ways that will change your source port. >>=20 >>> As soon as a single protocol such as TCP or UDP is selected, however, a f= ield >>> "source port" is available. >>>=20 >>> Is this behaviour intentional? If yes, how do I limit firewall rules to >>> certain source ports then? Aren't the descriptions "service" and "service= group" >>> misleading? >>=20 >> Those are only for destinations. >=20 > Glad to have this clarified. >=20 >>=20 >> What we could do is limiting source ports to > 1024 by default, but I am n= ot sure if that will make a noticeable difference for anyone. >=20 > Good idea. I guess some services may need source ports < 1024 (e.g. IPsec),= but adding > some switch saying "accept connections from high ports only" might be suita= ble for this. IKEv1 does this, but you are not guaranteed that you will reach the other end= without passing through a NAT gateway which randomises the source port. I think it might be worth a try, but we will make the firewall less efficient= by making it check the source as well. > Thanks, and best regards, > Peter M=C3=BCller --===============2641457624513764361==--