From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Firewall rules with predefined service groups for both source and
 destination?
Date: Sun, 26 Jan 2020 20:43:39 +0000
Message-ID: <C7287DB8-4F7E-45E2-AED6-A2E79D6799E8@ipfire.org>
In-Reply-To: <6d8b7439-f584-eb4a-9b87-078d0b1af0c1@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2641457624513764361=="
List-Id: <development.lists.ipfire.org>

--===============2641457624513764361==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

> On 25 Jan 2020, at 16:41, Peter M=C3=BCller <peter.mueller(a)ipfire.org> wr=
ote:
>=20
> Hello Michael,
>=20
>> Hi,
>>=20
>>> On 21 Jan 2020, at 18:22, Peter M=C3=BCller <peter.mueller(a)ipfire.org> =
wrote:
>>>=20
>>> Hello *,
>>>=20
>>> since I am not sure whether I am dealing with a bug, a missing feature
>>> or my very own personal incompetence, asking the mailing list seemed
>>> reasonable for this. :-)
>>=20
>> Yes, because we are only experts here :)
>>=20
>>> For security purposes, dropping packets from source ports < 1024 is a good
>>> idea as the latter indicates successful compromise of services running on
>>> privileged ports. New connections are usually established from ports > 10=
23,
>>> so there is little legitimate scope for this if in doubt.
>>=20
>> Hmm, okay. I get your point. However I am not sure if this will improve se=
curity too much.
>=20
> Probably not as an attacker could always open a new connection using some p=
ort
>> 1023 if he/she/it already controls a machine. However, it raises the bar -
> and some Emerging Threat signatures cover the same anomaly ("GPL MISC sourc=
e port 53 to <1024"
> and "GPL MISC Source Port 20 to <1024").
>=20
> But yes, this certainly is not a silver bullet.
>=20
>>=20
>>> When creating a firewall rule via the WebIF, it does not seem to be possi=
ble
>>> to limit source _and_ destination ports if a predefined service (group) is
>>> used - the latter one always refers to the destination port(s).
>>=20
>> Yes, because technically that is how those services work.
>>=20
>> A browser will always connect from a random port to port 80. There is lite=
rally no use-case to limit this to a pre-defined port. You never even know if=
 you are having any NAT routers on the ways that will change your source port.
>>=20
>>> As soon as a single protocol such as TCP or UDP is selected, however, a f=
ield
>>> "source port" is available.
>>>=20
>>> Is this behaviour intentional? If yes, how do I limit firewall rules to
>>> certain source ports then? Aren't the descriptions "service" and "service=
 group"
>>> misleading?
>>=20
>> Those are only for destinations.
>=20
> Glad to have this clarified.
>=20
>>=20
>> What we could do is limiting source ports to > 1024 by default, but I am n=
ot sure if that will make a noticeable difference for anyone.
>=20
> Good idea. I guess some services may need source ports < 1024 (e.g. IPsec),=
 but adding
> some switch saying "accept connections from high ports only" might be suita=
ble for this.

IKEv1 does this, but you are not guaranteed that you will reach the other end=
 without passing through a NAT gateway which randomises the source port.

I think it might be worth a try, but we will make the firewall less efficient=
 by making it check the source as well.

> Thanks, and best regards,
> Peter M=C3=BCller


--===============2641457624513764361==--