Hi,
On 21 Jan 2020, at 18:22, Peter Müller peter.mueller@ipfire.org wrote:
> Hello *,
> since I am not sure whether I am dealing with a bug, a missing feature or my very own personal incompetence, asking the mailing list seemed reasonable for this. :-)
Yes, because we are only experts here :)
> For security purposes, dropping packets from source ports < 1024 is a good idea as the latter indicates successful compromise of services running on privileged ports. New connections are usually established from ports > 1023, so there is little legitimate scope for this if in doubt.
Hmm, okay. I get your point. However, I am not sure if this will improve security too much.
> When creating a firewall rule via the WebIF, it does not seem to be possible to limit source _and_ destination ports if a predefined service (group) is used - the latter one always refers to the destination port(s).
Yes, because technically that is how those services work.
A browser will always connect from a random port to port 80. There is literally no use-case to limit this to a pre-defined port. You never even know if you are having any NAT routers on the way that will change your source port.
> As soon as a single protocol such as TCP or UDP is selected, however, a field "source port" is available.
> Is this behaviour intentional? If yes, how do I limit firewall rules to certain source ports then? Aren't the descriptions "service" and "service group" misleading?
Those are only for destinations.
What we could do is to limit source ports to > 1024 by default, but I am not sure if that will make a noticeable difference for anyone.
-Michael
> Thanks, and best regards, Peter Müller
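The rule discussed in this thread ("drop new connections whose source port is below 1024", with predefined services matching destination ports only), as an added example that is not part of the original thread or of IPFire: a small Python model applied to constructed flows, showing what the rule catches and which legitimate traffic it would also drop. The service table, flow labels and sample flows are invented.

```python
# Added example (not from the IPFire list thread or code base): model of the
# proposed "drop source ports < 1024" rule applied to constructed flows.
# Service table and sample flows are invented for illustration.
from dataclasses import dataclass

PRIVILEGED_MAX = 1023  # ports 0-1023 are the privileged range


@dataclass(frozen=True)
class Flow:
    label: str  # description of the constructed flow
    proto: str  # "tcp" or "udp"
    sport: int  # source port as seen by the firewall
    dport: int  # destination port


# Predefined services match the destination port only, as the thread explains.
SERVICES = {"http": ("tcp", 80), "dns": ("udp", 53), "ntp": ("udp", 123)}


def matches_service(flow, name):
    """True if the flow hits the named service (destination port match only)."""
    proto, dport = SERVICES[name]
    return flow.proto == proto and flow.dport == dport


def dropped_by_low_sport_rule(flow):
    """True if the proposed 'source port < 1024' rule would drop the flow."""
    return flow.sport <= PRIVILEGED_MAX


def evaluate(flows):
    """Split flows into (allowed, dropped) label lists under the proposed rule."""
    allowed = [f.label for f in flows if not dropped_by_low_sport_rule(f)]
    dropped = [f.label for f in flows if dropped_by_low_sport_rule(f)]
    return allowed, dropped


# Constructed sample traffic. The last two are legitimate uses of a low
# source port that the rule would break: ntpd peers talk 123 -> 123, and
# older resolvers were often configured to query from port 53.
SAMPLE_FLOWS = [
    Flow("browser to web server", "tcp", 51234, 80),
    Flow("connection from a privileged port", "tcp", 22, 80),
    Flow("ntpd peer, symmetric mode", "udp", 123, 123),
    Flow("legacy resolver querying from port 53", "udp", 53, 53),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_FLOWS))
```

Note that the "http" service matches the browser flow and the privileged-port flow identically, which is why a service definition alone cannot express the source-port restriction.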