Firewalling port 0



  • Adding a rule with custom port 0 or a range that starts with port 0 silently changes the port to any (removes the port from the rule so that it applies to any port).  If you are not paying attention, you have now created a rule that, for example, blocks all traffic instead of just port 0 (or the range 0 - 1024).

    I believe there should be at least a warning that port 0 is an invalid port or doesn't apply to FreeBSD, etc.  Or maybe change it to port 1, or maybe fail to create the rule with an error.


  • LAYER 8 Netgate

    Probably should fail form validation. But this is in the default rule set:

    We use the mighty pf, we cannot be fooled.

    block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0"
    block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0"
    block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0"
    block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0"
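
    The silent conversion reported in the first post, and the "should fail form validation" fix suggested here, as an added example. This is illustrative Python written for this thread, not pfSense's PHP code; the function names and the loose normalizer are a hypothetical reconstruction of the pattern the thread describes (a falsy port number treated as "no port given"), placed next to a strict validator that rejects port 0, with a small renderer so the effect on the resulting pf rule text is visible.

```python
"""Added illustration (not pfSense code): how a port field normalized with a
truthiness check turns port 0 / 0-N into "any port", and a strict validator
that rejects it instead. All function names here are hypothetical."""

import re
from typing import Optional, Tuple

PortRange = Tuple[int, int]
_PORT_RE = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+)\s*)?$")


def loose_normalize(field: str) -> Optional[PortRange]:
    """Hypothetical reconstruction of the buggy pattern described in the thread.

    Returns None to mean "any port". Because 0 is falsy, "0" and "0-1024"
    collapse to None and the rule silently loses its port restriction."""
    field = field.strip()
    if field in ("", "any"):
        return None
    m = _PORT_RE.match(field)
    if not m:
        raise ValueError(f"unparseable port field: {field!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not lo:            # the quirk: 0 is treated like "no port given"
        return None
    return (lo, hi)


def strict_validate(field: str) -> Optional[PortRange]:
    """Hardened form: only "" / "any" mean any port; every explicit port
    must be 1..65535 and ranges must be ascending. Port 0 is an error."""
    field = field.strip()
    if field in ("", "any"):
        return None
    m = _PORT_RE.match(field)
    if not m:
        raise ValueError(f"unparseable port field: {field!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    for p in (lo, hi):
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} is out of range 1-65535 (0 is not a valid port)")
    if lo > hi:
        raise ValueError(f"range {lo}-{hi} is reversed")
    return (lo, hi)


def rejects(field: str) -> bool:
    """True if strict_validate refuses the field (helper for checks)."""
    try:
        strict_validate(field)
    except ValueError:
        return True
    return False


def render_pf_block(proto: str, dst: Optional[PortRange]) -> str:
    """Render the destination-port part of a pf block rule so the effect of
    losing the port clause is visible in the rule text."""
    if dst is None:
        port = ""                       # no port clause: matches every port
    elif dst[0] == dst[1]:
        port = f" port = {dst[0]}"
    else:
        port = f" port {dst[0]}:{dst[1]}"
    return f"block quick inet proto {proto} from any to any{port}"


if __name__ == "__main__":
    for field in ("0", "0-1024", "443"):
        print(f"{field!r:10} loose  -> {render_pf_block('udp', loose_normalize(field))}")
        try:
            print(f"{field!r:10} strict -> {render_pf_block('udp', strict_validate(field))}")
        except ValueError as e:
            print(f"{field!r:10} strict -> rejected: {e}")
```

    With the loose normalizer, "0" and "0-1024" both render as `block quick inet proto udp from any to any`, i.e. every UDP port, which is exactly the surprise the first post describes. The strict validator turns the same input into a form error instead.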


  • Rebel Alliance

    OpenVPN runs ok on port 0. So why would port 0 be invalid?



  • OpenVPN does not run on port 0; when you tell it port 0, it uses a random ephemeral port. It's not valid to use port 0 for anything, it isn't a legit port.

    It's probably a quirk of PHP's 0 handling that makes it set that as "any". It's always worked that way. Probably ought to be rejected by input validation.
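
    What "port 0" means to the socket API, as an added demonstration with plain sockets (this is not OpenVPN code and not from pfSense). Binding to port 0 is a request for the kernel to pick an ephemeral port, and an unbound UDP socket gets the same treatment on its first send. The loopback destination 127.0.0.1:9 used below is a constructed target; nothing needs to be listening there.

```python
"""Added demonstration (plain sockets, not OpenVPN code): asking the OS for
port 0 does not get you port 0, it gets you an ephemeral port chosen by the
kernel. Same for a UDP socket that sends without binding first."""

import socket


def bind_port_zero(udp: bool = True) -> int:
    """Bind to 127.0.0.1:0 and return the port the kernel actually assigned."""
    kind = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))      # "port 0" = "pick one for me"
        return s.getsockname()[1]     # never 0 after a successful bind


def source_port_of_unbound_udp_send() -> int:
    """An unbound UDP socket is auto-bound to an ephemeral port on first send.
    127.0.0.1:9 is a constructed destination; sendto() on loopback succeeds
    whether or not anything listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b"probe", ("127.0.0.1", 9))
        return s.getsockname()[1]


def port_zero_is_ephemeral_request() -> bool:
    """The check behind the thread's argument: every way of 'using port 0'
    through the normal socket API yields a real port in 1..65535."""
    ports = (bind_port_zero(True), bind_port_zero(False), source_port_of_unbound_udp_send())
    return all(1 <= p <= 65535 for p in ports)


if __name__ == "__main__":
    print("UDP bind(0)         ->", bind_port_zero(True))
    print("TCP bind(0)         ->", bind_port_zero(False))
    print("unbound UDP sendto  ->", source_port_of_unbound_udp_send())
```

    Because the socket API substitutes a real port, a normal application cannot put source port 0 on the wire this way; a datagram that actually carries port 0 was crafted (raw sockets, a packet generator) or came from a broken stack, which is the kind of traffic the four default pf rules quoted above are there to drop.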



  • For example, Ares Galaxy uses port 0 and the UDP protocol. Many firewalls have problems blocking this.
    Maybe it's not valid to use port 0 for anything, as cmb states, but there is software that uses it…



  • For example, Ares Galaxy uses port 0 and the UDP protocol. Many firewalls have problems blocking this.

    Have you actually run a trace to confirm this?

    http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0



  • @KOM:

    Have you actually run a trace to confirm this?

    http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0

    True, but Ares Galaxy is software for Windows, i.e. I heard about the Linux port, but the confusion about port 0 was with Windows p2p users.



  • @0rion:

    For example, Ares Galaxy uses port 0 and the UDP protocol. Many firewalls have problems blocking this.
    Maybe it's not valid to use port 0 for anything, as cmb states, but there is software that uses it…

    That's a bug in Ares Galaxy. It sounds like a bug in a Windows port of *nix code. Port 0 on *nix becomes a random ephemeral port, maybe in that context in Windows it wrongly uses port 0 instead. Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.



  • @cmb:

    […]Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.

    The problem is not that way :) When I had problems with users using Ares Galaxy (almost ten years ago), the solutions I used couldn't block that p2p software. This software very quickly exhausts the available bandwidth.

