Netgate Discussion Forum

Firewalling port 0

2.3-RC Snapshot Feedback and Issues - ARCHIVED
9 Posts 6 Posters 3.5k Views

iamzam (last edited by Mar 20, 2016, 5:56 PM)

    Adding a rule with custom port 0, or a range that starts with port 0, silently changes the port to any (it removes the port from the rule so that it applies to any port). If you are not paying attention, you have now created a rule that, for example, blocks all traffic instead of just port 0 (or the range 0 - 1024).

    I believe there should be at least a warning that port 0 is an invalid port or doesn't apply to FreeBSD, etc. Or maybe change it to port 1, or maybe fail to create the rule with an error.

    Derelict LAYER 8 Netgate (last edited by Mar 20, 2016, 11:42 PM)

      Probably should fail form validation. But this is in the default rule set:

      We use the mighty pf, we cannot be fooled.

      block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0"
      block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0"
      block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0"
      block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0"

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      Perforado Rebel Alliance (last edited by Mar 21, 2016, 2:38 PM)

        OpenVPN runs ok on port 0. So why would port 0 be invalid?

        cmb (last edited by Mar 21, 2016, 8:23 PM)

          OpenVPN does not run on port 0; when you tell it port 0, it uses a random ephemeral port. It's not valid to use port 0 for anything, it isn't a legit port.

          It's probably a quirk of PHP's 0 handling that makes it set that as "any". It's always worked that way. Probably ought to be rejected by input validation.

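An added example (not pfSense's code) of the PHP zero-handling quirk cmb describes, beside a strict validator that rejects port 0 and zero-based ranges instead of silently widening the rule; the function names and the generated pf clause strings are assumptions:

```php
<?php
// Added example, not pfSense code: the PHP falsy-zero quirk and a strict validator.
// Function names and the generated pf clause strings are assumptions.
// Buggy pattern: empty("0") is true in PHP, exactly like empty(""), so a rule built
// this way silently drops the port clause for port 0 (or a range starting at 0)
// and the resulting rule matches ANY port.
function port_clause_buggy(string $spec): string {
    [$start, $end] = array_pad(explode('-', $spec, 2), 2, null);
    if (empty($start)) {        // "0" is treated the same as "" here
        return '';              // no port clause => any port
    }
    return $end === null ? "port = $start" : "port $start:$end";
}

// Strict validation: accept "N" or "N-M" with 1 <= N <= M <= 65535, nothing else.
// Returns an error message, or null when the spec is acceptable.
function validate_port_spec(string $spec): ?string {
    $ports = [];
    foreach (explode('-', trim($spec), 2) as $p) {
        // filter_var returns false (not 0) on failure, so compare with ===
        $n = filter_var(trim($p), FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 65535]]);
        if ($n === false) {
            return "invalid port '$p': must be an integer 1-65535 (0 is not a legal port)";
        }
        $ports[] = $n;
    }
    if (count($ports) === 2 && $ports[0] > $ports[1]) {
        return "invalid range '$spec': start is greater than end";
    }
    return null;
}

// Safe pattern: reject the rule instead of widening it.
function port_clause_safe(string $spec): string {
    if (($err = validate_port_spec($spec)) !== null) {
        throw new InvalidArgumentException($err);
    }
    $ports = array_map('intval', explode('-', trim($spec), 2));
    return count($ports) === 2 ? "port {$ports[0]}:{$ports[1]}" : "port = {$ports[0]}";
}
foreach (['0', '0-1024', '22', '1-1024', '80-22', 'abc'] as $spec) {
    printf("%-7s buggy => [%s]  ", $spec, port_clause_buggy($spec));
    try {
        printf("safe => [%s]\n", port_clause_safe($spec));
    } catch (InvalidArgumentException $e) {
        printf("safe => REJECTED: %s\n", $e->getMessage());
    }
}
```

With the buggy builder, "0" and "0-1024" both produce an empty clause, which is exactly the "blocks all traffic" rule the opening post describes; the strict builder refuses them.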
          0rion (last edited by Mar 24, 2016, 7:55 PM)

            For example, Ares Galaxy uses port 0 with the UDP protocol. Many firewalls have problems with blocking this.
            Maybe it's not valid to use port 0 for anything, as cmb states, but there is software that uses it…

            KOM (last edited by Mar 24, 2016, 8:36 PM)

              @0rion:

              For example, Ares Galaxy uses port 0 with the UDP protocol. Many firewalls have problems with blocking this.

              Have you actually run a trace to confirm this?

              http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0

              0rion (last edited by Mar 24, 2016, 9:18 PM)

                @KOM:

                Have you actually run a trace to confirm this?

                http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0

                True, but Ares Galaxy is software for Windows; i.e., I heard about the Linux port, but the confusion about port 0 was with Windows p2p users.

                cmb (last edited by Mar 24, 2016, 9:39 PM)

                  @0rion:

                  For example, Ares Galaxy uses port 0 with the UDP protocol. Many firewalls have problems with blocking this.
                  Maybe it's not valid to use port 0 for anything, as cmb states, but there is software that uses it…

                  That's a bug in Ares Galaxy. It sounds like a bug in a Windows port of *nix code. Port 0 on *nix becomes a random ephemeral port, maybe in that context in Windows it wrongly uses port 0 instead. Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.

                  0rion (last edited by Mar 26, 2016, 7:41 AM)

                    @cmb:

                    […] Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.

                    The problem is not that way :) When I had problems with users using Ares Galaxy (almost ten years ago), the solutions I used couldn't block that p2p software. This software very quickly exhausts the available bandwidth.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.