Netgate Discussion Forum
    Firewalling port 0

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    9 Posts 6 Posters 3.5k Views
    • iamzam

      Adding a rule with custom port 0, or a range that starts with port 0, silently changes the port to any (removes the port from the rule so that it applies to any port). If you are not paying attention, you have now created a rule that, for example, blocks all traffic instead of just port 0 (or range 0 - 1024).

      I believe there should be at least a warning that port 0 is an invalid port or doesn't apply to FreeBSD, etc. Or maybe change it to port 1, or maybe fail to create the rule with an error.

      • Derelict LAYER 8 Netgate

        Probably should fail form validation. But this is in the default rule set:

        We use the mighty pf, we cannot be fooled.

        block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0"
        block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0"
        block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0"
        block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0"

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Perforado Rebel Alliance

          OpenVPN runs ok on port 0. So why would port 0 be invalid?

          • cmb

            OpenVPN does not run on port 0; when you tell it port 0 it uses a random ephemeral port. It's not valid to use port 0 for anything; it isn't a legit port.

            It's probably a quirk of PHP's 0 handling that makes it set that as "any". It's always worked that way. It probably ought to be rejected by input validation.

            • 0rion
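            As an added illustration (not pfSense's own code; the function names are hypothetical), this Python models the falsy-zero collapse cmb describes, where a port field of "0" or "0-1024" silently becomes "any", next to the input validation the thread asks for, which rejects port 0 instead of widening the rule:

```python
# Added example, not pfSense code. Inputs are strings as a web form would
# submit them; PORT_MIN/PORT_MAX and the function names are assumptions.

PORT_MIN, PORT_MAX = 1, 65535


def lenient_port_spec(field):
    """Models the quirk from the thread: a falsy port value collapses to 'any'.

    Returns (low, high) for a real port restriction, or None for "any port".
    Because int("0") is falsy, "0" and "0-1024" both lose their restriction,
    so "block ... port 0" silently becomes "block ... any port".
    """
    field = field.strip()
    if "-" in field:
        lo, hi = (int(p) for p in field.split("-", 1))
        if not lo:              # range starting at 0 drops to 'any'
            return None
        return (lo, hi)
    port = int(field) if field else 0
    return None if not port else (port, port)


def strict_port_spec(field):
    """Validating parser: returns (low, high), None for an empty field,
    or raises ValueError. Port 0 and ranges starting at 0 are rejected
    rather than widened; only an empty field means "any port".
    """
    field = field.strip()
    if field == "":
        return None
    try:
        nums = [int(p) for p in field.split("-", 1)]
    except ValueError:
        raise ValueError(f"port must be numeric: {field!r}")
    lo, hi = nums[0], nums[-1]
    for n in (lo, hi):
        if not PORT_MIN <= n <= PORT_MAX:
            raise ValueError(f"port {n} out of range {PORT_MIN}-{PORT_MAX}")
    if lo > hi:
        raise ValueError(f"range low {lo} greater than high {hi}")
    return (lo, hi)


def is_rejected(field):
    """True if the strict parser refuses the field (used for comparison)."""
    try:
        strict_port_spec(field)
    except ValueError:
        return True
    return False
```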

              For example, Ares Galaxy uses port 0 and the UDP protocol. Many firewalls have problems blocking this.
              Maybe it's not valid to use port 0 for anything, as cmb states, but there is software that uses it…

              • KOM

                @0rion:

                For example, Ares Galaxy uses port 0 and the UDP protocol. Many firewalls have problems blocking this.

                Have you actually run a trace to confirm this?

                http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0

                • 0rion

                  @KOM:

                  Have you actually run a trace to confirm this?

                  http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0

                  True, but Ares Galaxy is software for Windows; i.e. I have heard about a Linux port, but the confusion about port 0 was with Windows p2p users.

                  • cmb

                    @0rion:

                    For example, Ares Galaxy uses port 0 and the UDP protocol. Many firewalls have problems blocking this.
                    Maybe it's not valid to use port 0 for anything, as cmb states, but there is software that uses it…

                    That's a bug in Ares Galaxy. It sounds like a bug in a Windows port of *nix code. Port 0 on *nix becomes a random ephemeral port; maybe in that context on Windows it wrongly uses port 0 instead. Yes, "many firewalls" will block it, but it's not a problem with the firewalls; it's that the application is broken.

                    • 0rion

                      @cmb:

                      […] Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.

                      The problem is not that way :) When I had problems with users using Ares Galaxy (almost ten years ago), the solutions I used couldn't block that p2p software. This software very quickly exhausts the available bandwidth.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.