Firewalling port 0

iamzam · Mar 20, 2016, 5:56 PM

Adding a rule with custom port 0 or a range that starts with port 0 silently changes the port to any (removes the port from the rule so that it applies to any port). If you are not paying attention you now have created a rule that for example blocks all traffic instead of just port 0 (or range 0 - 1024).

I believe there should be at least a warning that port 0 is an invalid port or doesn't apply to freebsd, etc. Or maybe change it to port 1, or maybe fail to create the rule with an error.

Derelict · Mar 20, 2016, 11:42 PM

Probably should fail form validation. But this is in the default rule set:

We use the mighty pf, we cannot be fooled.

block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0"
block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0"
block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0"
block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0"

Perforado · Mar 21, 2016, 2:38 PM

OpenVPN runs ok on port 0. So why would port 0 be invalid?

cmb · Mar 21, 2016, 8:23 PM

OpenVPN does not run on port 0, when you tell it port 0 it uses a random ephemeral port. It's not valid to use port 0 for anything, it isn't a legit port.

It's probably a quirk of PHP's 0 handling that makes it set that as "any". It's always worked that way. Probably ought to be rejected by input validation.

0rion · Mar 24, 2016, 7:55 PM

For example Ares Galaxy is using port 0 and UDP protocol. Many firewalls have problems with blocking this.
Maybe it's not valid to use port 0 for anything as cmb states, but there is software that uses it…

KOM · Mar 24, 2016, 8:36 PM

For example Ares Galaxy is using port 0 and UDP protocol. Many firewalls have problems with blocking this.

Have you actually run a trace to confirm this?

http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0

0rion · Mar 24, 2016, 9:18 PM

@KOM:

Have you actually run a trace to confirm this?

http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0

True, but Ares Galaxy is software for Windows, i.e. I heard about linux port but confusion about port 0 was with Windows p2p users.

cmb · Mar 24, 2016, 9:39 PM

@0rion:

For example Ares Galaxy is using port 0 and UDP protocol. Many firewalls have problems with blocking this.
Maybe it's not valid to use port 0 for anything as cmb states, but there is software that uses it…

That's a bug in Ares Galaxy. It sounds like a bug in a Windows port of *nix code. Port 0 on *nix becomes a random ephemeral port, maybe in that context in Windows it wrongly uses port 0 instead. Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.

0rion · Mar 26, 2016, 7:41 AM

@cmb:

[…]Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.

The problem is not that way :) When I had problems with users using Ares Galaxy (almost ten years ago) solutions I have used can't block that p2p software. This software very quickly exhaust available bandwidth.