Firewalling port 0
-
Adding a rule with custom port 0 or a range that starts with port 0 silently changes the port to any (removes the port from the rule so that it applies to any port). If you are not paying attention, you have now created a rule that, for example, blocks all traffic instead of just port 0 (or range 0 - 1024).
I believe there should be at least a warning that port 0 is an invalid port or doesn't apply to freebsd, etc. Or maybe change it to port 1, or maybe fail to create the rule with an error.
-
Probably should fail form validation. But this is in the default rule set:
We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0"
block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0"
block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0"
block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0"
-
OpenVPN runs ok on port 0. So why would port 0 be invalid?
-
OpenVPN does not run on port 0; when you tell it port 0 it uses a random ephemeral port. It's not valid to use port 0 for anything, it isn't a legit port.
It's probably a quirk of PHP's 0 handling that makes it set that as "any". It's always worked that way. Probably ought to be rejected by input validation.
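The two failure modes discussed above (a port of 0 silently widening a rule to "any", and port 0 meaning "pick one for me" to the OS rather than a real listener) side by side, as an added Python illustration that is not pfSense's code. The naive parser mirrors the falsy-zero pitfall in a generic way (Python's `if not start` treats 0 like PHP's empty check); the strict parser is the kind of input validation cmb suggests; the last function binds to port 0 on loopback to show the kernel assigning an ephemeral port. Function names and the sample port strings are constructed for this example.

```python
import socket
from typing import Tuple

PORT_MIN, PORT_MAX = 1, 65535


def naive_port_spec(raw: str) -> str:
    """Reproduce the behaviour the thread describes: a port (or the start of a
    range) that evaluates as "empty" silently turns the rule into "any port".
    Constructed illustration of the falsy-zero pitfall, not pfSense's code."""
    lo, _, hi = raw.partition("-")
    start = int(lo.strip() or 0)
    end = int(hi.strip() or start)
    if not start:  # 0 is falsy, so "0" and "0-1024" both fall through to "any"
        return "any"
    return f"{start}-{end}" if end != start else str(start)


class InvalidPortSpec(ValueError):
    """Raised by the hardened parser for anything that is not a real port."""


def strict_port_spec(raw: str) -> Tuple[int, int]:
    """Hardened parser: every port must be an integer in 1..65535 and a range
    must be ordered. Port 0 (alone or as a range start) is rejected with an
    error instead of being widened to "any"."""
    lo, sep, hi = raw.partition("-")
    try:
        start = int(lo.strip())
        end = int(hi.strip()) if sep else start
    except ValueError:
        raise InvalidPortSpec(f"{raw!r}: port must be numeric") from None
    for p in (start, end):
        if not PORT_MIN <= p <= PORT_MAX:
            raise InvalidPortSpec(
                f"{raw!r}: port {p} outside {PORT_MIN}-{PORT_MAX} "
                "(port 0 is not a real port; it means 'unspecified' to the OS)")
    if end < start:
        raise InvalidPortSpec(f"{raw!r}: range end is before its start")
    return start, end


def ephemeral_port_for_zero() -> int:
    """What the kernel does with port 0: bind() treats it as 'choose for me'
    and hands back an ephemeral port, so nothing ever listens on port 0 itself."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for spec in ("0", "0-1024", "22", "1024-65535"):
        print(f"naive  {spec!r:>14} -> {naive_port_spec(spec)}")
    for spec in ("0", "0-1024", "22", "70000", "500-400", "abc"):
        try:
            print(f"strict {spec!r:>14} -> {strict_port_spec(spec)}")
        except InvalidPortSpec as e:
            print(f"strict {spec!r:>14} -> rejected: {e}")
    print("bind(port 0) was given ephemeral port", ephemeral_port_for_zero())
```

Running the script shows `0` and `0-1024` collapsing to `any` in the naive path while the strict parser rejects them with a message the user can act on, and the loopback bind prints a non-zero port each time, which is why a rule matching `port = 0` never has a real service behind it.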
-
For example Ares Galaxy is using port 0 and UDP protocol. Many firewalls have problems with blocking this.
Maybe it's not valid to use port 0 for anything as cmb states, but there is software that uses it…
-
For example Ares Galaxy is using port 0 and UDP protocol. Many firewalls have problems with blocking this.
Have you actually run a trace to confirm this?
http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0
-
@KOM:
Have you actually run a trace to confirm this?
http://unix.stackexchange.com/questions/180492/is-it-possible-to-connect-to-tcp-port-0
True, but Ares Galaxy is software for Windows, i.e. I heard about a Linux port, but the confusion about port 0 was with Windows p2p users.
-
For example Ares Galaxy is using port 0 and UDP protocol. Many firewalls have problems with blocking this.
Maybe it's not valid to use port 0 for anything as cmb states, but there is software that uses it…
That's a bug in Ares Galaxy. It sounds like a bug in a Windows port of *nix code. Port 0 on *nix becomes a random ephemeral port, maybe in that context in Windows it wrongly uses port 0 instead. Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.
-
@cmb:
[…] Yes, "many firewalls" will block it, but it's not a problem with the firewalls, it's that the application is broken.
The problem is not that way :) When I had problems with users using Ares Galaxy (almost ten years ago), the solutions I used couldn't block that p2p software. This software very quickly exhausts the available bandwidth.