Re: Blocking packets from suspicious ports

[Willy Tarreau <w@1wt.eu>]

On Wed, May 04, 2022 at 09:48:52AM +0200, Carsten Bormann wrote:
> On 4. May 2022, at 08:53, Willy Tarreau <w@1wt.eu> wrote:
> > 
> > [...] This has
> > contributed to making active FTP unpopular, and nowadays it has become
> > safe to block SYN from sources < 1024 at the edge. UDP doesn't have such
> > a thing as a SYN flag and it's critical that traffic cannot be made
> > symmetrical, or there's no more infrastructure filtering and only
> > application level filtering.
> 
> Instead of collecting wafting lists of undesirable ports, would it make sense
> to more architecturally partition port numbers between those used by servers
> and those used by clients?

That's the point, and that has been done for more than 40 years now
by having unprivileged users only select ports >= 1024, resulting in
the range 1024:65535 being commonly used as the only valid source
range for incoming connections.

> Outside of specific applications (that could do with specific port number
> lists), we used to use ephemeral ports for clients, but not for servers.

Ephemeral ports also exist for passive FTP servers: the server binds to a
random port and advertises that port to the client which then connects to
it. But that's a marginal use case, as in general you want a server to run
on a well-known, or at least easily discoverable port.

> If servers predominantly reflect on their server ports, and server ports
> don't reach victim server ports, that would be a win.

Yes, that's the point, and on TCP you will rarely find a firewall that
lets you establish a connection to a port 80/443 from a similar port,
precisely due to the principle above that regular clients are not
supposed to use more than 1024:65535.

Regards,
Willy