12277 – Using predefined service (groups) as firewall rule source port is impossible

Bug 12277 - Using predefined service (groups) as firewall rule source port is impossible

Summary: Using predefined service (groups) as firewall rule source port is impossible

Status:	NEW

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	all All

Importance:	Will affect an average number of users Major Usability
Assignee:	Stefan Schantl
QA Contact:	Peter Müller

URL:
Keywords:

Depends on:
Blocks:	FWBUGS
	Show dependency tree / graph

Reported:	2020-01-22 21:19 UTC by Peter Müller
Modified:	2021-07-16 18:29 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Peter Müller 2020-01-22 21:19:18 UTC

As described in https://lists.ipfire.org/pipermail/development/2020-January/006883.html , it is not possible to create a firewall rule in the WUI with both source and destination port limited to a predefined service or service group.

Since limiting source ports to values > 1023 is a common (and primitive) technique to detect/block traffic from compromised services running on privileged ports, this is a major usability.

Suprisingly, nobody seemed to notice it until today.