Bug 12277 - Using predefined service (groups) as firewall rule source port is impossible
Status: NEW
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: all All
Importance: Will affect an average number of users, Major Usability
Assignee: Stefan Schantl
QA Contact: Peter Müller
Blocks: FWBUGS
Reported: 2020-01-22 21:19 UTC by Peter Müller
Modified: 2021-07-16 18:29 UTC (History)
Description Peter Müller 2020-01-22 21:19:18 UTC
As described in https://lists.ipfire.org/pipermail/development/2020-January/006883.html , it is not possible to create a firewall rule in the WUI with both source and destination port limited to a predefined service or service group.

Since limiting source ports to values > 1023 is a common (and primitive) technique to detect/block traffic from compromised services running on privileged ports, this is a major usability issue.

Surprisingly, nobody seemed to notice it until today.
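
Added example (not part of the bug report or of IPFire's code): the check described above, a rule that limits the destination to a service group and the source port to values > 1023, applied to constructed log lines in the iptables LOG key=value format. The service group, addresses and log lines are assumptions made for illustration.

```python
import re

# Hypothetical service group (protocol/port pairs are assumptions for this example).
WEB_SERVICES = {("TCP", 80), ("TCP", 443)}
UNPRIVILEGED = range(1024, 65536)  # source ports the rule accepts

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

# Constructed sample lines in the iptables LOG target's key=value format.
SAMPLE_LOG = """\
kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44321 DPT=443
kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=25 DPT=443
kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51000 DPT=8080
kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.30 DST=203.0.113.7 LEN=76 PROTO=UDP SPT=123 DPT=123
"""

def parse(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(FIELD.findall(line))

def classify(line, services=WEB_SERVICES, sports=UNPRIVILEGED):
    """Classify one line against a rule limiting both source and destination port.

    'match'          -> destination in the group, source port unprivileged
    'privileged-src' -> destination in the group, but source port <= 1023
    'other'          -> destination outside the group, or line not parseable
    """
    f = parse(line)
    try:
        proto, spt, dpt = f["PROTO"], int(f["SPT"]), int(f["DPT"])
    except (KeyError, ValueError):
        return "other"
    if (proto, dpt) not in services:
        return "other"
    return "match" if spt in sports else "privileged-src"

def suspicious(log=SAMPLE_LOG):
    """Return (SRC, SPT, DPT) for lines that reach the group from a privileged port."""
    hits = []
    for line in log.splitlines():
        if classify(line) == "privileged-src":
            f = parse(line)
            hits.append((f["SRC"], int(f["SPT"]), int(f["DPT"])))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line), "|", line)
```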