
Remote port blocking in firewalls?

Some guys use a firewall on their laptops which not only blocks their own local incoming ports (except those they need for their application) but also blocks messages unless they are issued from a distinct port number. We're talking about a local UDP server which is listening to UDP broadcasts. The problem is that the remote client uses a random port, say 1024, which is blocked unless they tell the firewall to accept it.

What puzzles me is that as far as I know from using sockets in my programs is that usually the client gets its port number from the OS, whereas only when you have a server, you bind your socket to a distinct port, right?

In my literature and in tutorials and code snippets in the web I haven't found any clue that clients should be using fixed port numbers at all.

So how is this in reality? Am I probably missing a point? Are there client applications around using fixed ports? Is it actually useful to block remote ports with a firewall? And if yes, what level of added security does this give to you?

Thanks in advance for the enlightenment...


Although the default APIs allow the network stack to select a local port for client connections, clients may specify a fixed port for various reasons.

  • Some specifications (FTP) specify a fixed port for clients. Most servers don't care if clients get this correct.
  • Some clients use a fixed pool of ports for egress from a LAN to the Internet. This allows firewall rules to more completely lock down outbound traffic.
  • Source ports are sometimes used as a weak type of "security through obscurity".


You always get a random address and/or port when not explicitly having bound to one before sending.

Daemons are usually bound to a fixed port, so that:

  • you can actually contact them without having to try all possible ports or utilize a secondary resolver (remember the SUNRPC portmapping crap?)
  • and because a TCP socket is not allowed to listen() if it has not been bound to a port, IIRC.

Are there client applications around using fixed ports?

Some can be configured so, like BIND9.

useful to block remote ports with a firewall?

No, because your peer may choose any port of his. Block him and you'll lose a customer, so to speak.
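Both answers describe the same mechanism: a UDP client that never calls bind() gets an ephemeral source port from the OS at the moment it first sends, a daemon binds a known port so it can be reached, and a client can opt into a fixed source port by binding before sending. The following script, written for this page and not part of the question or either answer, runs a loopback UDP exchange both ways and reports the source port the "server" actually saw. The server binds port 0 (an assumption made only so the demo never collides with a running service; a real daemon binds a fixed port), the addresses are all 127.0.0.1, and source_port_rule_permits() is a constructed stand-in for a firewall rule that filters inbound datagrams by remote source port.

```python
import socket


def udp_exchange(fixed_client_port=None):
    """Send one datagram over loopback and report the ports involved.

    fixed_client_port=None  -> client stays unbound; the OS assigns an ephemeral
                               source port implicitly on the first sendto().
    fixed_client_port=N     -> client binds N first, so N is its source port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        # The "daemon" side: it must bind so clients have a port to aim at.
        # Port 0 is used here only to avoid collisions in a demo (assumption).
        server.bind(("127.0.0.1", 0))
        server.settimeout(2.0)
        server_port = server.getsockname()[1]

        if fixed_client_port is not None:
            client.bind(("127.0.0.1", fixed_client_port))

        # Before the first send, an unbound UDP socket has no local port yet.
        try:
            port_before_send = client.getsockname()[1]
        except OSError:  # some stacks refuse getsockname() on an unbound socket
            port_before_send = 0

        client.sendto(b"hello", ("127.0.0.1", server_port))
        payload, (_src_host, src_port) = server.recvfrom(1024)

        return {
            "payload": payload,
            "port_before_send": port_before_send,
            "client_port_after_send": client.getsockname()[1],
            "src_port_seen_by_server": src_port,
        }


def source_port_rule_permits(src_port, allowed_source_ports):
    """Constructed model of a firewall rule keyed on the *remote* source port."""
    return src_port in allowed_source_ports


def demo():
    """Run the ephemeral and the fixed-port case and apply the source-port rule."""
    # Reserve a free port while the ephemeral exchange runs, so the OS cannot
    # hand that same port to the unbound client; afterwards reuse it as the
    # "fixed" client port the firewall rule is written for.
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind(("127.0.0.1", 0))
    fixed_port = holder.getsockname()[1]
    try:
        ephemeral = udp_exchange()
    finally:
        holder.close()
    fixed = udp_exchange(fixed_client_port=fixed_port)

    allowed = {fixed_port}  # the only remote source port the rule lets through
    return {
        "fixed_port": fixed_port,
        "ephemeral": ephemeral,
        "fixed": fixed,
        "ephemeral_passes_rule": source_port_rule_permits(
            ephemeral["src_port_seen_by_server"], allowed),
        "fixed_passes_rule": source_port_rule_permits(
            fixed["src_port_seen_by_server"], allowed),
    }


if __name__ == "__main__":
    result = demo()
    print("rule allows remote source port:", result["fixed_port"])
    print("unbound client:", result["ephemeral"],
          "-> passes rule?", result["ephemeral_passes_rule"])
    print("bound client:  ", result["fixed"],
          "-> passes rule?", result["fixed_passes_rule"])
```

Running it shows the unbound client reporting local port 0 before the send and a high-numbered port afterwards, which is exactly the port the server reports as the datagram's source; a rule that only accepts one remote source port drops it. The client that binds first passes the rule, which is the "fixed pool of egress ports" case from the first answer. It also shows why the second answer says such a rule is not generally useful: unless you control every peer's source port, the rule only admits peers that were configured to match it.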
