On Wed, May 04, 2022 at 09:48:52AM +0200, Carsten Bormann wrote:
> On 4. May 2022, at 08:53, Willy Tarreau <[email protected]> wrote:
> >
> > [...] This has
> > contributed to making active FTP unpopular, and nowadays it has become
> > safe to block SYN from sources < 1024 at the edge. UDP doesn't have such
> > a thing as a SYN flag and it's critical that traffic cannot be made
> > symmetrical, or there's no more infrastructure filtering and only
> > application level filtering.
>
> Instead of collecting wafting lists of undesirable ports, would it make sense
> to more architecturally partition port numbers between those used by servers
> and those used by clients?
That's the point, and that has been done for more than 40 years now by
having unprivileged users only select ports >= 1024, resulting in the
range 1024:65535 being commonly used as the only valid source range for
incoming connections.

> Outside of specific applications (that could do with specific port number
> lists), we used to use ephemeral ports for clients, but not for servers.

Ephemeral ports also exist for passive FTP servers: the server binds to a
random port and advertises that port to the client, which then connects
to it. But that's a marginal use case, as in general you want a server
to run on a well-known, or at least easily discoverable, port.

> If servers predominantly reflect on their server ports, and server ports
> don't reach victim server ports, that would be a win.

Yes, that's the point, and on TCP you will rarely find a firewall that
lets you establish a connection to port 80/443 from a similar port,
precisely due to the principle above that regular clients are not
supposed to use more than 1024:65535.

Regards,
Willy
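The filtering principle discussed in this exchange, written out as a toy edge filter. This is an added example, not code from the thread or from any of the participants. It assumes the partition both of them refer to (ports 0..1023 belong to servers, clients pick ephemeral ports >= 1024), uses a small constructed set of well-known UDP service ports, and classifies constructed sample packets rather than captured traffic. The `Packet`, `edge_verdict` and `filter_packets` names are mine. The TCP side drops connection attempts (SYN without ACK) whose source port is below 1024; the UDP side, having no SYN to look at, can only act on the symmetric case a client never produces: a well-known service port on both ends, which is exactly what a reflected flow looks like at the victim.

```python
from __future__ import annotations
from dataclasses import dataclass

PRIVILEGED_MAX = 1023          # 0..1023: the server side of the port partition
TCP_SYN = 0x02
TCP_ACK = 0x10

# Constructed, illustrative set of well-known UDP service ports; a real
# deployment would maintain its own list (this is the "specific port number
# lists" caveat from the thread).
WELL_KNOWN_UDP = {53, 123, 161, 1900}


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    sport: int        # source port as seen at the edge
    dport: int        # destination port
    flags: int = 0    # TCP flag bits; unused for UDP


def is_server_port(port: int) -> bool:
    """True for ports on the server side of the partition (0..1023)."""
    return 0 <= port <= PRIVILEGED_MAX


def is_tcp_connection_attempt(pkt: Packet) -> bool:
    """SYN set and ACK clear: the first packet of a new inbound connection."""
    return pkt.proto == "tcp" and bool(pkt.flags & TCP_SYN) and not (pkt.flags & TCP_ACK)


def edge_verdict(pkt: Packet, local_services: set[int]) -> tuple[str, str]:
    """Return (action, reason) for a packet arriving from the Internet.

    local_services: the ports our own servers listen on.
    """
    if pkt.proto == "tcp":
        # TCP carries a SYN flag, so an inbound connection attempt is
        # recognizable as such. A client is expected to use an ephemeral
        # source port, so a SYN from a server port is not a legitimate client.
        if is_tcp_connection_attempt(pkt) and is_server_port(pkt.sport):
            return ("drop", "tcp SYN from source port < 1024")
        return ("accept", "tcp")
    if pkt.proto == "udp":
        # UDP has no SYN: request and reply look alike, so direction cannot
        # be inferred. The only thing the infrastructure can still reject is
        # service-port-to-service-port traffic, which a client never sends
        # but which a reflector does when it answers a spoofed request.
        if pkt.sport in WELL_KNOWN_UDP and pkt.dport in local_services:
            return ("drop", "udp service port to service port")
        return ("accept", "udp")
    return ("drop", "unknown protocol")


def filter_packets(packets: list[Packet], local_services: set[int]) -> list[Packet]:
    """Apply edge_verdict to a batch and return the packets that were dropped."""
    return [p for p in packets if edge_verdict(p, local_services)[0] == "drop"]


# Constructed sample traffic (not captured data) arriving at an edge that
# hosts HTTPS, a DNS resolver and NTP.
LOCAL_SERVICES = {443, 53, 123}
SAMPLE = [
    Packet("tcp", 51234, 443, TCP_SYN),            # ordinary browser client
    Packet("tcp", 20, 443, TCP_SYN),               # SYN from a server port (active-FTP style)
    Packet("tcp", 443, 51234, TCP_SYN | TCP_ACK),  # reply half of our own outbound connection
    Packet("udp", 40000, 53),                      # DNS query from an ephemeral port
    Packet("udp", 123, 123),                       # NTP, service port on both ends
    Packet("udp", 53, 53),                         # reflection pattern aimed at our resolver
]

if __name__ == "__main__":
    for p in SAMPLE:
        action, reason = edge_verdict(p, LOCAL_SERVICES)
        print(f"{p.proto} {p.sport}->{p.dport}: {action} ({reason})")
```

The UDP rule is deliberately the only one it can apply without flags, and it has a known cost: protocols that legitimately run symmetric, such as NTP peering on 123/123, would need an explicit exception, which is why the per-application port lists mentioned in the thread do not disappear entirely under the partition scheme.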
