Score:-1

Transport layer port and firewall


When a communication is initiated, the OS randomly chooses a port number greater than 1023, as long as it does not conflict with other ports in use on the system at that moment. I wonder how the firewall knows about this port? Or should a firewall rule always allow any port from the inside LAN?

Thanks.

Score:0
Bob

When a communication is initiated, the OS randomly chooses a port number greater than 1023.

The OS assigns a random source port, usually called an ephemeral port, outside of the reserved port range. By convention that reserved port range is set to the first 1024 ports, but that is adjustable, at least on Linux, with which I'm most familiar.

Additionally, Linux has a kernel tunable to further control from which port range the ephemeral port is selected: sysctl net.ipv4.ip_local_port_range.

Windows has similar controls to govern ephemeral port ranges, and I imagine other OSes do as well.

I wonder how the firewall knows about this port?

It doesn't.

That's why generally firewall rules do not include source ports. Firewall rules are usually only based on one or more of:

  • Source IP-address/range
  • Destination IP-address/range
  • Destination port number(s)
  • Protocol

Only when the client does not use an ephemeral port for client-server connections, but a fixed one, does it make sense to use the source port in rules. (NTP comes to mind.)
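The two points of the answer above, made concrete in an added example that is not part of the question or of Bob's answer: a loopback TCP connection shows the OS choosing the client's source port (no bind() on the client side), and a small stateful rule evaluator shows that rules keyed on source address, destination address, destination port and protocol, plus connection tracking for the replies, never need to know that port. The addresses 192.0.2.10 and 198.51.100.5 are constructed documentation-range values, the fallback range 32768-60999 is the Linux default and is only used when /proc/sys/net/ipv4/ip_local_port_range cannot be read, and the firewall model is a deliberately simplified stand-in for what a real stateful filter such as Linux conntrack does.

```python
"""Ephemeral source ports and source-port-free stateful firewall rules (added example)."""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed fallback: the Linux default for net.ipv4.ip_local_port_range.
DEFAULT_EPHEMERAL_RANGE = (32768, 60999)


def ephemeral_port_range() -> Tuple[int, int]:
    """Return (low, high) from the kernel tunable if readable, else the assumed default."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            low, high = f.read().split()
            return int(low), int(high)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL_RANGE


def observe_ephemeral_port() -> Tuple[int, int]:
    """Open a loopback TCP connection; return (client_port, server_port) as chosen by the OS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                # port 0: the OS picks the listening port
    srv.listen(1)
    server_port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", server_port))   # no bind(): the OS picks the source port
    conn, _ = srv.accept()
    client_port = cli.getsockname()[1]
    for s in (conn, cli, srv):
        s.close()
    return client_port, server_port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """A rule as described in the answer: there is no source port field at all."""
    proto: str                # "tcp", "udp" or "any"
    src_ip: str               # exact address or "any" (prefix matching omitted for brevity)
    dst_ip: str
    dst_port: Optional[int]   # None = any destination port
    action: str               # "accept" or "drop"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and rule.src_ip in ("any", pkt.src_ip)
            and rule.dst_ip in ("any", pkt.dst_ip)
            and rule.dst_port in (None, pkt.dst_port))


class StatefulFirewall:
    """First-match rule set plus a connection table for the replies (simplified conntrack)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()   # 5-tuples of accepted flows, stored in the initiating direction

    def filter(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return "accept"  # reply to a tracked flow: no rule lookup, no source-port rule needed
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "accept":
                    self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return rule.action
        return "drop"        # default policy


def demo_firewall(client_port: int) -> Tuple[str, str, str]:
    """Outbound HTTPS from a LAN host, its reply, and an unrelated inbound packet (constructed)."""
    fw = StatefulFirewall([
        Rule("tcp", "192.0.2.10", "any", 443, "accept"),  # LAN host may reach any HTTPS server
        Rule("any", "any", "any", None, "drop"),          # everything else is dropped
    ])
    outbound = Packet("tcp", "192.0.2.10", client_port, "198.51.100.5", 443)
    reply = Packet("tcp", "198.51.100.5", 443, "192.0.2.10", client_port)
    unsolicited = Packet("tcp", "198.51.100.5", 8080, "192.0.2.10", 22)
    return fw.filter(outbound), fw.filter(reply), fw.filter(unsolicited)


if __name__ == "__main__":
    low, high = ephemeral_port_range()
    cport, sport = observe_ephemeral_port()
    print(f"ephemeral range {low}-{high}; client port {cport} (in range: {low <= cport <= high})")
    print("outbound/reply/unsolicited:", demo_firewall(cport))
```

The reply is accepted because the connection table already holds the flow the LAN host opened, not because any rule mentions the client's port; the unsolicited packet from the same server fails every rule and hits the default drop. That is why a rule such as "allow any port from the inside LAN" is unnecessary for return traffic on a stateful firewall.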
