topic how to block tcp traffic which has source port number from 1 to 1024 in Firewall and Security Management

how to block tcp traffic which has source port number from 1 to 1024

renegad — Mon, 27 Sep 2021 13:20:04 GMT

Hi, I would like to ask for best way to block all incomming traffic which has tcp source port in range from 1 to 1024 and destination port is any on external interface? Source IP is any, destination IP can be SG public IP. Thank you

Re: how to block tcp traffic which has source port number from 1 to 1024

PhoneBoy — Tue, 28 Sep 2021 15:36:49 GMT

You’d have to create a service of type Other to o that, which allows you to enter in an INSPECT expression.
Some samples of INSPECT syntax are in point 7 here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30583&partition=Basic&product=Cluster
I believe the correct expression would be: tcp, sport<=1024

That said, last I checked, INSPECT services disable SecureXL templates at that rule and for all rules below.
However, that may not be the case in R80.20 and above.
Meaning: this has a potential performance impact.

Re: how to block tcp traffic which has source port number from 1 to 1024

Timothy_Hall — Wed, 29 Sep 2021 11:57:44 GMT

Pretty sure using the source port as a matching criteria will disable rule templating even in the latest releases, as SecureXL is not able to mask/ignore the source port for accept template calculations. Services specifying custom INSPECT code are also very likely to have all their traffic handled in F2F/slowpath, although I haven't checked for this in the latest releases and it may be possible to reinject that traffic back into SecureXL after the initial rule matching in F2F is complete.

Re: how to block tcp traffic which has source port number from 1 to 1024

_Val_ — Wed, 29 Sep 2021 11:59:13 GMT

Second that.

Re: how to block tcp traffic which has source port number from 1 to 1024

Bob_Zimmerman — Wed, 29 Sep 2021 13:46:52 GMT

You shouldn't need to use INSPECT. I just tried this:

[Expert@LabSC:0]# mgmt_cli -r true login > session.txt [Expert@LabSC:0]# mgmt_cli -s session.txt --format json add service-tcp name lowSources source-port 1-1024 port 1-65535 { "uid" : "ab4ec7b3-cffe-4b5b-9fa1-77b6ac8fe65a", "name" : "lowSources", "type" : "service-tcp", "domain" : {...}, "port" : "1-65535", "source-port" : "1-1024", "match-by-protocol-signature" : false, "override-default-settings" : false, "session-timeout" : 3600, "use-default-session-timeout" : true, "match-for-any" : false, "sync-connections-on-cluster" : true, "aggressive-aging" : {...}, "keep-connections-open-after-policy-installation" : false, "groups" : [ ], "comments" : "", "color" : "black", "icon" : "Services/TCPService", "tags" : [ ], "meta-info" : {...}, "read-only" : true }

Then you add a rule for that service telling the firewall to drop traffic which matches it.

The SecureXL concerns are still present, but at least it's not an especially unusual service object.

Re: how to block tcp traffic which has source port number from 1 to 1024

PhoneBoy — Wed, 29 Sep 2021 14:58:33 GMT

Probably a better way to do it actually.