renegad
Explorer

how to block tcp traffic which has source port number from 1 to 1024

Hi, I would like to ask for the best way to block all incoming traffic on the external interface which has a TCP source port in the range 1 to 1024 and any destination port. Source IP is any; destination IP can be the SG public IP. Thank you

0 Kudos
5 Replies
PhoneBoy
Admin

You’d have to create a service of type Other to do that, which allows you to enter an INSPECT expression.
Some samples of INSPECT syntax are in point 7 here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I believe the correct expression would be: tcp, sport<=1024

That said, last I checked, INSPECT services disable SecureXL templates at that rule and for all rules below.
However, that may not be the case in R80.20 and above.
Meaning: this has a potential performance impact.

0 Kudos
Timothy_Hall
Champion

Pretty sure using the source port as a matching criterion will disable rule templating even in the latest releases, as SecureXL is not able to mask/ignore the source port for accept template calculations. Services specifying custom INSPECT code are also very likely to have all their traffic handled in F2F/slowpath, although I haven't checked for this in the latest releases and it may be possible to reinject that traffic back into SecureXL after the initial rule matching in F2F is complete.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
_Val_
Admin

Second that. 

0 Kudos
Bob_Zimmerman
Advisor

You shouldn't need to use INSPECT. I just tried this:

[Expert@LabSC:0]# mgmt_cli -r true login > session.txt
[Expert@LabSC:0]# mgmt_cli -s session.txt --format json add service-tcp name lowSources source-port 1-1024 port 1-65535
{
  "uid" : "ab4ec7b3-cffe-4b5b-9fa1-77b6ac8fe65a",
  "name" : "lowSources",
  "type" : "service-tcp",
  "domain" : {...},
  "port" : "1-65535",
  "source-port" : "1-1024",
  "match-by-protocol-signature" : false,
  "override-default-settings" : false,
  "session-timeout" : 3600,
  "use-default-session-timeout" : true,
  "match-for-any" : false,
  "sync-connections-on-cluster" : true,
  "aggressive-aging" : {...},
  "keep-connections-open-after-policy-installation" : false,
  "groups" : [ ],
  "comments" : "",
  "color" : "black",
  "icon" : "Services/TCPService",
  "tags" : [ ],
  "meta-info" : {...},
  "read-only" : true
}

Then you add a rule for that service telling the firewall to drop traffic which matches it.

The SecureXL concerns are still present, but at least it's not an especially unusual service object.
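
The following is an added example, not code from this thread, from Check Point, or from any of the posters. It models the two service definitions proposed above (Bob_Zimmerman's service-tcp object with port 1-65535 and source-port 1-1024, and PhoneBoy's INSPECT form `tcp, sport<=1024`), builds the drop rule the question asks for on top of each (source any, destination the gateway's public IP, inbound on the external interface), and runs constructed sample connections through both so the verdicts can be compared before anything is installed on a real gateway. The gateway IP `203.0.113.10`, the interface names `eth0`/`eth1` and all sample connections are constructed placeholders.

```python
"""Added example (not code from the thread, Check Point, or any of its posters).

Models the two ways the thread proposes to define the service:
  * Bob_Zimmerman's object:  type service-tcp, port 1-65535, source-port 1-1024
  * PhoneBoy's INSPECT form: tcp, sport<=1024
and a drop rule built on it (source any, destination = the gateway's public IP,
applied to traffic arriving on the external interface). Constructed sample
connections are run through both so the verdicts can be compared before the
real rule is installed. IP addresses, interface names and samples are all
constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable

# Placeholder for the Security Gateway's public IP (constructed, not from the thread).
SG_PUBLIC_IP = ip_address("203.0.113.10")
EXTERNAL_IF = "eth0"  # assumed name of the external interface


@dataclass(frozen=True)
class Conn:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str  # interface the first packet arrived on


def parse_port_range(spec: str) -> tuple[int, int]:
    """Parse a Check Point style port field: "443" or "1-1024" -> (low, high)."""
    low, _, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi


def service_tcp_matches(conn: Conn, port: str = "1-65535",
                        source_port: str = "1-1024") -> bool:
    """Match like a service-tcp object with 'port' (destination) and 'source-port' fields."""
    if conn.proto != "tcp":
        return False
    dlo, dhi = parse_port_range(port)
    slo, shi = parse_port_range(source_port)
    return dlo <= conn.dport <= dhi and slo <= conn.sport <= shi


def inspect_matches(conn: Conn) -> bool:
    """Literal reading of the INSPECT expression 'tcp, sport<=1024'."""
    return conn.proto == "tcp" and conn.sport <= 1024


def drop_rule_verdict(conn: Conn, matcher: Callable[[Conn], bool]) -> str:
    """Rule 'src any, dst SG public IP, service <matcher>, action drop' for inbound traffic.

    Returns "drop" when the rule matches, otherwise "continue" (rulebase evaluation
    would go on to the next rule).
    """
    inbound = conn.ingress == EXTERNAL_IF and ip_address(conn.dst) == SG_PUBLIC_IP
    return "drop" if inbound and matcher(conn) else "continue"


# Constructed sample connections (first packet of each).
SAMPLES = {
    "low sport to gateway":         Conn("tcp", "198.51.100.7", 80, "203.0.113.10", 50123, "eth0"),
    "sport 1024 boundary":          Conn("tcp", "198.51.100.7", 1024, "203.0.113.10", 443, "eth0"),
    "high sport to gateway":        Conn("tcp", "198.51.100.7", 1025, "203.0.113.10", 443, "eth0"),
    "udp low sport":                Conn("udp", "198.51.100.7", 53, "203.0.113.10", 5353, "eth0"),
    "low sport on internal if":     Conn("tcp", "10.0.0.5", 22, "203.0.113.10", 8080, "eth1"),
    "sport 0 (definitions differ)": Conn("tcp", "198.51.100.7", 0, "203.0.113.10", 443, "eth0"),
}


def evaluate(samples: dict[str, Conn] = SAMPLES) -> dict[str, tuple[str, str]]:
    """Verdict of the drop rule under both service definitions, keyed by sample name."""
    return {
        name: (drop_rule_verdict(c, service_tcp_matches), drop_rule_verdict(c, inspect_matches))
        for name, c in samples.items()
    }


def disagreements(samples: dict[str, Conn] = SAMPLES) -> list[str]:
    """Samples where the service-tcp object and the INSPECT expression disagree."""
    return [name for name, (a, b) in evaluate(samples).items() if a != b]


if __name__ == "__main__":
    for name, (obj, insp) in evaluate().items():
        print(f"{name:30} service-tcp={obj:8} inspect={insp}")
    # The two definitions as written diverge only at source port 0, which the
    # 1-1024 range excludes and the literal '<=1024' comparison includes.
    print("disagree:", disagreements())
```

Whichever definition is used, the drop rule has to sit above any accept rule that would otherwise match the same inbound traffic, so with the object from the post above the rule would be added with something of the form `mgmt_cli -s session.txt add access-rule layer "Network" position top name "drop low source ports" destination <SG object> service lowSources action Drop`, followed by `mgmt_cli -s session.txt publish` (layer name and destination object are placeholders for whatever the policy package actually uses). The SecureXL templating caveat raised earlier in the thread applies to that rule and the rules below it regardless of which service form is chosen.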

PhoneBoy
Admin

Probably a better way to do it actually.

0 Kudos