
Do not try to block remote ports in Linux.


Article ID: 162512


Products

Embedded Security Critical System Protection
Critical System Protection
Data Center Security Monitoring Edition
Data Center Security Server
Critical System Protection Client Edition
Data Center Security Server Advanced

Issue/Introduction

The local port of an outgoing TCP connection on a Linux system is ignored by the driver, because it typically has no valid value at the time the driver processes the connect.

Cause

If a customer tries to block outbound TCP port 20 to all IP addresses for a Linux agent, the driver sees the rule as:

block 0.0.0.0 port 0

On a Linux agent the driver ignores the port because it has no valid value while the driver is processing the connect. The IP address is also not present until the bind, so what the driver sees for the outbound TCP/IP accept is:

0.0.0.0 port 0

This causes problems: the rule ends up blocking all accepts on any port.
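The behaviour behind this can be seen from user space. The script below is an added illustration, not part of the original article or the product: it stands up a throwaway listener on loopback (a constructed stand-in for the remote service) and reads the client socket's local endpoint just before and just after connect(), showing that without an explicit bind() the local address and port are 0.0.0.0:0 until the kernel assigns them inside connect(). The function names are my own.

```python
import socket


def local_endpoint_before_and_after_connect():
    """Return ((addr, port) before connect, (addr, port) after connect)
    for an ordinary outbound client socket that never calls bind()."""
    # Constructed listener on loopback; port 0 lets the kernel pick a free one.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    remote = server.getsockname()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # No explicit bind(): this is how most outbound clients behave, so
        # the local endpoint is still the unspecified address and port 0.
        before = client.getsockname()          # ('0.0.0.0', 0)
        # The kernel autobinds an ephemeral source port only inside connect();
        # a filter evaluated at the start of connect() therefore sees port 0.
        # On loopback the handshake completes without the server calling accept().
        client.connect(remote)
        after = client.getsockname()           # ('127.0.0.1', <ephemeral port>)
    finally:
        client.close()
        server.close()
    return before, after


def local_endpoint_with_explicit_bind():
    """Contrast: a client that binds first has a real local endpoint
    before connect(), which is why services that bind are matched fine."""
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.bind(("127.0.0.1", 0))          # explicit bind assigns the port now
        return client.getsockname()
    finally:
        client.close()


if __name__ == "__main__":
    before, after = local_endpoint_before_and_after_connect()
    print("unbound client, before connect:", before)
    print("unbound client, after connect: ", after)
    print("bound client, before connect:  ", local_endpoint_with_explicit_bind())
```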

Resolution

Do not use an IPS policy to block outbound remote ports on a Linux agent. If the ports for the behavior you are trying to block do not overlap with other ports, block the inbound connection locally on the host that is running the service instead of the outbound connection on the client side.