TCP port 0 matches Gateway Firewall rules despite the rule not being configured with TCP Port 0

Article ID: 374245

Updated On: 12-09-2024

Products

VMware NSX Firewall, VMware vDefend Firewall, VMware NSX

Issue/Introduction

The Gateway Firewall (GFW) does not block connections to TCP port 0. A rule that is configured with a specific TCP port (for example 443) and does not include TCP port 0 in its criteria still matches, and therefore permits, connections to TCP port 0, while connections to any other port that is not listed in the rule are blocked as expected.

The rule-matching logic is the same for firewall and NAT rules, so the same behavior applies to NAT rules.

The issue has been reproduced in a lab with the same rule conditions: a VM sending an openssl request to TCP port 0 confirmed that the connection was allowed.

Firewall Interface:

root@nsx-edge-xxxx:/var/log# su admin -c "get firewall interfaces"
Tue Jul 30 2024 UTC 19:40:25.037
Interface : xxxxxxxxx
Type : UPLINK
Sync enabled : true
Name : xxxxxx
VRF ID : 2
Context entity : xxxxxxxxxx
Context name : xxxxx


Rule info:

root@nsx-edge-xxxx:/var/log# su admin -c "get firewall xxxxxxxxxxxxxxxxx ruleset rules"
Tue Jul 30 2024 UTC 19:41:23.808
DNAT rule count: 0

SNAT rule count: 0

Firewall rule count: 3
Rule ID : 5100
Rule : inout protocol tcp from any to addrset {x.x.x.x, x.x.x.x, x.x.x.x} port 443 accept with log <------- should only match HTTPS (TCP 443) packets

Rule ID : 5101
Rule : inout protocol any from any to addrset {x.x.x.x, x.x.x.x, x.x.x.x} accept with log tag 'DENY'

Rule ID : 1012
Rule : inout protocol any from any to any accept

Source VM:

root@xxxxxxxx:/etc/netplan# ifconfig

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet x.x.x.x netmask x.x.x.x broadcast x.x.x.x
inet6 xxx:xxx:xxx:xxx prefixlen 64 scopeid 0x20<link>
ether xxx:xxx:xxx:xxxx txqueuelen 1000 (Ethernet)
RX packets 84125314 bytes 5369827492 (5.3 GB)
RX errors 0 dropped 7727107 overruns 0 frame 0
TX packets 947 bytes 66519 (66.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Using openssl on the source VM to generate a connection to TCP port 0:

root@xxxxxx:/etc/netplan# openssl s_client -connect x.x.x.x:0

The Edge firewall packet log shows the port 0 traffic matching rule 5100 (the TCP 443 rule) and being passed:

2024-07-30T19:38:57.959Z nsx-edge-xxxx NSX 8469 FIREWALL [nsx@xxxx comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <2 xxxxxxxxxxxxx:xxxxxxxxxxxxx> INET reason-match PASS 5100 IN 60 TCP x.x.x.x/58724->x.x.x.x/0 S
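To check whether a gateway is exhibiting this behavior from its logs, the following script (an added example for this KB, not VMware code) parses datapathd "firewallpkt" lines in the layout quoted above and flags TCP/UDP packets to destination port 0 that were passed by a rule carrying a port criterion that does not include port 0. The sample log lines, the RFC 5737 addresses and the rule-to-port map are constructed for the demonstration; in practice the map is built from the output of "get firewall <interface> ruleset rules" shown earlier.

```python
"""Flag TCP/UDP port-0 packets passed by port-specific gateway firewall rules.

Added example for this KB, not VMware code. The record layout follows the
datapathd "firewallpkt" line quoted above; sample lines, addresses and the
rule-to-port map are constructed for the demonstration.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# Body of a firewallpkt record, e.g.
#   INET reason-match PASS 5100 IN 60 TCP 192.0.2.10/58724->192.0.2.20/0 S
PKT_RE = re.compile(
    r"reason-(?P<reason>\S+)\s+(?P<action>PASS|DROP|REJECT)\s+(?P<rule>\d+)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>[A-Z0-9]+)\s+"
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+)->(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+)"
)

# Constructed sample lines in the format quoted on this page.
_PREFIX = (
    '2024-07-30T19:38:57.959Z nsx-edge-01 NSX 8469 FIREWALL [nsx@6876 comp="nsx-edge" '
    'subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <2 1234:5678> INET '
)
SAMPLE_LOG = [
    _PREFIX + "reason-match PASS 5100 IN 60 TCP 192.0.2.10/58724->192.0.2.20/0 S",    # the defect
    _PREFIX + "reason-match PASS 5100 IN 60 TCP 192.0.2.10/58725->192.0.2.20/443 S",  # legitimate HTTPS
    _PREFIX + "reason-match PASS 1012 IN 60 TCP 192.0.2.10/58726->192.0.2.30/22 S",   # any-port rule
    _PREFIX + "reason-match PASS 1012 IN 60 TCP 192.0.2.10/58727->192.0.2.30/0 S",    # port 0 on any-port rule
]

# Port criteria of the rules that carry one, keyed by rule ID (from the ruleset
# above: rule 5100 is "port 443"). Rules absent from the map (5101, 1012) are
# "protocol any" rules that legitimately match every port.
RULE_PORTS: Dict[int, Set[int]] = {5100: {443}}


def parse_packet_log(line: str) -> Optional[dict]:
    """Return the parsed record for a firewallpkt line, or None if it is not one."""
    m = PKT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "length", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def find_port0_matches(lines: Iterable[str], rule_ports: Dict[int, Set[int]]) -> List[dict]:
    """Return findings for passed TCP/UDP packets whose destination port is 0.

    A hit on a rule that has an explicit port set not containing 0 is the
    behavior this KB describes; a hit on an any-port rule is reported too,
    because port 0 is never a legitimate destination, but it is not the defect.
    """
    findings: List[dict] = []
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["action"] != "PASS":
            continue
        if rec["proto"] not in ("TCP", "UDP") or rec["dport"] != 0:
            continue
        ports = rule_ports.get(rec["rule"])
        if ports is not None and 0 not in ports:
            kind = "port0_hit_on_port_specific_rule"
        else:
            kind = "port0_hit_on_any_port_rule"
        findings.append({**rec, "kind": kind})
    return findings


if __name__ == "__main__":
    for hit in find_port0_matches(SAMPLE_LOG, RULE_PORTS):
        print(f'{hit["kind"]}: rule {hit["rule"]} {hit["proto"]} '
              f'{hit["src"]}/{hit["sport"]} -> {hit["dst"]}/{hit["dport"]}')
```

Run against a real Edge packet log (with logging enabled on the rules of interest, as in the ruleset above), any "port0_hit_on_port_specific_rule" finding means the gateway is matching port 0 against a rule that was never configured for it.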

Environment

VMware NSX

Cause

Engineering has identified a defect in the Gateway Firewall.

Resolution

This issue will be resolved in NSX 4.2.1.