topic Re: Using tcp port 0? in Network Security

Using tcp port 0?

mikearama — Mon, 11 Mar 2019 23:21:28 GMT

12 years as a firewall guy... and this is a first for me.

I have a request to allow firewall access to an app that apparently uses tcp port 0. I thought it didn't exist... but good-ol' google proved that wrong. I did find this comment: " Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications. "

Just out of curiosity, anyone implemented an acl using port 0 before? Any issues on the ASA side?

Thanks,

Mike

Using tcp port 0?

Gautam Bhagwandas — Sun, 01 Jul 2012 19:08:31 GMT

Dear Mike,

You are right. As per IANA port numbers assignment, this is a TCP port is a reserved port.

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml

Moreover, the ACL command does not permit you to define a port of 0 .

Here's a test from my lab ASA:

HTTS-R1-ASA5510-01(config)# $ host 1.1.1.1 eq 1 host 2.2.2.2 eq ?

configure mode commands/options:
<1-65535> Enter port number (1 - 65535)
aol

HTTS-R1-ASA5510-01(config)# show ver

Cisco Adaptive Security Appliance Software Version 8.2(3)

I also see that a syslog message is generated in this regard:

Error Message %ASA-4-500004: Invalid transport field for protocol=protocol,

from source_address/source_port to dest_address/dest_port

Explanation This message appears when there is an invalid transport number,
in which the source or destination port number for a protocol is zero.

The protocol value is 6 for TCP and 17 for UDP and therefore a tcp or udp
packet with source or destination port 0 is a malformed request.

Recommended Action If these messages persist, contact the administrator of
the peer.

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4773952

So port 0 definitely looks like a very unusual thing.

Using tcp port 0?

Gautam Bhagwandas — Sun, 01 Jul 2012 19:46:36 GMT

Just wanted to append the outputs on FWSM as well where the same limitiation exists:

VL-QN-FW002/test-ne(config)# $rmit tcp host 1.1.1.1 eq ?

configure mode commands/options:

<1-65535> Enter port number (1 - 65535)

VL-QN-FW002(config)# show ver | inc 4.0

FWSM Firewall Version 4.0(15)

The FWSM system log message ID is the same agian (500004).

This syslog message would be generated when port 0 destined traffic is already allowed through the firewall (not within an acl permitting port 0 of course but a more generic acl that does not contain the port number and permits in general ip/tcp traffic).

Re: Using tcp port 0?

pan.systems — Tue, 15 Jan 2019 11:53:03 GMT

FYI, Cisco themselves source ip sla control traffic from port 0. Yeah I know, WTF?