Can the cloud firewall block source ports instead of destination ports?

I've been having an issue with NTP (UDP port 123) reflection attacks. I want to block all traffic from UDP port 123 (and some others), but the Cloud Firewall interface seems to only allow blocking destination ports.

If Cloud Firewall doesn't support this, is there any Linode product that does? It seems like a very odd oversight for a firewall not to be able to block on the basis of origin ports, given the prevalence of reflection-based DDoSes.

2 Replies

Yes - Cloud Firewalls can set rules for both inbound and outbound connections. Our Getting Started with Cloud Firewalls guide is a good place to start with getting familiar with that service. As for how to set up a Cloud Firewall's rules, that's covered in our Manage Firewall Rules guide.

Hi, the issue isn't inbound vs outbound, it's source port vs destination port.

All connections (whether inbound or outbound) have both source and destination ports. For example, when your browser connects to port 443, it first binds to a random local port at your end. The connection is then ClientIP:RandomPort to ServerIP:443.

Inbound firewall rules apply to the port on my Linode (where the connection is to) whereas I want to filter based on the remote port (where the connection is from, in this case port 123 aka NTP). NTP servers are commonly abused to perform reflection DDoS attacks, and they will always send data from port 123.

Outbound rules won't help here, as the data is inbound from the remote NTP servers being used to mount the attack.

The equivalent of what I want in iptables would be:

iptables -A INPUT -p udp --sport 123 -j DROP

However, this loses the main advantage that Cloud Firewall has - that when using it, traffic never reaches the Linode in the first place.
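A host-level fallback for the source-port filtering described above, added here as an example and not code from the thread or from Linode: it refines the bare `--sport 123 -j DROP` rule so that conntrack first passes UDP replies the Linode itself requested (a local NTP or DNS client keeps working), and only unsolicited packets arriving from reflector service ports are logged and dropped. Port 123 comes from the thread; the chain name, the `DRY_RUN` switch and the other ports (DNS 53, CLDAP 389, SSDP 1900, memcached 11211, all commonly abused for UDP amplification) are assumptions. As the poster notes, this runs on the Linode, so it does not replace filtering at the edge.

```shell
#!/bin/sh
# Hypothetical helper (not a Linode tool): filter inbound UDP by SOURCE port.
set -eu

# Assumed list: 123 is from the thread, the rest are well-known amplifiers.
REFLECTOR_SPORTS="${REFLECTOR_SPORTS:-123 53 389 1900 11211}"

# DRY_RUN=1 prints each iptables command instead of executing it (no root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Builds a dedicated chain: replies to requests this host sent are accepted
# first (conntrack tracks UDP flows too), then anything else arriving from
# a reflector service port is rate-limited-logged and dropped.
reflection_filter_rules() {
    run iptables -N REFLECT_FILTER 2>/dev/null || run iptables -F REFLECT_FILTER
    # Solicited replies: the outgoing request created the conntrack entry.
    run iptables -A REFLECT_FILTER -p udp -m conntrack --ctstate ESTABLISHED -j RETURN
    for port in $REFLECTOR_SPORTS; do
        # Sample the drops to syslog so an attack is visible, without log flooding.
        run iptables -A REFLECT_FILTER -p udp --sport "$port" \
            -m limit --limit 6/min -j LOG --log-prefix "REFLECT-DROP sport=$port "
        run iptables -A REFLECT_FILTER -p udp --sport "$port" -j DROP
    done
    # Hook the chain in front of existing INPUT rules for UDP only.
    run iptables -I INPUT 1 -p udp -j REFLECT_FILTER
}

# Check helper: number of DROP rules the current port list would install.
count_drop_rules() {
    DRY_RUN=1 reflection_filter_rules | grep -c -- '-j DROP'
}

# Usage: DRY_RUN=1 sh reflect.sh apply   (preview)
#        sudo sh reflect.sh apply        (install the rules)
if [ "${1:-}" = "apply" ]; then
    reflection_filter_rules
fi
```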
