To be clear, UDP port 0 is not, and probably shouldn't be, blocked, because some network gear and reporting tools may mistake a fragmented UDP PDU for port 0. That's an implementation error, but one that may be common enough to create issues for users. Blocking inbound TCP port 0 is something that I've personally done in dozens of ISP networks over more than a decade without a single reported issue.
Scott Helms

On Tue, Aug 25, 2020 at 7:39 PM narhiro <[email protected]> wrote:
>
>
> > "Port 0 is a reserved port, which means it should not be used by
> > applications. Network abuse has prompted the need to block this port."
> >
> > "What about UDP IP fragmentation?"
> >
> > I'm not sure I follow this. The IP packet will be fragmented with UDP
> > inside it. When the IP packet gets put together the UDP PDU will have
> > a port number. It's possible that some packet analyzers or network
> > gear will improperly "see" a partial UDP flow as port 0 but that's a
> > mischaracterization of the flow.
> >
> >
> > Scott Helms
> >
> > Scott Helms
> >
> >
> >
> >>> On Tue, Aug 25, 2020 at 8:17 AM Job Snijders <[email protected]> wrote:
> >>>
> >>>> On Tue, Aug 25, 2020 at 07:27:33AM -0400, K. Scott Helms wrote:
> >>> I think a fairly easy thing to do is see what other large retail ISPs
> >>> have done. Comcast, as an example, lists all of the ports they block
> >>> and 0 is blocked. I do recommend that port 0 be blocked by all of the
> >>> ISPs I work with and frankly Comcast's list is a pretty good one to
> >>> use in general, though you will get some pushback on things like SMTP.
> >>> https://www.xfinity.com/support/articles/list-of-blocked-ports
> >>
> >> I may be reading the table incorrectly, but it seems to me Comcast is
> >> *not* blocking UDP port 0 according to the above URL?
> >>
> >>> Transit providers are a little bit different, but then again port 0 is
> >>> also different since AFAIK it's never had a legitimate use case. It's
> >>> always been a reserved port. I'd personally block it if I ran a
> >>> transit, but I'd be more willing to open it up for one of my large
> >>> customers (in a limited way) than I would on the retail side.
> >>> https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
> >>
> >> What about UDP IP fragmentation?
> >>
> >> Kind regards,
> >>
> >> Job
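The fragmentation point under discussion, shown in working code as an added example (this is not code from the thread or from any of the participants, and the addresses, ports and zero-filled payload are constructed for the illustration). Only the first IPv4 fragment of a UDP datagram carries the 8-byte UDP header; later fragments carry payload bytes where a naive parser expects ports, and a flow exporter that has to put something in its port fields typically fills in 0. A per-packet ACL that only judges packets that actually have a transport header can drop TCP port 0 without touching those fragments, while a "block UDP port 0" rule applied to the reported flow records would catch them.

```python
"""
Added example (not from the thread): why non-initial IPv4 fragments of a
UDP datagram get reported as "port 0", and a port-0 ACL that does not
misjudge them. All packets are constructed in memory; nothing is sent.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
MF_FLAG = 0x2000  # "more fragments" bit in the flags/fragment-offset word


def ipv4_header(proto, payload_len, ident=0x1234, more=False, frag_off=0):
    # Minimal 20-byte IPv4 header. Checksum is left zero because these bytes
    # are only parsed here, never transmitted. Addresses are RFC 5737 examples.
    flags_frag = (MF_FLAG if more else 0) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))


def udp_datagram(sport, dport, payload):
    # UDP header (checksum zero) followed by payload.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(proto, pdu, chunk=8):
    # Split a transport PDU into IPv4 fragments of `chunk` bytes each
    # (chunk must be a multiple of 8, as fragment offsets are in 8-byte units).
    out = []
    for off in range(0, len(pdu), chunk):
        piece = pdu[off:off + chunk]
        more = off + chunk < len(pdu)
        out.append(ipv4_header(proto, len(piece), more=more, frag_off=off) + piece)
    return out


def frag_offset(pkt):
    # Fragment offset in bytes (low 13 bits of the flags word, times 8).
    return (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) * 8


def naive_ports(pkt):
    # What a careless analyzer does: read the two 16-bit words after the
    # IP header as source/destination port no matter which fragment this is.
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def flow_record_ports(pkt):
    # Typical flow-export behaviour: a fragment with no transport header
    # still needs a value in the port fields, so 0 is filled in.
    return naive_ports(pkt) if frag_offset(pkt) == 0 else (0, 0)


def careful_ports(pkt):
    # Ports exist only in the first fragment (offset 0); otherwise say so.
    return naive_ports(pkt) if frag_offset(pkt) == 0 else None


def acl_decision(pkt, block_tcp0=True, block_udp0=False):
    # Per-packet ACL: drop TCP port 0 by default, leave UDP port 0 alone by
    # default, and never judge a non-initial fragment by ports it lacks.
    proto = pkt[9]
    ports = careful_ports(pkt)
    if ports is None:
        return "pass"
    if 0 in ports:
        if proto == IPPROTO_TCP and block_tcp0:
            return "drop"
        if proto == IPPROTO_UDP and block_udp0:
            return "drop"
    return "pass"


def demo():
    # Constructed 32-byte UDP payload of zero bytes (e.g. a zero-padded
    # record), so the second fragment starts with 0x0000 0x0000.
    frags = fragment(IPPROTO_UDP, udp_datagram(40000, 53, bytes(32)))
    tcp_port0 = ipv4_header(IPPROTO_TCP, 20) + struct.pack("!HH", 12345, 0) + bytes(16)
    return {
        "fragments": len(frags),
        "first_naive": naive_ports(frags[0]),
        "second_naive": naive_ports(frags[1]),
        "second_flow": flow_record_ports(frags[1]),
        "second_careful": careful_ports(frags[1]),
        "second_acl_udp0_blocked": acl_decision(frags[1], block_udp0=True),
        "tcp0_acl": acl_decision(tcp_port0),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the first fragment parsed as 40000 -> 53, the second fragment reported as 0 -> 0 by both the naive parser and the flow record, `None` from the careful parser, "pass" from the ACL even with UDP port 0 blocking switched on, and "drop" for the constructed TCP destination-port-0 packet.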

