On 4. May 2022, at 08:53, Willy Tarreau <[email protected]> wrote:
>
> […] This has contributed to making active FTP unpopular, and nowadays it has become safe to block SYN from sources < 1024 at the edge. UDP doesn't have such a thing as a SYN flag and it's critical that traffic cannot be made symmetrical, or there's no more infrastructure filtering and only application level filtering.
Instead of collecting wafting lists of undesirable ports, would it make sense to more architecturally partition port numbers between those used by servers and those used by clients?

Outside of specific applications (that could do with specific port number lists), we used to use ephemeral ports for clients, but not for servers. If servers predominantly reflect on their server ports, and server ports don't reach victim server ports, that would be a win.

Grüße, Carsten
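To make the partition idea concrete, here is an added example (not code from the thread or from either author) of an edge filter that classifies UDP datagrams by which side of the client/server port split each port falls on. The split itself (well-known ports 0-1023 plus a site-supplied list count as "server", everything else counts as "client"), the list of legitimately symmetric protocol pairs, and the sample packets are all assumptions made for the example; a real deployment would fill them in from its own inventory.

```python
# Added example: UDP edge filter based on a client/server port partition.
# Not from the thread. Ranges, exception pairs and sample packets are assumptions.

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

# "Server" side of the partition: the well-known range. Anything not classed as
# a server port is treated as a client (ephemeral) port.
WELL_KNOWN = range(0, 1024)

# Protocols that legitimately run server-port to server-port and would otherwise
# look symmetrical. This is the "specific port number list" for specific
# applications; the entries here are assumptions for a hypothetical site.
SYMMETRIC_OK: FrozenSet[Tuple[int, int]] = frozenset({
    (123, 123),   # NTP server/peer exchange
    (500, 500),   # IKE
    (68, 67),     # DHCP client -> server
    (67, 68),     # DHCP server -> client
})


@dataclass(frozen=True)
class Udp:
    """Just the two fields the partition filter looks at."""
    src_port: int
    dst_port: int


def is_server_port(port: int, extra: FrozenSet[int] = frozenset()) -> bool:
    """A port is 'server' if well-known or registered by the site as a service port."""
    return port in WELL_KNOWN or port in extra


def verdict(pkt: Udp, extra_server_ports: FrozenSet[int] = frozenset()) -> str:
    """Classify one datagram under the partition.

    The only drop case is server-port -> server-port ("symmetrical" traffic),
    which is what a reflector's reply looks like when it lands on a victim's
    service port, and what the spoofed request looks like on the reflector's
    side. Everything else is left to application-level filtering.
    """
    src_srv = is_server_port(pkt.src_port, extra_server_ports)
    dst_srv = is_server_port(pkt.dst_port, extra_server_ports)
    if src_srv and dst_srv:
        if (pkt.src_port, pkt.dst_port) in SYMMETRIC_OK:
            return "allow-symmetric"
        return "drop-symmetric"
    if dst_srv:
        return "allow-request"        # client ephemeral -> server port
    if src_srv:
        return "allow-reply"          # server port -> client ephemeral
    return "allow-unclassified"       # ephemeral <-> ephemeral: app-level filtering only


def filter_batch(pkts: Iterable[Udp],
                 extra_server_ports: FrozenSet[int] = frozenset()) -> Dict[str, int]:
    """Apply the partition to a stream and tally verdicts for auditing."""
    counts: Dict[str, int] = {}
    for p in pkts:
        v = verdict(p, extra_server_ports)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample traffic (assumption): a normal DNS exchange, an NTP peer
# exchange, and a spoofed reflection attempt whose source port was set to the
# victim's DNS service port so the reflector's reply lands on port 53.
SAMPLE = [
    Udp(53000, 53),   # client query
    Udp(53, 53000),   # server reply
    Udp(123, 123),    # NTP, explicitly allowed symmetric pair
    Udp(53, 123),     # spoofed request: server port -> server port, dropped
    Udp(123, 53),     # the reflected reply toward the victim, also dropped
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src_port:>5} -> {p.dst_port:<5} {verdict(p)}")
    print(filter_batch(SAMPLE))
```

The point of the batch view is that both halves of a reflection attack are caught by the same rule: the spoofed request is dropped at the reflector's edge and the amplified reply at the victim's edge, without either site needing a per-protocol blocklist. Passing a site-specific `extra_server_ports` set (for a service running above 1023) extends the partition without changing the rule.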
