Why is port 1024 (non-privileged) blocked by firewalld by default?

0-1023 are privileged ports, and 1024 can be listened on by nc without sudo; however, firewalld's predefined zones block 1024 as well. Why?

$ firewall-cmd --info-zone=FedoraWorkstation
  ports: 1025-65535/udp 1025-65535/tcp

As best I can tell from digging through the records, it looks like the point of that firewall rule was to allow certain services to operate without further user configuration of the firewall, not to “block the privileged ports”. Apparently the services they had in mind at the time all listened on ports strictly greater than 1024 (Rhythmbox, Rygel, RTSP streaming, etc.).

Reference (particularly the linked spreadsheet): Re: Desktop and FirewallD - desktop - Fedora Mailing-Lists

Edit: Upon closer examination, it does look like a mistake that port 1024 was not included. At least according to this documentation, the range of “ephemeral” ports (i.e. port numbers that an application could be assigned by the OS if they attempt to bind to port 0) does include 1024.


It has always been my understanding that port 0 is not defined and that the first 1024 ports (1-1024) are the privileged ports. If you can show where port 0 is defined and used I would be interested to learn that.

I do see that things show that ports <1024 are privileged, but have never seen port 0 used for anything nor have I ever seen port 1024 used.

Binding a service to “port 0” is a special case. The OS takes requests to bind a service to port 0 to mean that it (the OS) should pick an available (non-zero) port. So, it is true that nothing will ever actually be bound/listening on that port.


BTW, you can change what ports are designated as “privileged”. I’ve even heard it said that lowering/redefining the range of privileged ports can be a positive thing in terms of its security implications: Dear Linux, Privileged Ports Must Die – Aral Balkan

Adding to what’s already said, I think the footnote of this[1] sums it up quite well:

But IANA does refer to port 0 as “Reserved” (see here). Meaning, this port should not be used online. That makes it okay with regard to the dynamic assignment convention (since it won’t actually be used).

Though 1024 is the start of user ports, I suppose there’s no harm in blocking 1024 since it’s also reserved[2]:

Reserved port numbers include values at the edges of each range, e.g., 0, 1023, 1024, etc.

o the User Ports, also known as the Registered Ports, from 1024-49151 (assigned by IANA)

  1. Is it possible to connect to TCP port 0?

  2. RFC 6335 - 6. Port Number Ranges
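To make the gap discussed in this thread concrete, here is an added example (not code from any post above): it parses the zone's `ports:` line quoted by the original poster, checks which of the RFC 6335 User Ports (1024-49151) the zone leaves closed, and binds to port 0 to show the OS picking an ephemeral port for you. The sysctl path `/proc/sys/net/ipv4/ip_local_port_range` is the Linux setting that controls which ports bind(0) hands out; on non-Linux hosts that read simply returns None.

```python
import socket
from pathlib import Path

# Constructed sample: the zone line quoted in the thread
# (output of: firewall-cmd --info-zone=FedoraWorkstation).
ZONE_PORTS_LINE = "ports: 1025-65535/udp 1025-65535/tcp"

# RFC 6335 section 6: User Ports run 1024-49151 (quoted in the post above).
USER_PORTS = (1024, 49151)


def parse_zone_ports(line):
    """Turn a firewalld 'ports:' line into (low, high, proto) tuples.
    Accepts both single ports ('22/tcp') and ranges ('1025-65535/udp')."""
    _, _, body = line.partition(":")
    ranges = []
    for token in body.split():
        spec, _, proto = token.partition("/")
        low, _, high = spec.partition("-")
        low_i = int(low)
        high_i = int(high) if high else low_i
        ranges.append((low_i, high_i, proto))
    return ranges


def port_allowed(ranges, port, proto):
    """True if the zone opens `port` for `proto`."""
    return any(lo <= port <= hi and p == proto for lo, hi, p in ranges)


def uncovered_ports(ranges, low, high, proto):
    """Ports in [low, high] that the zone does NOT open for `proto`."""
    return [p for p in range(low, high + 1) if not port_allowed(ranges, p, proto)]


def local_ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """(low, high) the Linux kernel uses for bind(0); None if not readable."""
    try:
        low, high = Path(path).read_text().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return None


def bind_port_zero(proto="tcp"):
    """Bind 127.0.0.1:0 and return the port the OS chose (socket is then closed)."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    zone = parse_zone_ports(ZONE_PORTS_LINE)
    print("closed user ports:", uncovered_ports(zone, *USER_PORTS, "tcp"))
    print("kernel ephemeral range:", local_ephemeral_range())
    print("bind(0) gave port:", bind_port_zero())
```

Running it on the quoted zone reports exactly one closed User Port, 1024, so any service the kernel happens to place there would be unreachable through that zone.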

It looks like a mistake. File a bug report to https://bugz.fedoraproject.org/firewalld if you feel strongly about it.