The local port on outgoing TCP connections on a Linux system is ignored since it typically has no valid value when the driver is processing the connect.
If a customer tries to block port 20 outbound for all IP addresses for TCP on a Linux agent, the driver sees that as:
block 0.0.0.0 port 0
On a Linux agent, the driver will ignore the port, as it has no valid value when the driver is processing the connect. Also, the IP address is not present until the bind. What the driver sees for outbound TCP IP accept is:
0.0.0.0 port 0
As you can see, this can cause issues, as it will block all accepts for any port.
Do not use an IPS policy to block outbound remote ports on a Linux agent. If you do not have an overlap in your ports for the behavior you are trying to block, you can block the inbound connection locally on the host that is running the service, instead of the outbound connection on the client side.