AWS/NACL : Why the need to set ephemeral ports range for outbound rules

Reminder of NACL definition:

NACL : Network access control list is a set of inbound/outbound trafic rules ,related to an end-client (for the outbound ports), which can be associated to one on multiple subnets. It is basically a firewall.

The “related to an end-client” is why we need to set ephemeral ports range. Let me explain.

Considering the following, use case:

And the following NACL rules attached to the Linkedin Web server. (In the AWS world, the linkedin web server is an EC2 in a public subnet and the NACL is attached to the subnet and not to the instance. Indeed, only a security group can directly be attached to an EC2 instance) .

Important n.b : In Outbound rules, the port Range correspond to end-client ports (Didier’s computer in our example). For Inbound rules, the port Range correspond to the Linkedin Web server ports.

Inbound rules

Outbound rules

1. Didier (a paid actor) want to access the Linkedin web page.
2. To do so, he goes on its browser application (chrome, opera, explorer, edge …) and search for https://linkedin.com in the search bar.
3. In the background the dns server translate the domain name linkedin.com into an IP address 35.158.99.37, which is actually the IP of the linkedin web server. Then, Didier’s computer OS (windows, linux, MacOs) decide of a random ephemeral port (38091) for the communication with the Linkedin web server. (click here for more detail on the attribution of the ephemeral port). Then the packet containing the request is sent with the following parameters:

• source_ip (132.118.160.182): IP of Didier’s computer.
• destination_ip (35.158.99.37): IP of Linkedin Web server resolved by the dns server.
• source_port (38091): The ephemeral port opened by Didier’s computer to send and RECEIVE packets from Linkedin Web server. Once the communication is terminated, the port will be closed, it is why it is called ephemeral.
• destination_port (443): The port used by the Linkedin Web server to listen and send packet with https protocol.

4. NACL inbound rules check if the incoming packet and its parameters have access to the Linkedin web server (to the subnet where the web server belong).

• The source IP (Didier’s computer, the end-client) is checked: 132.118.160.182 match 0.0.0.0:0, because 0.0.0.0:0 means all IPs.
• The port the packet is trying to access (destination_port in third step on our schema) is checked: 443 match 443.
• IP and Port are verified, the packet will be able to reach Linkedin web server which is listening on port 443 and port 80 (https and http)

5. The Linkedin web server treats the request send by Didier’s computer and prepare a response packet with the following parameters:

• source_ip (35.158.99.37): IP of Linkedin Web server resolved by the dns server.
• destination_ip (132.118.160.182): IP of Didier’s computer.
• source_port (443): The port used by the Linkedin Web server to listen and send packet with https protocol.
• destination_port (38091): The ephemeral port opened by Didier’s computer to send and RECEIVE packets from Linkedin Web server. The port was retrieved from the incoming packet send by Didier’s computer which specify on which port it want to communicate with the Linkedin web server.

6. NACL outbound rules check if the outgoing packet and its parameters are allowed to leave the Linkedin web server and reach the destination IP on the correct port number.

• No problem for the Ip, as 0.0.0.0/0 means packet can be sent to whatever Ip address. NOW IS THE INTERESTING POINT: regarding the port, the NACL accept port from 1024 to 65535. Here a ranged is specify because, when the NACL rules are static (not dynamic), the port opened by Didier’s computer to communicate with the Linkedin web server is dynamic. By dynamic I mean, it is attributed when the request is established. Once the connection is over, the port number is vacated and another application can use it. And if, the Didier close and reopen the browser and try to request one more time for linkedin.com, the Os system might allocate a completely different ephemeral port (10001 for example).
• If we had only specified 443 port with 0.0.0.0/0 , the packet could not have be able to leave the Linkedin web server (AWS subnet) because, the destination port didn’t match 443.

7. The packet travel to Didier’s computer. In our example we did not specified the NACL/firewall on Didier’s computer but in reality most of computer have one.

Ephemeral port attribution:

Ephemeral port are managed by the Os of the machine.

• For mac os ephemeral ports vary from 49152 to 65535
• For windows, ports range can be set in the interval 1025 to 65535
• For most linux kernel 32768 to 60999.