Certified Security - Specialty

Sign Up Free or Log In to participate!

Epheremeral ports in NACL?

Some please explain Epheremeral ports in NACL. what it is used for again? listening? say we have an outbound rule for https/http etc through their own ports(443,80 etc) then do we allow inbound rule through the same port or any ephemeral port?

1 Answers

So when your client (in AWS) connects to a webserver on the internet, you typically think about connecting to the webserver’s port 80/443. But there is also a port on your client machine that is used, and that port is an ephemeral port. It’s used to receive any response from the webserver. So if your NACL doesn’t allow inbound ephemeral ports, the problem you’ll run into is that you cannot communicate with the webserver, because the port will be blocked inbound to your client, and you won’t be able to receive any traffic. Remember that NACLs are stateless firewalls, so it doesn’t keep track of communications and the ports used for that communication.

Security Groups are stateful firewalls and actually use case is slightly different, because they specify what ports you are listening to as a server (ie someone on the internet is initiating the call to you).

In your example the NACL allows outbound 443 and 80, which means you can initiate a call from your client to an external server on those ports, so yes, you need to also allow inbound ephemeral ports because you’re the client and using the ephemeral ports to receive traffic (ie response data) back.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?