How can I block traffic that is going through PORT 0?

Hi, dear Whonix team.
You are really cool, and that's why I'm sure you know what to do.
Some of the Windows workstations connected to the Whonix Gateway show strange behavior: the Whonix Gateway traffic monitoring tool shows that there are attempts to connect to some weird URL with port zero.
Something like very-weird-looking-url:0
The firewall in the Windows workstations doesn't see it and can't block it.
How can I set up the Gateway firewall to block it totally?
Thanks.

Some links that may be helpful
http://www.lovemytool.com/blog/2013/08/the-strange-history-of-port-0-by-jim-macleod.html

https://daniel.haxx.se/blog/2014/10/25/pretending-port-zero-is-a-normal-one/

If these weird URLs are blocked in the firewall of the Windows workstation, it's very strange to see in the Gateway traffic monitoring tool that there are attempts to connect to this URL via port 0.

I've read that port 0 is somehow connected with ICMP, which can be needed, so how can I block the traffic through port 0 without affecting the work of the applications?

Thanks. You've developed great software, so I believe this question is simple for you.

Whonix does IP / port redirection but no content filtering at all, which is a different thing. Knowledge in one area unfortunately doesn't lead to knowledge in another area.

With Windows you will keep playing whack-a-mole, meaning that you keep finding and closing leaks but will never get anywhere near completion.

Host Operating System Selection - Whonix

So no idea. Could be sorted out as per:

Summary:

  • (On Linux and in Unix standards) Port 0 is a placeholder that tells a system to assign whatever unused port >1023 is available. There is no actual port 0 or some undefined raw socket that could let traffic slip past a firewall unnoticed.

  • It is also used by protocols like ICMP that don’t speak port numbers. The only harm is that it can be used in ICMP DDoS attacks to exhaust bandwidth. That’s not really a danger for Whonix because the local private connection between Gateway and Workstation is local and depends on CPU and not on your actual internet connection. Any such attack would be noticeable by you.

  • Windows is a different story. They are known to not follow best security practices for many things, sometimes on purpose. I don't care for Windows enough to research it. You also have bigger problems, like a system keylogger that phones home behind your back and contrary to your settings. I'd advise you to migrate to Linux even if it seems difficult at first.

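As an added illustration of the first bullet in the summary above (this is example code written for this page, not code from the original thread or from the Whonix project), the following Python script binds a TCP socket to port 0 and reports the ephemeral port the kernel actually assigns in its place, then attempts a connection to destination port 0 on the loopback address to show that such a connection is refused, since no socket can ever be listening on port 0. The loopback address and the one-second timeout are assumptions chosen so the script runs offline.

```python
import errno
import socket


def bind_port_zero(host="127.0.0.1"):
    """Bind a TCP socket to port 0 and return the port the kernel really chose.

    Port 0 is only a placeholder in the bind() call: the operating system
    replaces it with a free ephemeral port (always above 1023), so the socket
    never actually sits on "port 0".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))          # ask for "any free port"
        return sock.getsockname()[1]  # the real port that was assigned


def connect_port_zero(host="127.0.0.1", timeout=1.0):
    """Try to connect to destination port 0 and report how it fails.

    Returns the errno name (e.g. 'ECONNREFUSED') raised by the connect
    attempt, or None if the connection unexpectedly succeeds.  Because no
    listener can exist on port 0, the attempt is refused; on a real network
    path the same attempt would still emit a packet with destination port 0,
    which is what a gateway-side traffic monitor would log.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)  # assumption: keep a failed attempt short
        try:
            sock.connect((host, 0))
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc))
        return None


if __name__ == "__main__":
    port = bind_port_zero()
    print(f"bind() to port 0 was turned into ephemeral port {port}")
    print(f"connect() to port 0 failed with {connect_port_zero()}")
```

Running the script twice will usually print two different ephemeral ports, which is the point: nothing persistent lives at port 0, and a monitoring tool that reports a connection to `host:0` is seeing an outbound attempt from the client side, not an open service on the Gateway.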