Go To Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Download Pdf
ACLs and Ephemeral Ports
The Network ACL uses an ephemeral port range of 49152-65535. However, you might want to use a different range for your network ACLs. This section explains why. The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system.
Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000. Requests originating from Elastic Load Balancing use ports 1024-65535. Windows operating systems through Windows Server 2003 use ports 1025-5000. Windows Server 2008 uses ports 49152-65535. Therefore, if a request comes in to a web server in your VPC from a Windows XP client on the Internet, your network ACL must have an outbound rule to enable traffic destined for ports 1025-5000.
If an EC2 instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance
(Amazon Linux, Windows Server 2008, and so on.)
In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC; you need to open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Make sure to place the DENY rules earlier in the table than the rule that opens the wide range of ephemeral ports.
Go To Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Download Pdf
_______________________________________________________________________________________________________________________
Click to View What Learners Say about us : Testimonials
We have training subscriber from TCS, IBM, INFOSYS, ACCENTURE, APPLE, HEWITT, Oracle , NetApp , Capgemini etc.
