Kanna'n Hassouna

Reputation: 102

ACLs Configuration

I hope you are doing well.

While I was reading the docs for AWS ACLs, they mentioned something called Ephemeral Ports, and I didn't understand it well. It would be really great if someone could explain it to me.

Another thing: I want to allow all the traffic on port 3000 and at the same time block the response to this traffic (learning purposes), so here is what I have done:

In the ACL associated with the subnet, in the inbound rules, I have allowed all traffic on all ports, but in the outbound rules I have denied the traffic on HTTP port 3000. With this configuration I could get the request on the server and at the same time get the response in the browser, so I didn't block the response.

What is wrong with this configuration?

Is there a way to allow the traffic and deny its response on a specific port?

Upvotes: 0

Views: 46

Answers (1)

Daniel Tharp

Reputation: 363

What the Outbound Rules do is prevent the server from making connections to outside resources on the destination port specified. So a server in that security group won't be able to connect to another machine on TCP/3000; that's not the same as what you're attempting to prevent.

When you connect to https://stackoverflow.com, the destination port is 443, but that's not the port that your computer opens to send the request. It uses an Ephemeral Port, a temporary usage of a port in the upper ranges (AWS considers 1024-65535 the range of ephemeral ports). You can see what ports your system decided to use via netstat from your terminal to get an idea of how many are in use in a typical session.

So, to block responses from your application, you'd have to know in advance what port you're using to make the connection (e.g., 44732) and deny it. That can't happen easily, so you would either want to block the whole range (which will likely cause many other problems) or rethink your strategy handling the responses while testing.

Upvotes: 1
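To make the answer concrete, here is a small model of how a stateless network ACL judges the request and the reply separately. This is an added illustration, not code from the question, the answer or AWS; the rule numbers, the service port 3000 and the client's ephemeral port 44732 are constructed values, while the evaluation semantics (rules checked in ascending number order, first match wins, implicit deny at the end) follow the AWS documentation. It runs the three configurations side by side: the one from the question, the "deny the whole ephemeral range" variant the answer warns about, and the usual pattern for serving a port through a NACL.

```python
"""Model of how a stateless AWS network ACL evaluates a request/response pair.

Constructed example for illustration; not AWS code. Rule numbers, ports and the
client ephemeral port 44732 are made up. The NACL semantics modelled (rules
evaluated in ascending number order, first match wins, implicit deny at the end)
match the AWS documentation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int                            # evaluated ascending; lowest matching rule wins
    egress: bool                           # False = inbound rule, True = outbound rule
    protocol: str                          # "tcp", "udp" or "all"
    port_range: Optional[Tuple[int, int]]  # None = all ports
    action: str                            # "allow" or "deny"

    def matches(self, protocol: str, port: int) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.port_range is None:
            return True
        lo, hi = self.port_range
        return lo <= port <= hi


def evaluate(rules: List[Rule], egress: bool, protocol: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one packet, the way a NACL does.

    NACLs are stateless: the ACL never remembers the inbound request, so the
    outbound response packet is judged purely on its own destination port,
    which is the client's ephemeral port, not the service port.
    """
    candidates = [r for r in rules if r.egress == egress]
    for rule in sorted(candidates, key=lambda r: r.number):
        if rule.matches(protocol, dst_port):
            return rule.action
    return "deny"  # the trailing '*' rule every NACL ends with


def request_and_response(rules: List[Rule], service_port: int, client_port: int):
    """Simulate client:client_port -> server:service_port and the server's reply."""
    request = evaluate(rules, egress=False, protocol="tcp", dst_port=service_port)
    response = evaluate(rules, egress=True, protocol="tcp", dst_port=client_port)
    return request, response


# The configuration from the question: allow everything inbound, deny TCP/3000 outbound.
QUESTION_ACL = [
    Rule(100, egress=False, protocol="all", port_range=None, action="allow"),
    Rule(100, egress=True, protocol="tcp", port_range=(3000, 3000), action="deny"),
    Rule(200, egress=True, protocol="all", port_range=None, action="allow"),
]

# What actually stops the reply: deny the ephemeral range the answer names (1024-65535).
# As the answer warns, this also breaks the server's own outbound connections.
DENY_EPHEMERAL_ACL = [
    Rule(100, egress=False, protocol="all", port_range=None, action="allow"),
    Rule(100, egress=True, protocol="tcp", port_range=(1024, 65535), action="deny"),
    Rule(200, egress=True, protocol="all", port_range=None, action="allow"),
]

# The usual stateless pattern for serving a port: open 3000 inbound, ephemeral range outbound.
SERVE_3000_ACL = [
    Rule(100, egress=False, protocol="tcp", port_range=(3000, 3000), action="allow"),
    Rule(100, egress=True, protocol="tcp", port_range=(1024, 65535), action="allow"),
]

if __name__ == "__main__":
    client_port = 44732  # constructed ephemeral port chosen by the browser's OS
    scenarios = [
        ("question", QUESTION_ACL),
        ("deny-ephemeral", DENY_EPHEMERAL_ACL),
        ("serve-3000", SERVE_3000_ACL),
    ]
    for name, acl in scenarios:
        req, resp = request_and_response(acl, 3000, client_port)
        print(f"{name:15} request -> {req:5}  response -> {resp}")
```

Running it shows why the question's rules let the reply through: the outbound deny on 3000 never matches, because the reply packet's destination port is 44732, so it falls to the allow-all rule. Only a deny covering the ephemeral range catches it, at the cost the answer describes.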
