标题: Opera/Chrome客户端对目标端口的限制

创建: 2022-05-21 16:15
更新: 2022-05-22 13:51
链接: https://scz.617.cn/web/202205211615.txt

Opera/Chrome客户端对目标端口有限制，参看

--------------------------------------------------------------------------
How to fix ERR_UNSAFE_PORT error on Chrome when browsing to unsafe ports - [2010-09-13]
https://superuser.com/questions/188006/how-to-fix-err-unsafe-port-error-on-chrome-when-browsing-to-unsafe-ports

Which ports are considered unsafe by Chrome - [2010-09-13]
https://superuser.com/questions/188058/which-ports-are-considered-unsafe-by-chrome

https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/net/base/port_util.cc
--------------------------------------------------------------------------

简单点说，在Opera GUI中输入"https://<FQDN>:<port>/"时，这个<port>有限制。
port_util.cc中有个数组，kRestrictedPorts[]，定义了一堆端口号，当<port>位于
其中时，会得到这样的提示

--------------------------------------------------------------------------
This site can't be reached

The webpage at https://<FQDN>:<port>/ might be temporarily down or it may
have moved permanently to a new web address.

ERR_UNSAFE_PORT
--------------------------------------------------------------------------

ERR_UNSAFE_PORT提示是Opera客户端直接产生的，在本地产生的，连SYN包都不会发
出去。加命令行参数可以绕过这个客户端限制

--explicitly-allowed-ports=<port,port,...>

比如

launcher.exe --explicitly-allowed-ports=25,465,587,993,2525

在其中访问

https://imap.gmail.com:993/

同时用Wireshark抓包，过滤imap.gmail.com解析出来的IP，可以看到发往993/TCP的
SYN包。

Google为什么要在Chrome客户端做这种限制？有人尝试解释了一下

Why does Chrome consider some ports unsafe - [2012-08-23]
https://jazzy.id.au/2012/08/23/why_does_chrome_consider_some_ports_unsafe.html

The reason it's called unsafe is not because it's unsafe to Chrome, it's
because it's unsafe to those services, where an attacker may try to use
Chrome as a proxy to attacking services on those ports.

我对WEB前端安全不了解，只能看个大概。即使上篇中的理由成立，仍然觉得Google
有些吃饱了没事做。

--------------------------------------------------------------------------
// The general list of blocked ports. Will be blocked unless a specific
// protocol overrides it. (Ex: ftp can use port 21)
// When adding a port to the list, consider also adding it to kAllowablePorts,
// below.
const int kRestrictedPorts[] = {
    1,      // tcpmux
    7,      // echo
    9,      // discard
    11,     // systat
    13,     // daytime
    15,     // netstat
    17,     // qotd
    19,     // chargen
    20,     // ftp data
    21,     // ftp access
    22,     // ssh
    23,     // telnet
    25,     // smtp
    37,     // time
    42,     // name
    43,     // nicname
    53,     // domain
    69,     // tftp
    77,     // priv-rjs
    79,     // finger
    87,     // ttylink
    95,     // supdup
    101,    // hostriame
    102,    // iso-tsap
    103,    // gppitnp
    104,    // acr-nema
    109,    // pop2
    110,    // pop3
    111,    // sunrpc
    113,    // auth
    115,    // sftp
    117,    // uucp-path
    119,    // nntp
    123,    // NTP
    135,    // loc-srv /epmap
    137,    // netbios
    139,    // netbios
    143,    // imap2
    161,    // snmp
    179,    // BGP
    389,    // ldap
    427,    // SLP (Also used by Apple Filing Protocol)
    465,    // smtp+ssl
    512,    // print / exec
    513,    // login
    514,    // shell
    515,    // printer
    526,    // tempo
    530,    // courier
    531,    // chat
    532,    // netnews
    540,    // uucp
    548,    // AFP (Apple Filing Protocol)
    554,    // rtsp
    556,    // remotefs
    563,    // nntp+ssl
    587,    // smtp (rfc6409)
    601,    // syslog-conn (rfc3195)
    636,    // ldap+ssl
    989,    // ftps-data
    990,    // ftps
    993,    // ldap+ssl
    995,    // pop3+ssl
    1719,   // h323gatestat
    1720,   // h323hostcall
    1723,   // pptp
    2049,   // nfs
    3659,   // apple-sasl / PasswordServer
    4045,   // lockd
    5060,   // sip
    5061,   // sips
    6000,   // X11
    6566,   // sane-port
    6665,   // Alternate IRC [Apple addition]
    6666,   // Alternate IRC [Apple addition]
    6667,   // Standard IRC [Apple addition]
    6668,   // Alternate IRC [Apple addition]
    6669,   // Alternate IRC [Apple addition]
    6697,   // IRC + TLS
    10080,  // Amanda
};
--------------------------------------------------------------------------

Mozilla Firefox也有类似的"Blocked Ports"

Ports blocked by default in Mozilla
https://www-archive.mozilla.org/projects/netlib/portbanning#portlist

--------------------------------------------------------------------------
Port    Service
1       tcpmux
7       echo
9       discard
11      systat
13      daytime
15      netstat
17      qotd
19      chargen
20      ftp data
21      ftp control
22      ssh
23      telnet
25      smtp
37      time
42      name
43      nicname
53      domain
77      priv-rjs
79      finger
87      ttylink
95      supdup
101     hostriame
102     iso-tsap
103     gppitnp
104     acr-nema
109     POP2
110     POP3
111     sunrpc
113     auth
115     sftp
117     uucp-path
119     NNTP
123     NTP
135     loc-srv / epmap
139     netbios
143     IMAP2
179     BGP
389     LDAP
465     SMTP+SSL
512     print / exec
513     login
514     shell
515     printer
526     tempo
530     courier
531     chat
532     netnews
540     uucp
556     remotefs
563     NNTP+SSL
587     submission
601     syslog
636     LDAP+SSL
993     IMAP+SSL
995     POP3+SSL
2049    nfs
4045    lockd
6000    X11
--------------------------------------------------------------------------