In very simple terms, programs running on a computer can communicate with other computers via the internet, but they need to choose a port. This is so computers know which program to send incoming information to, because otherwise it all just comes into the same place (information is sent over the internet via different protocols - ways of formatting and interpreting data, but it’s all just raw binary data until a program can interpret it).
Web servers use port 80 and 443 and communicate with protocols HTTP and HTTPS.
This change is to prevent Roblox servers from being able to potentially communicate with unintended programs on other computers on the internet that are not intended for processing regular HTTP traffic (i.e. fetching webpages, or returning data via web API). Roblox only wants to be able to talk to web servers via HttpService, and not e.g. file transfer software or email servers. Your own programs may listen for data on higher ports if you so choose. This is safer because it’s your software, and your software does not necessarily have super high permissions on the computer unless you unwisely give it that permission. More sensitive programs with very high permissions run on the reserved ports Roblox is blocking.
Port 0 is the only TCP port that is technically not valid for general use (connections). So what happens is that you cannot have a service bound to port 0, let alone connect to port 0.
From a development side (socket programming), port 0 means “doesn’t matter, just pick one that works”. This is generally used when programming clients (not services).
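What “port 0 means pick one that works” looks like at the socket level, as an added example (not from the original post): the listener binds to port 0 and asks the OS which port it actually got, and the client never binds at all, so the kernel assigns it an ephemeral port that the server sees as the peer port. The assumption that the kernel's ephemeral range starts at or above 1024 holds for the default ranges on Linux, macOS and Windows.

```python
import socket


def ephemeral_port_demo(host="127.0.0.1"):
    """Bind a listener to port 0, connect a client to it, and report the ports chosen.

    Returns (server_port, client_port, peer_port_seen_by_server).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS choose a free port
    srv.listen(1)
    server_port = srv.getsockname()[1]   # the port the OS actually picked

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect((host, server_port))     # no bind(): kernel picks the client port
    conn, peer = srv.accept()
    client_port = cli.getsockname()[1]

    conn.close()
    cli.close()
    srv.close()
    return server_port, client_port, peer[1]


if __name__ == "__main__":
    s, c, p = ephemeral_port_demo()
    print(f"server listening on {s}, client connected from {c}, server saw peer port {p}")
```

The same bind-to-0 trick is how test suites and helper daemons avoid hard-coding a port; the only thing they must do is read the chosen port back with `getsockname()` before telling anyone to connect.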
While this change doesn’t affect discord’s webhooks, Discord has started blocking any traffic from Roblox’s servers again as people were not following Discord’s TOS.
What really was the intended point here? Wouldn’t it have been better to allow us to manually restrict ports using a non-scriptable CSV property or something, idk, HttpServiceBlockedPorts
Just researched this, looks like it was done to block other server connection types etc. Obviously, Roblox just wants us to connect to only web servers. Of course it could just be proxied but at that point you’ve already done too much.
Also blocking 1194 looks like you’re directly targeting a VPN protocol.
IIRC, even Chrome and Firefox restrict accessing content from a large number of ports under 1024. So…we still have like 98% of all ports available for use. Sounds good to me.
The Roblox Terms of Use, which includes the updated Roblox Community Standards does not prevent the use of VPNs. It prevents the use of VPNs “to mask your location in order to gain unauthorized access to the Roblox platform, a specific feature, or another user’s account”. This changed in the revision.
This change affects only OpenVPN and not Wireguard or any of the other VPN protocols out there. Nor does it change the question I asked before
Who in the world is trying to get terminal access via the public IP of the container and not just using vpn.roblox.com or awsvpn.roblox.com or any number of entry-points to hit the actual physical server and going into the container that way, pushing it an SSH connection. That is an odd note which should be clarified, “preventing abuse” is an odd move here.
No they won’t be affected. Discord webhooks are having issues currently, though that’s entirely unrelated to this change (which won’t even happen until the date stated in this announcement).
Effectively any public REST endpoint you might want to hit will be using the default HTTP or HTTPS port and be unaffected by this.
However out of curiosity, why? Just want to know from a technical perspective, would be awesome to chat about the technical details. What is the potential security implication of allowing IANA reserved ports, how does it improve the security of Roblox game servers?
You could potentially probe services listening on these ports, but that’s not really a security issue, more of an issue ending up in bad rep lists, you could just use nmap for better results.
Quoted from rfc6335:
Assignment of a service name or port number does not in any way imply an endorsement of an application or product, and the fact that network traffic is flowing to or from an assigned port number does not mean that it is “good” traffic, or even that it is used by the assigned service. Firewall and system administrators should choose how to configure their systems based on their knowledge of the traffic in question, not based on whether or not there is an assigned service name or port number.
Per the above standard, there should be no security implication, incoming packets should be inspected by a firewall, which would de-encapsulate the packet, detect the application-level data is HTTP, drop the packet, and then send a RST probably.
Web browsers block some of the reserved ports, as they’re built for end users.
An HTTP service listening on a reserved port isn’t necessarily safer than an HTTP service on an unassigned port. On Windows Server, a non-administrator user can create a socket listening on a reserved port. On Linux, you do need to initiate it with root iirc, however on both you’d probably need local administrator/root permissions anyway to open the port on the hbfw and serve your malicious content. Also if you gain low-priv access to a server, there is a much greater ROI for just trying to move laterally through the network.
When accessing the internet, you use ports along with the IP within the packet/data being sent.
Ports prevent data being broadcast into every application on your computer. In simple, it’s a lane on a highway, except there’s thousands of them. Without ports, the internet connection to your computer would be a one-way road and the data wouldn’t know what application to hit.
Every “port” is formatted a little differently and is for different things. For example, IMAP is a port used for emailing servers.
I think the reason ROBLOX is preventing any ports except 80 and 443 below 1024 is because there’s a lot of number ports below 1024 that can be more easily used with malicious intent. (Most ports below 1024 sadly are used often, so it is at the same time pretty limiting)
The data limit is certainly to both help ROBLOX’s servers and prevent spamming.
Of course if you are a major developer, your game can probably be whitelisted to bypass these limits like you can with data stores.