Date: Fri, 12 Dec 2003 16:20:04 -0700
From: Brett Glass <brett@lariat.org>
To: Barney Wolff <barney@databus.com>
Cc: net@freebsd.org
Subject: Re: Controlling ports used by natd
Message-ID: <6.0.0.22.2.20031212161250.045e9408@localhost>
In-Reply-To: <20031212181944.GA33245@pit.databus.com>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com>
At 11:19 AM 12/12/2003, Barney Wolff wrote:

>How is this problem confined to NAT? Seems to me that any system
>connecting to the Internet would have the same issue, if it's actually
>a problem at all.

Well, yes and no. A system behind a firewall that uses a port that's commonly used by a worm could find a session blocked, because the firewall can't trust it not to be infected just because it's inside. But hopefully, it'd retry and would get another port the next time. With NAT, there's a bigger problem: the firewall that's doing NAT may give it the same port again and again, locking it out. (I've seen this happen.)

>So if I were going to solve it (which I'm not) I would expose the kernel's
>"pick a high port" function, add hitlist capability, and have libalias use it.

Not a bad way to go, actually. It'd be nice to restrict which ports the OS allowed apps to use, not only so that they don't get blocked by a firewall but so that a worm that's gotten into the system is detected. (You could set off an alarm if it tried to bind a "forbidden" port.)

--Brett
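The design sketched in this exchange, a "pick a high port" allocator that consults a hitlist of ports it must never hand out, plus an alarm on any attempt to bind one of those ports, as an added example in C. This is illustrative code written for this page, not code from the thread, from the FreeBSD kernel, or from libalias. It assumes the IANA dynamic range 49152-65535 as the "high port" range, uses a small caller-supplied linear congruential generator so results are reproducible (a kernel would use its own entropy source), and the hitlist entries are constructed placeholder values, not a real list of worm ports.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* "High" (ephemeral) port range; the IANA dynamic range is an assumption here. */
#define EPHEMERAL_LO 49152u
#define EPHEMERAL_HI 65535u

/* Hitlist of ports the allocator must never hand out. These values are
 * CONSTRUCTED placeholders for this example, not real worm ports. */
static const uint16_t hitlist[] = { 49200, 50000, 60000 };
static const size_t hitlist_len = sizeof hitlist / sizeof hitlist[0];

/* True if port appears on the hitlist. Linear scan is fine for a short list;
 * a kernel would use a bitmap over the port space. */
bool port_is_forbidden(uint16_t port, const uint16_t *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == port)
            return true;
    return false;
}

/* Pick a random high port that is not on the hitlist. Retries up to max_tries
 * times and returns 0 (never a valid ephemeral port) if none was found. The
 * retry loop is what keeps a NAT from handing out the same blocked port
 * over and over, the failure mode described in the message above. */
uint16_t pick_high_port(const uint16_t *list, size_t n, uint32_t *state, int max_tries)
{
    const uint32_t span = EPHEMERAL_HI - EPHEMERAL_LO + 1;
    for (int i = 0; i < max_tries; i++) {
        *state = *state * 1103515245u + 12345u;          /* toy LCG, example only */
        uint16_t port = (uint16_t)(EPHEMERAL_LO + ((*state >> 16) % span));
        if (!port_is_forbidden(port, list, n))
            return port;
    }
    return 0;
}

/* Detection side: a bind attempt on a forbidden port should raise an alarm.
 * Returns true when an alarm is warranted and fills msg with the alert text. */
bool bind_attempt_alarms(uint16_t port, const uint16_t *list, size_t n,
                         char *msg, size_t msglen)
{
    if (!port_is_forbidden(port, list, n))
        return false;
    snprintf(msg, msglen, "ALARM: bind() attempted on forbidden port %u", (unsigned)port);
    return true;
}

/* Self-check used by the tests: run the allocator n_picks times and count how
 * many results were either out of range or on the hitlist. Expected: 0. */
int count_bad_picks(int n_picks, uint32_t seed)
{
    uint32_t state = seed;
    int bad = 0;
    for (int i = 0; i < n_picks; i++) {
        uint16_t p = pick_high_port(hitlist, hitlist_len, &state, 8);
        if (p < EPHEMERAL_LO || port_is_forbidden(p, hitlist, hitlist_len))
            bad++;
    }
    return bad;
}

int main(void)
{
    uint32_t state = 12345u;
    char msg[80];
    for (int i = 0; i < 5; i++)
        printf("allocated port %u\n", (unsigned)pick_high_port(hitlist, hitlist_len, &state, 8));
    if (bind_attempt_alarms(50000, hitlist, hitlist_len, msg, sizeof msg))
        puts(msg);
    return 0;
}
```

The two halves map onto the two ideas in the message: `pick_high_port` is the allocator a NAT (or the socket layer) would call so that a blocked port is never reused, and `bind_attempt_alarms` is the hook that turns an application asking for a forbidden port into a detection event rather than a silent failure.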
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20031212161250.045e9408>