Date: Sun, 14 Dec 2003 14:41:00 -0500
From: Charles Swiger <cswiger@mac.com>
To: Barney Wolff <barney@databus.com>
Cc: net@freebsd.org
Subject: Re: Controlling ports used by natd
Message-ID: <72143632-2E6D-11D8-824E-003065A20588@mac.com>
In-Reply-To: <20031213001913.GA40544@pit.databus.com>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com>
On Dec 12, 2003, at 7:19 PM, Barney Wolff wrote:

> I have a real philosophical problem with ceding ports to worms, viruses
> and trojans. Where will it stop? Portno is a finite resource.

This is a respectable position, but the notion of categorizing ranges of ports into an association with a security policy already exists: bindresvport().

Perhaps one could argue that this limitation isn't that meaningful now that it's unfortunately common for malware to be running with root privileges-- or the Windows equivalent, more likely. Still, if you and your users don't run untrusted programs as root, system permissions will prevent malware from acting as a rogue DHCP/DNS/arp/routed/NMBD/whatever server, sniffing the local network, etc., all of which contributes to slowing down the opportunities for and rate at which a worm spreads.

-- 
-Chuck
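The kernel-enforced port policy Chuck refers to is the reserved-port boundary (ports below IPPORT_RESERVED, 1024): an unprivileged process gets EACCES from bind() for such a port, which is the same rule bindresvport() relies on when it picks a reserved port on the caller's behalf. The following C program is an added illustration of that check, not code from the thread; it probes two constructed sample ports on the loopback interface and reports the errno the kernel returns. The outcome for the reserved port depends on the privilege of the user running it (and, on newer Linux kernels, on the net.ipv4.ip_unprivileged_port_start sysctl), which is exactly the point.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* IPPORT_RESERVED (1024) is the boundary the kernel enforces: binding a
 * port below it requires root (or CAP_NET_BIND_SERVICE on Linux).
 * Port 0 means "pick any ephemeral port" and is never reserved. */
int is_reserved_port(uint16_t port)
{
    return port != 0 && port < IPPORT_RESERVED;
}

/* Try to bind a TCP socket to 127.0.0.1:port.
 * Returns 0 on success, otherwise the errno reported by socket()/bind();
 * EACCES is what an unprivileged caller sees for a reserved port. */
int try_bind_port(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int rc = 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        rc = errno;
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed sample ports: one reserved, one unprivileged. */
    uint16_t probes[] = { 1023, 8080 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int rc = try_bind_port(probes[i]);
        printf("port %u (%s): %s\n", probes[i],
               is_reserved_port(probes[i]) ? "reserved" : "unprivileged",
               rc == 0 ? "bind ok" : strerror(rc));
    }
    return 0;
}
```

Run it once as a normal user and once as root: the reserved port binds only in the second case, while the unprivileged port binds either way. That privilege gate is what keeps a non-root process from standing up its own listener on a well-known service port.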