From owner-freebsd-net@FreeBSD.ORG Sun Dec 14 11:40:49 2003
From: Charles Swiger
Date: Sun, 14 Dec 2003 14:41:00 -0500
To: Barney Wolff
cc: net@freebsd.org
Subject: Re: Controlling ports used by natd
Message-Id: <72143632-2E6D-11D8-824E-003065A20588@mac.com>
In-Reply-To: <20031213001913.GA40544@pit.databus.com>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com>

On Dec 12, 2003, at 7:19 PM, Barney Wolff wrote:

> I have a real philosophical problem with ceding ports to worms, viruses
> and trojans. Where will it stop? Portno is a finite resource.

This is a respectable position, but the notion of categorizing ranges of ports into an association with a security policy already exists: bindresvport(). Perhaps one could argue that this limitation isn't that meaningful now that it's unfortunately common for malware to be running with root privileges -- or the Windows equivalent, more likely. Still, if you and your users don't run untrusted programs as root, system permissions will prevent malware from acting as a rogue DHCP/DNS/arp/routed/NMBD/whatever server, sniffing the local network, etc... all of which contributes to slowing down the opportunities for and rate at which a worm spreads.

-- 
-Chuck
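An added example, not from Chuck's message or from the FreeBSD sources, illustrating the bindresvport()-style policy he refers to: a process walks the reserved range 512-1023 on the loopback address and binds the first free port, which the kernel refuses with EACCES unless the caller has root (or, on Linux, CAP_NET_BIND_SERVICE). The loopback address, the 512-1023 range and the function names are this example's own assumptions.

```c
/* Added example (not from the thread): a bindresvport()-style allocator for
 * the reserved range 512-1023, used to show that port-range policy is
 * enforced by the kernel against unprivileged callers. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ports below IPPORT_RESERVED (1024) may only be bound by root
 * (or a process holding CAP_NET_BIND_SERVICE on Linux). */
int is_reserved_port(int port) {
    return port > 0 && port < IPPORT_RESERVED;
}

/* Try to bind fd to 127.0.0.1:port for each port in [lo, hi], the way
 * bindresvport() walks 512-1023.  Returns the bound port on success or
 * -errno of the last failure: EACCES means the policy refused us,
 * EADDRINUSE means every port was merely taken. */
int bind_first_free_port(int fd, int lo, int hi) {
    struct sockaddr_in sin;
    int last_err = EADDRNOTAVAIL;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* assumption: loopback */
    for (int port = lo; port <= hi; port++) {
        sin.sin_port = htons((uint16_t)port);
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0)
            return port;
        last_err = errno;
        if (last_err == EACCES)   /* policy, not contention: stop walking */
            break;
    }
    return -last_err;
}

/* Create a TCP socket, attempt the reserved range, release the socket and
 * return the result of bind_first_free_port(). */
int try_reserved_range(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    int r = bind_first_free_port(fd, 512, IPPORT_RESERVED - 1);
    close(fd);
    return r;
}
```

Run once as an ordinary user and once as root: the first call returns -EACCES, the second returns the port it claimed, which is the privilege boundary the message is relying on.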