From owner-freebsd-security Fri Aug 4 07:18:16 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id HAA13343 for security-outgoing; Fri, 4 Aug 1995 07:18:16 -0700
Received: from gateway.fedex.com (gateway.fedex.com [198.80.10.2]) by freefall.cdrom.com (8.6.11/8.6.6) with SMTP id HAA13334 ; Fri, 4 Aug 1995 07:18:13 -0700
Received: by gateway.fedex.com id AA05932 (InterLock SMTP Gateway 3.0); Fri, 4 Aug 1995 09:18:09 -0500
Message-Id: <199508041418.AA05932@gateway.fedex.com>
Received: by gateway.fedex.com (Internal Mail Agent-2); Fri, 4 Aug 1995 09:18:09 -0500
Received: by gateway.fedex.com (Internal Mail Agent-1); Fri, 4 Aug 1995 09:18:09 -0500
To: Paul Traina
Cc: security@freefall.cdrom.com
Subject: Re: FTP data port restrictions
Date: Fri, 04 Aug 1995 09:19:37 -0500
From: William McVey - wam
Sender: security-owner@FreeBSD.org
Precedence: bulk

Paul Traina wrote:
>The basic idea here is that we leave 40000-44999 open, since no known
>sane services reside there (yeah, sure...) at the firewalls, and can
>therefore button down everything else.

It's important for people to realize that allowing arbitrary connections into your inside network, even if they are destined for these ranges, is still not a safe thing to do. The problem is that although no *sane* services are running in this block of ports, we still have the problem of RPC dynamic port allocation, so for as far as we know nfsd or mountd could be running in this range.

The feature of restricting port ranges may still be useful for proxy services (since you know you aren't running any rpc services on your proxy host), but if a site's security depends on a screening router, I'd hate for people to get the idea that these ports are deemed "safe".

-- William
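The check William is describing, as an added example that is not part of the original message or of any FreeBSD code: before trusting a screening-router rule that lets inbound connections through to a "reserved for FTP data" block such as 40000-44999, ask the portmapper on each inside host what it has actually handed out and flag anything that landed in that block. The script parses `rpcinfo -p` output; the sample output, the service names and the port numbers in it are constructed for illustration, and the `OPEN_RANGE` bounds are an assumption taken from the thread.

```python
"""Audit portmapper registrations against a firewall "open" port range.

Added example, not code from the mailing-list thread. Parses `rpcinfo -p`
output and reports every RPC service whose dynamically assigned port falls
inside a range a screening router leaves open for inbound connections.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Port block the screening router leaves open for inbound FTP data
# connections (the 40000-44999 range from the thread). Assumed; adjust.
OPEN_RANGE = (40000, 44999)

# Constructed sample of `rpcinfo -p` output. The ports for mountd and
# nlockmgr are invented to show dynamic assignment landing in the block.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  41234  mountd
    100005    1   tcp  41234  mountd
    100003    3   tcp   2049  nfs
    100021    1   udp  43001  nlockmgr
    100024    1   tcp   1023  status
"""

# (program, version, proto, port, service)
Registration = Tuple[int, int, str, int, str]

# One data line of `rpcinfo -p`; the service column is optional because the
# portmapper does not always know a name for a registered program number.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text: str) -> List[Registration]:
    """Turn `rpcinfo -p` output into a list of registrations.

    The header line and anything that does not look like a registration
    are skipped rather than raising, since rpcinfo formats vary slightly.
    """
    regs: List[Registration] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        prog, vers, proto, port, svc = m.groups()
        regs.append((int(prog), int(vers), proto, int(port), svc or ""))
    return regs


def exposed_in_range(regs: List[Registration],
                     low: int = OPEN_RANGE[0],
                     high: int = OPEN_RANGE[1],
                     proto: Optional[str] = None) -> List[Registration]:
    """Registrations whose port lies in [low, high].

    These are the RPC services reachable straight through a router rule
    that permits inbound traffic to the range. Pass proto="tcp" or "udp"
    to match only the transport the router rule actually opens.
    """
    return [r for r in regs
            if low <= r[3] <= high and (proto is None or r[2] == proto)]


def audit(text: Optional[str] = None) -> List[str]:
    """Return one warning line per exposed registration.

    With text=None the live portmapper is queried via `rpcinfo -p`; the
    parsed output is otherwise taken from the string supplied.
    """
    if text is None:
        text = subprocess.run(["rpcinfo", "-p"], capture_output=True,
                              text=True, check=True).stdout
    hits = exposed_in_range(parse_rpcinfo(text))
    return ["%s/%d (program %d v%d) is inside open range %d-%d"
            % (r[2], r[3], r[0], r[1], OPEN_RANGE[0], OPEN_RANGE[1])
            for r in hits] or ["no RPC services in open range %d-%d"
                               % OPEN_RANGE]


if __name__ == "__main__":
    # Run on the constructed sample; replace with audit() for a live host.
    for warning in audit(SAMPLE_RPCINFO):
        print(warning)
```

Any hit means the "no sane services live there" assumption behind the router rule is false for that host, and the assignment can change on the next reboot, so this is a check to repeat, not a one-time proof of safety.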