From owner-freebsd-net@FreeBSD.ORG Sun Dec 14 12:31:07 2003
Date: Sun, 14 Dec 2003 15:31:01 -0500
From: Barney Wolff
To: Charles Swiger
cc: net@freebsd.org
Subject: Re: Controlling ports used by natd
Message-ID: <20031214203101.GA5552@pit.databus.com>
In-Reply-To: <72143632-2E6D-11D8-824E-003065A20588@mac.com>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com> <72143632-2E6D-11D8-824E-003065A20588@mac.com>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Dec 14, 2003 at 02:41:00PM -0500, Charles Swiger wrote:
> On Dec 12, 2003, at 7:19 PM, Barney Wolff wrote:
> > I have a real philosophical problem with ceding ports to worms, viruses
> > and trojans. Where will it stop? Portno is a finite resource.
>
> This is a respectable position, but the notion of categorizing ranges
> of ports into an association with a security policy already exists:
> bindresvport().
>
> Perhaps one could argue that this limitation isn't that meaningful now
> that it's unfortunately common for malware to be running with root
> privileges-- or the Windows equivalent, more likely. Still, if you and
> your users don't run untrusted programs as root, system permissions
> will prevent malware from acting as a rogue
> DHCP/DNS/arp/routed/NMBD/whatever server, sniffing the local network,
> etc...all of which contributes to slowing down the opportunities for
> and rate at which a worm spreads.

The difference is who gets to decide that a port or port range is reserved. I'm happy to cede authority to the IANA, or other standards body. I'm not willing to cede it to malware writers.

Regardless of philosophy, correctly configured stateful firewalls do not need to prevent ordinary programs from binding particular source port numbers to prevent access to and spread of worms. It's enough to block particular dest ports on requests.* Statefulness is required to tell a UDP request from a response.

* Actually, a sensible firewall config allows only needed ports and blocks all others.

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
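The argument above (block by destination port on requests, keep state so a UDP reply can be told from a UDP request, and leave source ports alone) can be shown with a small decision-logic model. This is an added example, not code from the thread, from natd or from ipfw: it is a simplified imitation of an ipfw-style "keep-state / check-state" rule set, not real ipfw syntax, and the addresses, the inside prefix 10.0.0.0/24, the "needed ports" list and the packet scenarios are all constructed for the illustration.

```python
"""Stateful vs. stateless filtering of UDP/TCP, as a model of the point made
in the mail above.  Added example; not code from the original thread, natd
or ipfw.  The rule semantics are a deliberately simplified stand-in for
ipfw's keep-state/check-state, and all addresses and ports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


# "allow only needed ports and block all others": destination ports that
# inside hosts may open requests to.  Constructed list for the example.
NEEDED_OUT_DPORTS = {("udp", 53), ("udp", 123), ("tcp", 80), ("tcp", 443)}

INSIDE_PREFIX = "10.0.0."   # assumed inside network for the example


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


class StatefulFirewall:
    """Default deny; outbound requests to needed dest ports create state;
    inbound traffic is accepted only if it matches recorded state."""

    def __init__(self):
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.state = set()

    def filter(self, pkt):
        inbound = not is_inside(pkt.src)
        if inbound:
            # check-state: is this the reply to a request we let out?
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.state:
                return "allow (state)"
            # No unsolicited inbound requests at all, whatever the source port.
            return "deny"
        # Outbound: only the needed destination ports; the source port is
        # irrelevant to the decision, so nothing restricts what a program binds.
        if (pkt.proto, pkt.dport) in NEEDED_OUT_DPORTS:
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow (keep-state)"
        return "deny"


def stateless_filter(pkt):
    """The weaker rule set a stateful one replaces.  Without state it has to
    admit DNS replies with a rule like 'allow udp from any 53 to any', and
    that rule cannot tell a reply from a request sent with source port 53."""
    if is_inside(pkt.src):
        return "allow" if (pkt.proto, pkt.dport) in NEEDED_OUT_DPORTS else "deny"
    if pkt.proto == "udp" and pkt.sport == 53:
        return "allow"
    return "deny"


def run_demo():
    """Constructed scenarios; returns the verdict for each so it can be checked."""
    fw = StatefulFirewall()
    query = Packet("udp", "10.0.0.5", 4242, "192.0.2.53", 53)       # DNS query out
    reply = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 4242)       # its reply
    probe = Packet("udp", "198.51.100.7", 53, "10.0.0.5", 1434)     # worm probe, sport 53
    worm_out = Packet("tcp", "10.0.0.5", 135, "198.51.100.9", 135)  # worm spreading out
    odd_sport = Packet("tcp", "10.0.0.5", 53, "198.51.100.9", 80)   # HTTP from a "reserved" sport
    return {
        "dns query out": fw.filter(query),
        "dns reply in": fw.filter(reply),
        "probe from sport 53, stateful": fw.filter(probe),
        "probe from sport 53, stateless": stateless_filter(probe),
        "worm out to dport 135": fw.filter(worm_out),
        "http out from sport 53": fw.filter(odd_sport),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:32s} -> {verdict}")
```

The two verdicts worth comparing are the ones for the probe: the stateful filter drops the packet sent from source port 53 because no query preceded it, while the stateless rule has to accept it. The outbound worm is stopped by its destination port alone, and the HTTP request bound to source port 53 goes through, which is the sense in which controlling what source ports a program (or natd) uses buys nothing once destination ports are filtered statefully.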