Date: Fri, 04 Aug 1995 07:33:31 -0700 From: Paul Traina <pst@shockwave.com> To: William McVey - wam <wamcvey@fedex.com> Cc: security@freefall.cdrom.com Subject: Re: FTP data port restrictions Message-ID: <199508041433.HAA02273@precipice.shockwave.com> In-Reply-To: Your message of "Fri, 04 Aug 1995 09:19:37 CDT." <199508041418.AA05932@gateway.fedex.com>
next in thread | previous in thread | raw e-mail | index | archive | help
From: William McVey - wam <wamcvey@fedex.com> Subject: Re: FTP data port restrictions Paul Traina wrote: >The basic idea here is that we leave 40000-44999 open, since no known >sane services reside there (yeah, sure...) at the firewalls, and can >therefore button down everything else. It's important for people to realize that allowing arbitrary connections into your inside network even if they are destined for these ranges is still not a safe thing to do. The problem is that although no *sane* services are running in this block of ports, we still have the problem of RPC dynamic port allocation, so for as far as we know nfsd or mountd could be running in this range. We can only go so far as to fix our own software. Services that don't -specificly- bind themselves to a port (i.e. anyone who calls bind with a 0 port, get assigned a range from 1024 to 5000), which is why you will never see floating RPC daemons in ports greater than 5000. Other RPC daemons, such as NFS, which do lock themselves down to a particular port can fall outside that range, but if they're locked down, you can block them. The feature of resticting port ranges may still be usefull for proxy services (since you know you aren't running any rpc services on your proxy host), but if a site's security depends on a screening router, I'd hate for people to get the idea that these ports are deemed "safe". I agree, and the documentation will say something to that effect, but given the unfortunate situation we currently have, where bloody daemons and user stuff share the same range of ports, we're seriously SOL. If we had it to do over again, we should have reserved the bottom 8k for privileged daemons, then next 8k for unprivileged services, then next 16k for floating services, and the top 32k for client sourced ports. Oh well..
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199508041433.HAA02273>