From owner-freebsd-net@FreeBSD.ORG Fri Dec 12 09:42:01 2003
Message-Id: <6.0.0.22.2.20031212103142.04611738@localhost>
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Fri, 12 Dec 2003 10:41:50 -0700
To: Barney Wolff
From: Brett Glass
cc: net@freebsd.org
In-Reply-To: <20031212083522.GA24267@pit.databus.com>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com>
Subject: Re: Controlling ports used by natd
List-Id: Networking and TCP/IP with FreeBSD

At 01:35 AM 12/12/2003, Barney Wolff wrote:

> Oops, sorry for the confusion. How fancy a change is up to you,
> but changing ALIAS_PORT_BASE and ALIAS_PORT_MASK (and _EVEN)
> would let you confine the port range without much work.

The current algorithm works so long as the blocked ports have numbers less than 32768. But there are now lots of Trojans and worms that use higher ports, and admins may want to block them.

So, there ought to be a way to tell libalias "don't assign anything in this set of ports" -- via a list or a bitmap. If one can tap directly into libalias and make this a global restriction, it might be that other programs (e.g. ppp) could remain blissfully ignorant of it. If the restrictions were allowed to be different for different instances of programs that used libalias (for example, several instances of natd, each handling an interface with unique restrictions), one would have to modify the API of libalias, which might break code if not done carefully.

--Brett
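A sketch of the per-instance port-exclusion bitmap Brett describes, as an added example that is not libalias code or part of the thread. It assumes a base/mask allocation range starting at 32768 (the constants mirror the names in the quoted reply, but the values and all function names are hypothetical), and it shows why carrying the bitmap per instance means the allocator's signature has to change.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed values: libalias-style range 32768..65535; not the real definitions. */
#define ALIAS_PORT_BASE 32768u
#define ALIAS_PORT_MASK 0x7fffu

/* One bit per TCP/UDP port; a set bit means "never hand this port out". */
struct port_exclusions {
    uint32_t bits[65536 / 32];
};

void exclusions_clear(struct port_exclusions *ex) { memset(ex, 0, sizeof *ex); }

/* Block every port in [lo, hi]; out-of-range values are ignored. */
void exclusions_block(struct port_exclusions *ex, unsigned lo, unsigned hi) {
    for (unsigned p = lo; p <= hi && p < 65536; p++)
        ex->bits[p / 32] |= 1u << (p % 32);
}

bool port_is_blocked(const struct port_exclusions *ex, unsigned port) {
    return (ex->bits[port / 32] >> (port % 32)) & 1u;
}

/* Pick an alias port in [BASE, BASE+MASK], starting from a seed-derived
 * candidate and skipping blocked ports. Returns 0 if the whole range is
 * blocked so the caller can refuse the translation instead of looping. */
unsigned choose_alias_port(const struct port_exclusions *ex, uint32_t seed) {
    for (unsigned i = 0; i <= ALIAS_PORT_MASK; i++) {
        unsigned candidate = ALIAS_PORT_BASE + ((seed + i) & ALIAS_PORT_MASK);
        if (!port_is_blocked(ex, candidate))
            return candidate;
    }
    return 0;
}

/* Constructed scenario: block 40000..40010, then request a port whose natural
 * candidate is 40005; the allocator must step past the block to 40011. */
unsigned demo_skip_blocked_range(void) {
    struct port_exclusions ex;
    exclusions_clear(&ex);
    exclusions_block(&ex, 40000, 40010);
    return choose_alias_port(&ex, 40005 - ALIAS_PORT_BASE);
}

/* Constructed scenario: everything above 32767 blocked, so allocation fails. */
unsigned demo_all_blocked(void) {
    struct port_exclusions ex;
    exclusions_clear(&ex);
    exclusions_block(&ex, ALIAS_PORT_BASE, 65535);
    return choose_alias_port(&ex, 0);
}
```

Because each natd instance would own its own `struct port_exclusions`, the allocator has to take it as a parameter, which is exactly the API change the message warns could break existing callers.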