From owner-freebsd-net@FreeBSD.ORG Fri Dec 12 15:21:02 2003
From: Brett Glass
To: Barney Wolff
cc: net@freebsd.org
Date: Fri, 12 Dec 2003 16:20:04 -0700
Subject: Re: Controlling ports used by natd
Message-Id: <6.0.0.22.2.20031212161250.045e9408@localhost>
In-Reply-To: <20031212181944.GA33245@pit.databus.com>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com>
List-Id: Networking and TCP/IP with FreeBSD

At 11:19 AM 12/12/2003, Barney Wolff wrote:

>How is this problem confined to NAT? Seems to me that any system
>connecting to the Internet would have the same issue, if it's actually
>a problem at all.

Well, yes and no.

A system behind a firewall that uses a port that's commonly used by a worm could find a session blocked, because the firewall can't trust it not to be infected just because it's inside. But hopefully, it'd retry and would get another port the next time. With NAT, there's a bigger problem: the firewall that's doing NAT may give it the same port again and again, locking it out. (I've seen this happen.)

>So if I were going to solve it (which I'm not) I would expose the kernel's
>"pick a high port" function, add hitlist capability, and have libalias use it.

Not a bad way to go, actually. It'd be nice to restrict which ports the OS allowed apps to use, not only so that they don't get blocked by a firewall but so that a worm that's gotten into the system is detected. (You could set off an alarm if it tried to bind a "forbidden" port.)

--Brett
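The two ideas in this exchange (a "pick a high port" routine with a hitlist of forbidden ports, and an alarm when a local process tries to bind one) as an added example in C. This is not libalias, natd or FreeBSD kernel code; the type and function names (`portpicker_t`, `pick_port`, `bind_check`) and the forbidden-port values are constructed for illustration. The `avoid` argument is what addresses the NAT problem Brett describes: a retry after a blocked session passes the port it just used, so the chooser never hands the same port back.

```c
/* Added example (not libalias or FreeBSD code): an ephemeral-port chooser
 * with a "hitlist" of forbidden ports, plus a bind check that raises an
 * alarm. All names and port values here are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t  forbidden[65536 / 8]; /* one bit per port: 1 = never hand out */
    uint16_t lo, hi;               /* ephemeral range handed to clients   */
    uint32_t state;                /* PRNG state (xorshift32, demo only)  */
} portpicker_t;

static void portpicker_init(portpicker_t *p, uint16_t lo, uint16_t hi, uint32_t seed)
{
    memset(p, 0, sizeof *p);
    p->lo = lo;
    p->hi = hi;
    p->state = seed ? seed : 1u;   /* xorshift must not start at zero */
}

static void hitlist_add(portpicker_t *p, uint16_t port)
{
    p->forbidden[port >> 3] |= (uint8_t)(1u << (port & 7));
}

static bool hitlist_has(const portpicker_t *p, uint16_t port)
{
    return (p->forbidden[port >> 3] >> (port & 7)) & 1u;
}

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Pick a source port in [lo, hi] that is not on the hitlist and is not
 * `avoid` (the port the previous attempt used). Passing the last port as
 * `avoid` keeps a NAT from handing a blocked client the same port again
 * and again; pass 0 for a first attempt. Returns 0 if no port qualifies. */
static uint16_t pick_port(portpicker_t *p, uint16_t avoid)
{
    uint32_t span = (uint32_t)p->hi - p->lo + 1u;
    for (int tries = 0; tries < 64; tries++) {
        uint16_t cand = (uint16_t)(p->lo + xorshift32(&p->state) % span);
        if (cand != avoid && !hitlist_has(p, cand))
            return cand;
    }
    /* Random probing failed (range nearly exhausted): scan linearly. */
    for (uint32_t port = p->lo; port <= p->hi; port++)
        if (port != avoid && !hitlist_has(p, (uint16_t)port))
            return (uint16_t)port;
    return 0;
}

/* Host-side check for a local bind() request: a process asking for a
 * hitlisted port is refused and reported, the "alarm" from the message. */
static bool bind_check(const portpicker_t *p, uint16_t port, const char *who)
{
    if (hitlist_has(p, port)) {
        fprintf(stderr, "ALERT: %s tried to bind forbidden port %u\n", who, port);
        return false;
    }
    return true;
}

/* Exercise the properties above; returns 1 when every property holds. */
int check_picker(void)
{
    portpicker_t p;
    /* Tiny two-port range so the outcome is deterministic. */
    portpicker_init(&p, 60000, 60001, 42u);
    hitlist_add(&p, 60000);                      /* constructed forbidden port */
    if (pick_port(&p, 0) != 60001) return 0;     /* only eligible port */
    if (pick_port(&p, 60001) != 0) return 0;     /* retry must not reuse it */
    if (bind_check(&p, 60000, "demo")) return 0; /* alarm fires */
    if (!bind_check(&p, 60001, "demo")) return 0;
    /* Wider range: 100 picks stay in range, off the hitlist, never repeat. */
    portpicker_init(&p, 49152, 65535, 7u);
    hitlist_add(&p, 49152);
    uint16_t last = 0;
    for (int i = 0; i < 100; i++) {
        uint16_t port = pick_port(&p, last);
        if (port < 49152 || hitlist_has(&p, port) || port == last) return 0;
        last = port;
    }
    return 1;
}

int main(void)
{
    printf("%s\n", check_picker() ? "port picker OK" : "port picker FAILED");
    return 0;
}
```

The bitmap makes the hitlist lookup O(1) on the allocation path, which matters if a NAT consults it for every new flow; the xorshift generator is only there to keep the example self-contained and would be replaced by the kernel's own random source in real code.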