From owner-freebsd-net@FreeBSD.ORG Fri Dec 12 16:19:15 2003 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F81C16A4CE for ; Fri, 12 Dec 2003 16:19:15 -0800 (PST) Received: from pit.databus.com (p70-227.acedsl.com [66.114.70.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id D5F8743D31 for ; Fri, 12 Dec 2003 16:19:13 -0800 (PST) (envelope-from barney@pit.databus.com) Received: from pit.databus.com (localhost [127.0.0.1]) by pit.databus.com (8.12.10/8.12.10) with ESMTP id hBD0JDiR040752; Fri, 12 Dec 2003 19:19:13 -0500 (EST) (envelope-from barney@pit.databus.com) Received: (from barney@localhost) by pit.databus.com (8.12.10/8.12.10/Submit) id hBD0JDUb040751; Fri, 12 Dec 2003 19:19:13 -0500 (EST) (envelope-from barney) Date: Fri, 12 Dec 2003 19:19:13 -0500 From: Barney Wolff To: Brett Glass Message-ID: <20031213001913.GA40544@pit.databus.com> References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.0.22.2.20031212161250.045e9408@localhost> User-Agent: Mutt/1.4.1i X-Scanned-By: MIMEDefang 2.38 cc: net@freebsd.org Subject: Re: Controlling ports used by natd X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Dec 2003 00:19:15 -0000 On Fri, Dec 12, 2003 at 04:20:04PM -0700, Brett Glass wrote: > At 11:19 AM 12/12/2003, Barney Wolff wrote: > > >How is this problem confined to NAT? Seems to me that any system > >connecting to the Internet would have the same issue, if it's actually > >a problem at all. > > Well, yes and no. A system behind a firewall that uses a port that's > commonly used by a worm could find a session blocked, because the > firewall can't trust it not to be infected just because it's inside. > But hopefully, it'd retry and would get another port the next time. > With NAT, there's a bigger problem: the firewall that's doing NAT may > give it the same port again and again, locking it out. (I've seen > this happen.) This *should* not happen if the end-host uses different source ports on each try, at least as I read the alias_db.c code. Have you tried the -same_ports option? > >So if I were going to solve it (which I'm not) I would expose the kernel's >>"pick a high port" function, add hitlist capability, and have libalias use it. > > Not a bad way to go, actually. It'd be nice to restrict which ports the OS > allowed apps to use, not only so that they don't get blocked by a firewall > but so that a worm that's gotten into the system is detected. (You could set > off an alarm if it tried to bind a "forbidden" port.) For most systems, the coarse granularity of sysctl net.inet.ip.portrange would seem sufficient. I have a real philosophical problem with ceding ports to worms, viruses and trojans. Where will it stop? Portno is a finite resource. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.