From owner-freebsd-net@FreeBSD.ORG Fri Dec 12 17:18:00 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 40B6516A4CE for ; Fri, 12 Dec 2003 17:18:00 -0800 (PST)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9A37B43D31 for ; Fri, 12 Dec 2003 17:17:58 -0800 (PST) (envelope-from brett@lariat.org)
Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA23551; Fri, 12 Dec 2003 18:17:54 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.0.0.22.2.20031212175801.04b066d8@localhost>
X-Sender: brett@localhost (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Fri, 12 Dec 2003 18:17:46 -0700
To: Barney Wolff
From: Brett Glass
In-Reply-To: <20031213001913.GA40544@pit.databus.com>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: net@freebsd.org
Subject: Re: Controlling ports used by natd
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 13 Dec 2003 01:18:00 -0000

At 05:19 PM 12/12/2003, Barney Wolff wrote:

>For most systems, the coarse granularity of sysctl net.inet.ip.portrange
>would seem sufficient.

This brings up an interesting point.
I just typed sysctl -a | grep portrange into a recently minted 4.9 box, and got:

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

Why is "lowfirst" greater than "lowlast" above?

It is also interesting that natd doesn't respect the "hifirst..hilast" settings here. Shouldn't it look at these variables and avoid assigning ports that the machine on which it's running would not use? Or should there be a "net.inet.alias.portrange.first", etc., so that one could specify the ranges or lists for everything in one place?

>I have a real philosophical problem with ceding ports to worms, viruses
>and trojans. Where will it stop? Portno is a finite resource.

In theory, it stops when all Windows users have patched their machines. Alas, this will happen when a very warm place freezes over. :-(

In practice, I think we need to come up with something better than the notions of "well-known" and "privileged" ports. Something that, unlike portmap, is easy for firewalls to work with.

--Brett
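An added example, not part of Brett's message and not code from natd or FreeBSD: a POSIX sh script that parses sysctl output in the "name: value" form shown above (a constructed sample with the same six values) and reports which of the kernel's port ranges, if any, a given port falls in, treating a "first" larger than "last" as a range walked downward rather than as an error. The PORTRANGE_INPUT variable is an assumption of this script; on a live FreeBSD host set it to the output of sysctl net.inet.ip.portrange to check real values.

```shell
#!/bin/sh
# Added example (not from the original message, natd or FreeBSD):
# classify ports against the kernel's net.inet.ip.portrange settings.
# Constructed sample in "sysctl name: value" form; override with
# PORTRANGE_INPUT="$(sysctl net.inet.ip.portrange)" on a live host.
SAMPLE_SYSCTL='net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535'
PORTRANGE_INPUT=${PORTRANGE_INPUT:-$SAMPLE_SYSCTL}

# portrange_get NAME: print the value of net.inet.ip.portrange.NAME.
portrange_get() {
    printf '%s\n' "$PORTRANGE_INPUT" |
        awk -v key="net.inet.ip.portrange.$1:" '$1 == key { print $2 }'
}

# range_contains PORT FIRST LAST: succeed if PORT lies in [FIRST, LAST].
# FIRST > LAST (e.g. the low range, 1023 down to 600) is a descending
# range, so the bounds are swapped rather than rejected.
range_contains() {
    rc_port=$1 rc_lo=$2 rc_hi=$3
    if [ "$rc_lo" -gt "$rc_hi" ]; then
        rc_t=$rc_lo; rc_lo=$rc_hi; rc_hi=$rc_t
    fi
    [ "$rc_port" -ge "$rc_lo" ] && [ "$rc_port" -le "$rc_hi" ]
}

# which_range PORT: print low, default, high, or none (exit 1 for none).
which_range() {
    for wr_name in low default high; do
        case $wr_name in
        low)     wr_f=$(portrange_get lowfirst); wr_l=$(portrange_get lowlast) ;;
        default) wr_f=$(portrange_get first);    wr_l=$(portrange_get last) ;;
        high)    wr_f=$(portrange_get hifirst);  wr_l=$(portrange_get hilast) ;;
        esac
        if range_contains "$1" "$wr_f" "$wr_l"; then
            echo "$wr_name"; return 0
        fi
    done
    echo none; return 1
}

# Demo: "none" means no configured range of the host's own port
# allocator includes that port (constructed sample ports).
for demo_port in 700 3000 50000 8080; do
    printf '%s -> %s\n' "$demo_port" "$(which_range "$demo_port")"
done
```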