From: Barney Wolff
To: Brett Glass
Cc: net@freebsd.org
Date: Fri, 12 Dec 2003 21:18:13 -0500
Subject: Re: Controlling ports used by natd
Message-ID: <20031213021813.GA42371@pit.databus.com>
In-Reply-To: <6.0.0.22.2.20031212175801.04b066d8@localhost>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com> <6.0.0.22.2.20031212175801.04b066d8@localhost>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On Fri, Dec 12, 2003 at 06:17:46PM -0700, Brett Glass wrote:
> In practice, I think we need to come up with something better than the
> notions of "well-known" and "privileged" ports. Something that, unlike
> portmap, is easy for firewalls to work with.

It's not so easy, because malware is not likely to be so polite as to keep to fixed source ports. In fact, your real problem is with lazy firewalls that can't tell UDP responses from requests. A stateless firewall is an ACL, not a firewall. That works not so badly for TCP but is simply inadequate for UDP.

-- 
Barney Wolff  http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
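The distinction drawn above, that a stateless filter is only an ACL and cannot tell a UDP reply from an unsolicited packet that merely borrows a well-known source port, as an added illustration that is not part of the original thread and not FreeBSD or ipfw code: a toy Python model of both filter styles run over constructed packets. The addresses, ports, timeout and the "allow inbound UDP from source port 53" rule are all invented for the example; the stateful class imitates the behaviour of dynamic rules (ipfw's keep-state/check-state), not their implementation.

```python
"""Stateless ACL vs. stateful tracking for UDP, as a toy model.

Constructed example: packets are plain records, not real sockets, and both
filters are simplified stand-ins for a packet filter such as ipfw.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaves the protected host, "in" = arrives at it


def stateless_acl_allows(pkt: Packet) -> bool:
    """A stateless rule set (assumed for the example).

    Outbound UDP is allowed.  Inbound UDP is allowed only if it *looks* like
    a DNS reply, i.e. its source port is 53.  The filter has no memory, so it
    cannot distinguish a genuine reply to an earlier query from an
    unsolicited packet that simply sets sport=53 to get through.
    """
    if pkt.direction == "out":
        return True
    return pkt.sport == 53


class StatefulUdpFilter:
    """Remembers outbound UDP 4-tuples and admits only matching replies.

    This is the shape of what ipfw's keep-state/check-state dynamic rules do;
    the 10 second idle timeout is an assumed value, not ipfw's default.
    """

    def __init__(self, timeout: int = 10):
        self.timeout = timeout
        self.state: dict[tuple, int] = {}  # (src, sport, dst, dport) -> expiry

    def allows(self, pkt: Packet, now: int) -> bool:
        # Drop entries that have been idle past the timeout.
        self.state = {k: v for k, v in self.state.items() if v > now}
        if pkt.direction == "out":
            self.state[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return True
        # Inbound: only admitted if it reverses a tuple we saw going out.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            self.state[key] = now + self.timeout  # refresh on traffic
            return True
        return False


def run_scenario():
    """Feed the same constructed packets to both filters.

    Returns a list of (label, stateless_verdict, stateful_verdict).
    """
    inside, resolver, attacker = "192.0.2.10", "198.51.100.1", "203.0.113.7"
    scenario = [
        ("dns query out", 0, Packet(inside, 50000, resolver, 53, "out")),
        ("genuine reply", 1, Packet(resolver, 53, inside, 50000, "in")),
        # Unsolicited packet aimed at an internal service, sport forged to 53.
        ("spoofed reply", 2, Packet(attacker, 53, inside, 1434, "in")),
        # Reply-looking packet from a non-53 source port: both filters drop it.
        ("wrong sport", 3, Packet(resolver, 5353, inside, 50000, "in")),
        # Same tuple as the genuine reply but long after the state expired.
        ("late reply", 20, Packet(resolver, 53, inside, 50000, "in")),
    ]
    stateful = StatefulUdpFilter(timeout=10)
    return [(label, stateless_acl_allows(p), stateful.allows(p, t))
            for label, t, p in scenario]


if __name__ == "__main__":
    for label, acl, st in run_scenario():
        print(f"{label:14s} stateless={'allow' if acl else 'drop ':5s} "
              f"stateful={'allow' if st else 'drop'}")
```

The "spoofed reply" row is the case the message describes: the stateless ACL passes it because source port 53 is all it can check, while the stateful filter drops it because no matching query ever left. The "late reply" row shows the caveat that comes with state: once an entry times out, even a legitimate reply is refused, so the idle timeout has to be chosen with the protocol's real round-trip times in mind.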