From owner-freebsd-net@FreeBSD.ORG Fri Dec 12 19:18:24 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 270BF16A4CE for ; Fri, 12 Dec 2003 19:18:24 -0800 (PST)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B52F343D2D for ; Fri, 12 Dec 2003 19:18:22 -0800 (PST) (envelope-from brett@lariat.org)
Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id UAA24510; Fri, 12 Dec 2003 20:18:16 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.0.0.22.2.20031212201423.04a0dec0@localhost>
X-Sender: brett@localhost (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Fri, 12 Dec 2003 20:18:11 -0700
To: Barney Wolff
From: Brett Glass
In-Reply-To: <20031213021813.GA42371@pit.databus.com>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com> <6.0.0.22.2.20031212175801.04b066d8@localhost> <20031213021813.GA42371@pit.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: net@freebsd.org
Subject: Re: Controlling ports used by natd
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 13 Dec 2003 03:18:24 -0000

At 07:18 PM 12/12/2003, Barney Wolff wrote:

>In fact, your real problem is with lazy
>firewalls that can't tell UDP responses from requests.
>A stateless firewall is an ACL, not a firewall. That works not so badly for TCP
>but is simply inadequate for UDP.

Not so. A stateful firewall on UDP might keep a worm from getting in, but it could still propagate out. We don't want them getting through in either direction (especially since we don't want our users infecting one another). So, a full block of the port is appropriate. Especially since, in most cases, that port isn't a service that would be safe to use across the Net. Ports 135, 137, and 139, for example, should be blocked not only because they can spread worms and popup spam but because they should not be used on the open Internet.

--Brett
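The distinction Brett draws above (a stateful UDP filter stops unsolicited inbound packets but still lets an infected inside host reach the same ports outbound, whereas an unconditional block on the port stops both directions) can be shown with a small packet-filter model. This is an added illustration, not code from the thread or from FreeBSD's ipfw/natd; the two firewall classes, the `Packet` record and the sample addresses and flows are constructed for the example, and the blocked port set is taken from the ports named in the post.

```python
"""Stateful-UDP filtering versus a bidirectional port block, modelled on a
handful of constructed packets. Added example; not from the mailing-list post."""

from dataclasses import dataclass

# Ports named in the post as unsafe to carry across the open Internet.
WORM_PORTS = frozenset({135, 137, 139})


@dataclass(frozen=True)
class Packet:
    """One packet as seen at the border. direction is 'in' (from the Net
    towards the LAN) or 'out' (from the LAN towards the Net)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str


class StatefulUdpFirewall:
    """Allows any outbound flow and records it; inbound packets are allowed
    only when they match a previously seen outbound 5-tuple in reverse.
    This is the 'stateful UDP' policy Barney argues for."""

    def __init__(self):
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: the reply's (dst, dport, src, sport) must equal the
        # original request's (src, sport, dst, dport).
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.state else "deny"


class PortBlockFirewall:
    """Unconditionally denies traffic to or from the blocked ports in either
    direction, then defers everything else to an inner policy. This is the
    'full block of the port' Brett describes."""

    def __init__(self, blocked, inner):
        self.blocked = frozenset(blocked)
        self.inner = inner

    def filter(self, pkt: Packet) -> str:
        if pkt.dport in self.blocked or pkt.sport in self.blocked:
            return "deny"
        return self.inner.filter(pkt)


def run(firewall, packets) -> list:
    """Apply the firewall to packets in order and return the verdicts."""
    return [firewall.filter(p) for p in packets]


# Constructed traffic: a legitimate DNS exchange, an unsolicited inbound probe,
# and an already-infected LAN host probing outwards on the same ports.
SAMPLE = [
    Packet("udp", "10.0.0.5", 53123, "203.0.113.9", 53, "out"),      # DNS query
    Packet("udp", "203.0.113.9", 53, "10.0.0.5", 53123, "in"),       # DNS reply
    Packet("udp", "198.51.100.7", 1025, "10.0.0.5", 137, "in"),      # inbound probe
    Packet("udp", "10.0.0.5", 1026, "198.51.100.7", 137, "out"),     # LAN host probing out
    Packet("tcp", "10.0.0.5", 1027, "198.51.100.7", 135, "out"),     # LAN host probing out
]


if __name__ == "__main__":
    print("stateful only :", run(StatefulUdpFirewall(), SAMPLE))
    print("port block    :", run(PortBlockFirewall(WORM_PORTS, StatefulUdpFirewall()), SAMPLE))
```

Both policies pass the DNS exchange and drop the unsolicited inbound probe; only the port block also drops the two outbound probes from the infected host, which is the propagation path the post is concerned with.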