Date: Tue, 23 Dec 2003 03:29:02 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Brett Glass <brett@lariat.org>
Cc: net@freebsd.org
Subject: Re: Controlling ports used by natd
Message-ID: <20031223032000.T2131@odysseus.silby.com>
In-Reply-To: <6.0.0.22.2.20031222222449.03cd58c8@localhost>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <20031212083522.GA24267@pit.databus.com> <20031212181944.GA33245@pit.databus.com> <20031213001913.GA40544@pit.databus.com> <20031222182913.M2799@odysseus.silby.com> <6.0.0.22.2.20031222222449.03cd58c8@localhost>
On Mon, 22 Dec 2003, Brett Glass wrote:

> Good idea. One might also want to set a separate pair of sysctl variables
> to control the range of ports selected by libalias, just in case the
> administrator wanted to reserve distinct ports for NAT.
>
> --Brett

I think that it might be best to keep choosing ports inside of libalias. Adding yet another port range would just complicate the kernel more without much benefit.

You know, since we're talking about blocking specific ports, port ranges for specific applications, etc... it almost sounds like this is a firewall issue. ipfw can already filter by uid, and you can already deny packets to / from port ranges, so maybe it would be possible to add a quick hack into the port binding routines that would check to see if sending a packet to / from that port would be valid before completing the bind. Of course, that would only give you deny capabilities, but I think that might be good enough for your purposes, and it should be relatively straightforward to implement. Also, it would not break ephemeral port binding, as that piece of code will simply try all possible ports in the range before giving up.

Unfortunately, I'm not familiar with ipfw's internals at all; I do not know how easy it would be to query it for allow / deny with just a few bits of ip information.

Mike "Silby" Silbersack
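The design Mike sketches above (a deny-only check consulted by the port binding routine, with the ephemeral allocator walking the whole range before giving up) can be modelled in user space. The following is an added example written for this archive page; it is not FreeBSD kernel, libalias or ipfw code. `DenyRule`, `PortAllocator` and `bind_allowed` are hypothetical names, and the rules are a stand-in for ipfw-style uid / port-range matching, not a real ipfw query. The sample rules and port range are constructed for the demonstration.

```python
"""Model of bind-time port filtering as sketched in the thread.

Added example, not FreeBSD code. A DenyRule stands in for an ipfw-style
"deny uid X to/from ports A-B" entry; the allocator asks the deny check
before completing any bind, and the ephemeral path skips denied or busy
ports and only fails once the whole range has been tried.
"""

import errno
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class DenyRule:
    """Hypothetical deny entry: uid=None matches every uid."""
    uid: Optional[int]
    first: int
    last: int

    def matches(self, uid: int, port: int) -> bool:
        return (self.uid is None or self.uid == uid) and self.first <= port <= self.last


class PortAllocator:
    """Toy port table with a deny hook consulted on every bind (constructed model)."""

    def __init__(self, first: int, last: int, rules: List[DenyRule]):
        self.first, self.last = first, last
        self.rules = rules
        self.in_use: Set[int] = set()

    def bind_allowed(self, uid: int, port: int) -> bool:
        """The 'ask the firewall before bind' hook: deny-only, as in the thread."""
        return not any(rule.matches(uid, port) for rule in self.rules)

    def bind(self, uid: int, port: int) -> int:
        """Explicit bind to a chosen port; denied ports fail with EACCES."""
        if not self.bind_allowed(uid, port):
            raise PermissionError(errno.EACCES, "bind of port %d denied for uid %d" % (port, uid))
        if port in self.in_use:
            raise OSError(errno.EADDRINUSE, "port %d already in use" % port)
        self.in_use.add(port)
        return port

    def bind_ephemeral(self, uid: int) -> int:
        """Ephemeral bind: try every port in the range, skipping busy or denied ones.

        The deny check cannot break this path, it only shrinks the usable range;
        the allocator fails (EADDRNOTAVAIL) only after every port has been tried.
        """
        for port in range(self.first, self.last + 1):
            if port in self.in_use or not self.bind_allowed(uid, port):
                continue
            self.in_use.add(port)
            return port
        raise OSError(errno.EADDRNOTAVAIL, "ephemeral port range exhausted for uid %d" % uid)


def demo() -> dict:
    """Constructed scenario: a 9-port range, uid 1001 barred from the low end,
    one port barred for everyone. Returns the ports handed out for inspection."""
    alloc = PortAllocator(49152, 49160, [
        DenyRule(uid=1001, first=49152, last=49155),  # constructed rule
        DenyRule(uid=None, first=49160, last=49160),  # constructed rule
    ])
    return {
        "uid1001_first": alloc.bind_ephemeral(1001),  # skips 49152-49155 -> 49156
        "uid0_first": alloc.bind_ephemeral(0),        # nothing denied for root -> 49152
        "uid0_second": alloc.bind_ephemeral(0),       # 49152 busy -> 49153
    }


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the split between the two paths: an explicit bind to a denied port fails immediately, while the ephemeral path simply treats a denied port like a busy one, which is why a deny-only hook does not break ephemeral allocation as long as the range is not exhausted.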