From owner-freebsd-net@FreeBSD.ORG Tue Dec 23 01:29:07 2003
Date: Tue, 23 Dec 2003 03:29:02 -0600 (CST)
From: Mike Silbersack
To: Brett Glass
cc: Barney Wolff
cc: net@freebsd.org
Subject: Re: Controlling ports used by natd
Message-ID: <20031223032000.T2131@odysseus.silby.com>
In-Reply-To: <6.0.0.22.2.20031222222449.03cd58c8@localhost>
References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <20031212083522.GA24267@pit.databus.com> <20031212181944.GA33245@pit.databus.com> <20031213001913.GA40544@pit.databus.com> <20031222182913.M2799@odysseus.silby.com> <6.0.0.22.2.20031222222449.03cd58c8@localhost>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, 22 Dec 2003, Brett Glass wrote:

> Good idea. One might also want to set a separate pair of sysctl variables
> to control the range of ports selected by libalias, just in case the
> administrator wanted to reserve distinct ports for NAT.
>
> --Brett

I think that it might be best to keep choosing ports inside of libalias.
Adding yet another port range would just complicate the kernel more
without much benefit.
You know, since we're talking about blocking specific ports, port ranges
for specific applications, etc... it almost sounds like this is a firewall
issue. ipfw can already filter by uid, and you can already deny packets
to / from port ranges, so maybe it would be possible to add a quick hack
into the port binding routines that would check to see if sending a packet
to / from that port would be valid before completing the bind. Of course,
that would only give you deny capabilities, but I think that might be good
enough for your purposes, and it should be relatively straightforward to
implement. Also, it would not break ephemeral port binding, as that piece
of code will simply try all possible ports in the range before giving up.

Unfortunately, I'm not familiar with ipfw's internals at all, so I do not
know how easy it would be to query it for allow / deny with just a few bits
of ip information.

Mike "Silby" Silbersack
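A toy model of the bind-time check proposed above, added here as an illustration and not code from FreeBSD, ipfw or anyone in this thread: a constructed uid-scoped deny table stands in for ipfw's uid and port-range rules, an explicit bind is refused with EACCES when the rules would deny that local port, and the ephemeral allocator skips denied (or in-use) ports and fails with EADDRNOTAVAIL only once the whole range has been tried. The rule layout, the sample rule values and all function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed deny rule: a uid-scoped range of local ports, standing in for
 * the "deny by uid and port range" filtering ipfw already offers. uid -1 = any. */
struct deny_rule {
    int uid;            /* -1 matches any uid */
    uint16_t lo, hi;    /* inclusive local port range */
};

/* Sample rule table (constructed for this example, not real ipfw rules). */
static const struct deny_rule rules[] = {
    { 1001, 50000, 50099 },   /* uid 1001 may not use 50000-50099 */
    { -1,   60000, 60010 },   /* nobody may use 60000-60010 */
};
static const int nrules = sizeof(rules) / sizeof(rules[0]);

/* Would a packet from this uid on this local port be denied by the rules? */
bool port_denied(int uid, uint16_t port)
{
    for (int i = 0; i < nrules; i++) {
        if ((rules[i].uid == -1 || rules[i].uid == uid) &&
            port >= rules[i].lo && port <= rules[i].hi)
            return true;
    }
    return false;
}

/* Explicit bind: deny-only semantics, refuse just what the rules deny. */
int bind_port(int uid, uint16_t port)
{
    return port_denied(uid, port) ? EACCES : 0;
}

/* Ephemeral bind: walk the whole range, skipping denied ports, and give up
 * only after every port has been tried. in_use (may be NULL) lets the caller
 * simulate ports already taken. Returns 0 and sets *out on success. */
int bind_ephemeral(int uid, uint16_t first, uint16_t last,
                   bool (*in_use)(uint16_t), uint16_t *out)
{
    for (uint32_t p = first; p <= last; p++) {   /* uint32_t: no wrap at 65535 */
        if (port_denied(uid, (uint16_t)p) || (in_use && in_use((uint16_t)p)))
            continue;
        *out = (uint16_t)p;
        return 0;
    }
    return EADDRNOTAVAIL;
}
```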