Date:      Fri, 12 Dec 2003 20:18:11 -0700
From:      Brett Glass <brett@lariat.org>
To:        Barney Wolff <barney@databus.com>
Cc:        net@freebsd.org
Subject:   Re: Controlling ports used by natd
Message-ID:  <6.0.0.22.2.20031212201423.04a0dec0@localhost>
In-Reply-To: <20031213021813.GA42371@pit.databus.com>
References:  <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com> <6.0.0.22.2.20031212175801.04b066d8@localhost> <20031213021813.GA42371@pit.databus.com>

At 07:18 PM 12/12/2003, Barney Wolff wrote:

>In fact, your real problem is with lazy
>firewalls that can't tell UDP responses from requests.  A stateless
>firewall is an ACL, not a firewall.  That works not so badly for TCP
>but is simply inadequate for UDP.

Not so. A stateful firewall on UDP might keep a worm from getting in,
but it could still propagate out. We don't want them getting through
in either direction (especially since we don't want our users infecting
one another). So, a full block of the port is appropriate. Especially
since, in most cases, that port isn't a service that would be safe to use
across the Net. Ports 135, 137, and 139, for example, should be blocked not
only because they can spread worms and popup spam but because they
should not be used on the open Internet.

--Brett
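The trade-off Brett describes above, as an added example that is not part of the original thread and not code from the FreeBSD project: a minimal model of a stateful UDP filter (inbound allowed only as a reply to a tracked outbound request) next to a stateless full block of the ports named in the message, run over a few constructed packets. The host addresses, port numbers other than 135/137/139 and 53, and the scenario names are assumptions for illustration. The point it makes concrete is that the stateful filter stops an unsolicited inbound probe but still passes an infected user's outbound connection to port 135, whereas the stateless block denies both and leaves ordinary DNS untouched.

```python
"""Stateful UDP tracking vs. a stateless port block, over constructed packets.

Added example for the thread above; not FreeBSD or ipfw code.
"""
from typing import NamedTuple

# Ports the message says should not be reachable across the open Internet.
BLOCKED_PORTS = {135, 137, 139}


class Packet(NamedTuple):
    direction: str  # "in" = arriving from the Internet, "out" = sent by our users
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulUdpFilter:
    """Allow any outbound UDP; allow inbound UDP only if it answers a seen request."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) of every outbound datagram we have forwarded
        self.flows: set[tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if p.proto != "udp":
            return "deny"
        if p.direction == "out":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        # Inbound: the reply tuple is the request tuple with both ends swapped.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"
        return "deny"  # unsolicited inbound, e.g. a worm probing port 137


def full_block(p: Packet) -> str:
    """Stateless ACL: deny the listed ports in either direction, no state consulted."""
    if p.sport in BLOCKED_PORTS or p.dport in BLOCKED_PORTS:
        return "deny"
    return "allow"


# Constructed traffic (assumed addresses): an inbound probe, an infected user
# spreading outward, and a normal DNS lookup with its reply.  Order matters for
# the stateful filter, since the DNS reply must follow its request.
SCENARIOS = [
    ("scan_in", Packet("in", "udp", "198.51.100.9", 1034, "10.0.0.5", 137)),
    ("worm_out", Packet("out", "udp", "10.0.0.5", 1027, "203.0.113.7", 135)),
    ("dns_out", Packet("out", "udp", "10.0.0.5", 5353, "192.0.2.53", 53)),
    ("dns_reply", Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 5353)),
]


def run_scenarios() -> dict[str, dict[str, str]]:
    """Return each filter's verdict for every scenario, keyed by filter then scenario."""
    stateful = StatefulUdpFilter()
    results: dict[str, dict[str, str]] = {"stateful": {}, "full_block": {}}
    for name, pkt in SCENARIOS:
        results["stateful"][name] = stateful.decide(pkt)
        results["full_block"][name] = full_block(pkt)
    return results


if __name__ == "__main__":
    for policy, verdicts in run_scenarios().items():
        print(policy)
        for name, verdict in verdicts.items():
            print(f"  {name:10s} {verdict}")
```

The two policies are not exclusive: the stateless block can sit in front of the stateful rules, so the listed ports are refused outright while everything else still gets connection tracking. On the platform this thread is about, the assumed equivalent of `full_block` is a pair of deny rules ahead of the natd divert, one for `tcp` on 135,139 and one for `udp` on 135,137,139, matching in both directions.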



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20031212201423.04a0dec0>