Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 12 Dec 2003 13:19:44 -0500
From:      Barney Wolff <barney@databus.com>
To:        Brett Glass <brett@lariat.org>
Cc:        net@freebsd.org
Subject:   Re: Controlling ports used by natd
Message-ID:  <20031212181944.GA33245@pit.databus.com>
In-Reply-To: <6.0.0.22.2.20031212103142.04611738@localhost>
References:  <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Dec 12, 2003 at 10:41:50AM -0700, Brett Glass wrote:
> At 01:35 AM 12/12/2003, Barney Wolff wrote:
> 
> >Oops, sorry for the confusion.  How fancy a change is up to you,
> >but changing ALIAS_PORT_BASE and ALIAS_PORT_MASK (and _EVEN)
> >would let you confine the port range without much work.  
> 
> The current algorithm works so long as the blocked ports have
> numbers less than 32768. But there are now lots of Trojans and
> worms that use higher ports, and admins may want to block them.
> So, there ought to be a way to tell libalias "don't assign anything
> in this set of ports" -- via a list or a bitmap.

How is this problem confined to NAT?  Seems to me that any system
connecting to the Internet would have the same issue, if it's actually
a problem at all.

So if I were going to solve it (which I'm not) I would expose the kernel's
"pick a high port" function, add hitlist capability, and have libalias use it.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031212181944.GA33245>