Date: Fri, 12 Dec 2003 21:18:13 -0500 From: Barney Wolff <barney@databus.com> To: Brett Glass <brett@lariat.org> Cc: net@freebsd.org Subject: Re: Controlling ports used by natd Message-ID: <20031213021813.GA42371@pit.databus.com> In-Reply-To: <6.0.0.22.2.20031212175801.04b066d8@localhost> References: <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com> <6.0.0.22.2.20031212175801.04b066d8@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Dec 12, 2003 at 06:17:46PM -0700, Brett Glass wrote: > > In practice, I think we need to come up with something better than the > notions of "well-known" and "privileged" ports. Something that, unlike > portmap, is easy for firewalls to work with. It's not so easy, because malware is not likely to be so polite as to keep to fixed source ports. In fact, your real problem is with lazy firewalls that can't tell UDP responses from requests. A stateless firewall is an ACL, not a firewall. That works not so badly for TCP but is simply inadequate for UDP. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031213021813.GA42371>