Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 12 Dec 2003 21:18:13 -0500
From:      Barney Wolff <barney@databus.com>
To:        Brett Glass <brett@lariat.org>
Cc:        net@freebsd.org
Subject:   Re: Controlling ports used by natd
Message-ID:  <20031213021813.GA42371@pit.databus.com>
In-Reply-To: <6.0.0.22.2.20031212175801.04b066d8@localhost>
References:  <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com> <6.0.0.22.2.20031212175801.04b066d8@localhost>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Dec 12, 2003 at 06:17:46PM -0700, Brett Glass wrote:
> 
> In practice, I think we need to come up with something better than the
> notions of "well-known" and "privileged" ports. Something that, unlike
> portmap, is easy for firewalls to work with.

It's not so easy, because malware is not likely to be so polite as to
keep to fixed source ports.  In fact, your real problem is with lazy
firewalls that can't tell UDP responses from requests.  A stateless
firewall is an ACL, not a firewall.  That works not so badly for TCP
but is simply inadequate for UDP.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031213021813.GA42371>