Re: Controlling ports used by natd

From: Barney Wolff (barney_at_databus.com)
Date: 12/13/03

    Date: Fri, 12 Dec 2003 19:19:13 -0500
    To: Brett Glass <brett@lariat.org>
    
    

    On Fri, Dec 12, 2003 at 04:20:04PM -0700, Brett Glass wrote:
    > At 11:19 AM 12/12/2003, Barney Wolff wrote:
    >
    > >How is this problem confined to NAT? Seems to me that any system
    > >connecting to the Internet would have the same issue, if it's actually
    > >a problem at all.
    >
    > Well, yes and no. A system behind a firewall that uses a port that's
    > commonly used by a worm could find a session blocked, because the
    > firewall can't trust it not to be infected just because it's inside.
    > But hopefully, it'd retry and would get another port the next time.
    > With NAT, there's a bigger problem: the firewall that's doing NAT may
    > give it the same port again and again, locking it out. (I've seen
    > this happen.)

    This *should* not happen if the end-host uses different source ports
    on each try, at least as I read the alias_db.c code.

    Have you tried the -same_ports option?

    > >So if I were going to solve it (which I'm not) I would expose the kernel's
    > >"pick a high port" function, add hitlist capability, and have libalias use it.
    >
    > Not a bad way to go, actually. It'd be nice to restrict which ports the OS
    > allowed apps to use, not only so that they don't get blocked by a firewall
    > but so that a worm that's gotten into the system is detected. (You could set
    > off an alarm if it tried to bind a "forbidden" port.)

    For most systems, the coarse granularity of sysctl net.inet.ip.portrange
    would seem sufficient.

    I have a real philosophical problem with ceding ports to worms, viruses
    and trojans. Where will it stop? Portno is a finite resource.

    -- 
    Barney Wolff         http://www.databus.com/bwresume.pdf
    I'm available by contract or FT, in the NYC metro area or via the 'Net.
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
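The two defensive checks discussed above (whether the kernel's ephemeral range set by `net.inet.ip.portrange` can collide with ports a perimeter firewall drops, and raising an alarm when something on the host listens on a "forbidden" port) as an added, self-contained example. This is not code from the thread, from natd or from FreeBSD; the sysctl values, the blocked-port set and the `sockstat -4 -l`-style listing are constructed sample data, and the functions only parse text, so the script runs offline.

```python
"""Added example: audit ephemeral port range and listening sockets against a
firewall deny-list. Sample inputs below are constructed, not captured."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `sysctl net.inet.ip.portrange.first net.inet.ip.portrange.last`
# (values are illustrative only, not a recommended setting).
SYSCTL_OUTPUT = """\
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
"""

# Constructed deny-list: ports the perimeter firewall is assumed to drop.
BLOCKED_PORTS = {135, 445, 1434, 4444}

# Constructed sample in the column layout of `sockstat -4 -l` (listening IPv4 sockets).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
www      httpd      701   4  tcp4   192.0.2.10:80         *:*
nobody   unknown    999   5  tcp4   *:4444                *:*
"""

_SYSCTL_RE = re.compile(r"^net\.inet\.ip\.portrange\.(first|last):\s*(\d+)$", re.M)


def parse_portrange(text: str) -> Tuple[int, int]:
    """Return (first, last) of the ephemeral port range from sysctl output."""
    found: Dict[str, int] = {key: int(val) for key, val in _SYSCTL_RE.findall(text)}
    return found["first"], found["last"]


def blocked_in_range(first: int, last: int, blocked: Iterable[int]) -> List[int]:
    """Blocked ports that lie inside the ephemeral range. The kernel (or natd
    aliasing an inside host) could hand one of these out as a source port, and
    the session would then be dropped at the firewall."""
    return sorted(p for p in blocked if first <= p <= last)


def parse_sockstat(text: str) -> List[Dict[str, object]]:
    """Parse sockstat-style rows into dicts; the header row is skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue  # blank or malformed line
        user, command, pid, _fd, proto, local, _foreign = parts[:7]
        host, port = local.rsplit(":", 1)  # rsplit keeps '*' and dotted hosts intact
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "host": host, "port": int(port)})
    return rows


def flag_listeners(text: str, blocked: Iterable[int]) -> List[Tuple[str, int, int]]:
    """(command, pid, port) for every listener bound to a blocked port; this is
    the 'set off an alarm if it tried to bind a forbidden port' check."""
    deny = set(blocked)
    return [(r["command"], r["pid"], r["port"])
            for r in parse_sockstat(text) if r["port"] in deny]


if __name__ == "__main__":
    first, last = parse_portrange(SYSCTL_OUTPUT)
    print(f"ephemeral range {first}-{last}; blocked ports inside it:",
          blocked_in_range(first, last, BLOCKED_PORTS))
    for command, pid, port in flag_listeners(SOCKSTAT_OUTPUT, BLOCKED_PORTS):
        print(f"ALERT: {command} (pid {pid}) is listening on blocked port {port}")
```

On a live FreeBSD host the two strings would come from `sysctl net.inet.ip.portrange` and `sockstat -4 -l`; the point of the first check is the coarse-granularity remark above: if the whole blocked set falls outside `[first, last]`, moving the range is enough, otherwise a per-port hitlist is needed.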
    
