Re: Controlling ports used by natd

From: Barney Wolff (barney_at_databus.com)
Date: 12/13/03

    Date: Sat, 13 Dec 2003 01:16:22 -0500
    To: Brett Glass <brett@lariat.org>
    
    

    On Fri, Dec 12, 2003 at 08:18:11PM -0700, Brett Glass wrote:
    > At 07:18 PM 12/12/2003, Barney Wolff wrote:
    >
    > >In fact, your real problem is with lazy
    > >firewalls that can't tell UDP responses from requests. A stateless
    > >firewall is an ACL, not a firewall. That works not so badly for TCP
    > >but is simply inadequate for UDP.
    >
    > Not so. A stateful firewall on UDP might keep a worm from getting in,
    > but it could still propagate out. We don't want them getting through
    > in either direction (especially since we don't want our users infecting
    > one another). So, a full block of the port is appropriate. Especially
    > since, in most cases, that port isn't a service that would be safe to use
    > across the Net. Ports 135, 137, and 139, for example, should be blocked not
    > only because they can spread worms and popup spam but because they
    > should not be used on the open Internet.

    A stateful firewall is not limited to blocking inbound requests. If
    you want to block outbound requests to UDP port 12345, fine. But don't
    block a response from port 53 to your host's port 12345, and don't
    (if you run a nameserver) block a UDP packet from outside port 12345
    to your nameserver's port 53, or the response. A stateful firewall,
    sensibly configured, can do all that; an ACL usually can't.

    I believe in ACLs and have configured them on every router for which
    I've had enable. I also believe in firewalls, for what ACLs can't do.

    -- 
    Barney Wolff         http://www.databus.com/bwresume.pdf
    I'm available by contract or FT, in the NYC metro area or via the 'Net.
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
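As an added example that is not part of the original post, the Python sketch below models the distinction drawn above: a port-based ACL and a stateful UDP firewall applied to the same exchanges (ports 12345 and 53 come from the thread; the hosts, the sample packets and the `StatefulFirewall` class are assumptions constructed for illustration).

```python
# Added example, not code from the original post: a small model of the
# stateless-ACL vs stateful-firewall distinction using the thread's ports.
# Policy: refuse outbound UDP requests to port 12345, yet keep DNS working.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving our network, "in" = arriving from outside
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def stateless_acl(pkt):
    """ACL-style rule: drop anything touching UDP port 12345, either direction."""
    return pkt.src_port != 12345 and pkt.dst_port != 12345

class StatefulFirewall:
    """Remembers admitted requests so replies are judged by the request they answer."""
    def __init__(self, blocked_dst_ports=frozenset({12345}), served_ports=frozenset({53})):
        self.blocked = blocked_dst_ports  # outbound requests we refuse
        self.served = served_ports        # our own services reachable from outside
        self.flows = set()                # (initiator ip, port, responder ip, port)
    def allow(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True  # reply to a request we already let through
        if pkt.direction == "out":
            if pkt.dst_port in self.blocked:
                return False
        elif pkt.dst_port not in self.served:
            return False  # unsolicited inbound packet to a port we do not serve
        self.flows.add(key)
        return True

# Constructed traffic (documentation addresses): resolver 192.0.2.10 uses port 12345.
SCENARIO = [
    ("dns_query_out", Packet("out", "192.0.2.10", 12345, "198.51.100.53", 53)),
    ("dns_reply_in", Packet("in", "198.51.100.53", 53, "192.0.2.10", 12345)),
    ("query_to_our_ns", Packet("in", "203.0.113.7", 12345, "192.0.2.53", 53)),
    ("our_ns_reply", Packet("out", "192.0.2.53", 53, "203.0.113.7", 12345)),
    ("request_to_12345", Packet("out", "192.0.2.10", 40000, "203.0.113.7", 12345)),
    ("unsolicited_in", Packet("in", "203.0.113.7", 12345, "192.0.2.10", 40001)),
]

def evaluate():
    """Return {name: (acl_allows, stateful_allows)} for SCENARIO, processed in order."""
    fw = StatefulFirewall()
    return {name: (stateless_acl(p), fw.allow(p)) for name, p in SCENARIO}
```

The ACL refuses every packet that merely mentions port 12345, breaking both DNS exchanges, while the stateful version admits the replies and still refuses the outbound request to 12345 and the unsolicited inbound packet.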
    
