Re: Controlling ports used by natd

From: Barney Wolff (barney_at_databus.com)
Date: 12/13/03

    Date: Sat, 13 Dec 2003 01:16:22 -0500
    To: Brett Glass <brett@lariat.org>
    On Fri, Dec 12, 2003 at 08:18:11PM -0700, Brett Glass wrote:
    > At 07:18 PM 12/12/2003, Barney Wolff wrote:
    >
    > >In fact, your real problem is with lazy
    > >firewalls that can't tell UDP responses from requests. A stateless
    > >firewall is an ACL, not a firewall. That works not so badly for TCP
    > >but is simply inadequate for UDP.
    >
    > Not so. A stateful firewall on UDP might keep a worm from getting in,
    > but it could still propagate out. We don't want them getting through
    > in either direction (especially since we don't want our users infecting
    > one another). So, a full block of the port is appropriate. Especially
    > since, in most cases, that port isn't a service that would be safe to use
    > across the Net. Ports 135, 137, and 139, for example, should be blocked not
    > only because they can spread worms and popup spam but because they
    > should not be used on the open Internet.

    A stateful firewall is not limited to blocking inbound requests. If
    you want to block outbound requests to UDP port 12345, fine. But don't
    block a response from port 53 to your host's port 12345, and don't
    (if you run a nameserver) block a UDP packet from outside port 12345
    to your nameserver's port 53, or the response. A stateful firewall,
    sensibly configured, can do all that; an ACL usually can't.

    I believe in ACLs and have configured them on every router for which
    I've had enable. I also believe in firewalls, for what ACLs can't do.

    -- 
    Barney Wolff         http://www.databus.com/bwresume.pdf
    I'm available by contract or FT, in the NYC metro area or via the 'Net.
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
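The distinction Barney draws above (an ACL matches only on port numbers; a stateful filter remembers requests so that replies pass), as an added example that is not part of the thread: a toy Python model of both filter types run over a constructed UDP trace. Port 12345 and the nameserver's port 53 are the ones in his reply; that the local host runs a nameserver is an assumption.

```python
from typing import NamedTuple

BLOCKED_UDP_PORT = 12345   # the port the operator wants closed to requests
NAMESERVER_PORTS = {53}    # assumption: this host runs a nameserver on UDP 53

class Packet(NamedTuple):
    """Constructed UDP datagram; direction is 'out' (leaving us) or 'in'."""
    direction: str
    src_port: int
    dst_port: int
    def key(self):  # (local, remote) regardless of direction: a reply shares its request's flow
        if self.direction == "out":
            return (self.src_port, self.dst_port)
        return (self.dst_port, self.src_port)

def stateless_acl(pkt):
    """An ACL sees only port numbers and cannot tell a reply from a request,
    so keeping requests off 12345 means dropping anything that touches it."""
    return BLOCKED_UDP_PORT not in (pkt.src_port, pkt.dst_port)

class StatefulFilter:
    """Remembers permitted requests so replies pass (real filters also expire entries by timeout)."""
    def __init__(self):
        self.flows = set()
    def allow(self, pkt):
        local, remote = key = pkt.key()
        if key in self.flows:               # reply on an already-permitted flow
            return True
        if pkt.direction == "out":
            if remote == BLOCKED_UDP_PORT:  # outbound request to 12345: policy says no
                return False
            self.flows.add(key)             # our own request: expect its reply
            return True
        if local in NAMESERVER_PORTS:       # unsolicited inbound only to a service we run
            self.flows.add(key)             # so the nameserver's reply can go back out
            return True
        return False

def run_trace(packets):
    sf = StatefulFilter()                   # one filter keeps state across the whole trace
    return [stateless_acl(p) for p in packets], [sf.allow(p) for p in packets]

TRACE = [                         # constructed, mirroring the cases in the reply
    Packet("out", 12345, 53),     # DNS query sent from local port 12345
    Packet("in", 53, 12345),      # the DNS reply
    Packet("out", 40000, 12345),  # outbound request to 12345
    Packet("in", 12345, 12345),   # unsolicited inbound to 12345
    Packet("in", 12345, 53),      # outside port 12345 querying our nameserver
    Packet("out", 53, 12345),     # our nameserver's reply
]
```

Running `run_trace(TRACE)` shows the ACL dropping all six packets while the stateful filter passes the DNS exchange and the nameserver's reply and drops only the two requests aimed at 12345.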
    
