Re: Controlling ports used by natd

From: Barney Wolff (barney_at_databus.com)
Date: 12/14/03

  • Next message: Richard A Steenbergen: "Re: how to saturate 100Mbit"
    Date: Sun, 14 Dec 2003 15:31:01 -0500
    To: Charles Swiger <cswiger@mac.com>

    On Sun, Dec 14, 2003 at 02:41:00PM -0500, Charles Swiger wrote:
    > On Dec 12, 2003, at 7:19 PM, Barney Wolff wrote:
    > >I have a real philosophical problem with ceding ports to worms, viruses
    > >and trojans. Where will it stop? Portno is a finite resource.
    >
    > This is a respectable position, but the notion of categorizing ranges
    > of ports into an association with a security policy already exists:
    > bindresvport().
    >
    > Perhaps one could argue that this limitation isn't that meaningful now
    > that it's unfortunately common for malware to be running with root
    > privileges-- or the Windows equivalent, more likely. Still, if you and
    > your users don't run untrusted programs as root, system permissions
    > will prevent malware from acting as a rogue
    > DHCP/DNS/arp/routed/NMBD/whatever server, sniffing the local network,
    > etc...all of which contributes to slowing down the opportunities for
    > and rate at which a worm spreads.

    The difference is who gets to decide that a port or port range is
    reserved. I'm happy to cede authority to the IANA, or other standards
    body. I'm not willing to cede it to malware writers.

    Regardless of philosophy, correctly configured stateful firewalls do not
    need to prevent ordinary programs from binding particular source port
    numbers to prevent access to and spread of worms. It's enough to block
    particular dest ports on requests.* Statefulness is required to tell
    a UDP request from a response.

    * Actually, a sensible firewall config allows only needed ports and
    blocks all others.

    -- 
    Barney Wolff         http://www.databus.com/bwresume.pdf
    I'm available by contract or FT, in the NYC metro area or via the 'Net.
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
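The filtering model Barney describes (open only the needed destination ports, default-deny the rest, and rely on state rather than source-port rules to tell a UDP reply from an unsolicited UDP request) as an added toy model in Python. This is not code from the thread or from FreeBSD's natd/ipfw; the addresses, port list, class names and traffic scenario are constructed for illustration.

```python
"""Toy model of a default-deny, stateful packet filter versus a stateless one.
Hosts, ports, class names and the traffic scenario are constructed for this
illustration; they are not from the mailing-list thread or from ipfw."""

from dataclasses import dataclass
from typing import Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out": leaves the protected network; "in": arrives from outside

FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport

class StatefulFilter:
    """Records each permitted outbound flow and admits an inbound packet only when
    it mirrors a recorded flow (the role keep-state/check-state play in ipfw)."""

    def __init__(self, needed_dports: Set[Tuple[str, int]]):
        self.needed = needed_dports   # (proto, dport) pairs inside hosts may reach
        self.state: Set[FlowKey] = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            # A reply swaps the endpoints of the request that created the state
            mirror: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "allow" if mirror in self.state else "deny"
        if (p.proto, p.dport) in self.needed:
            # Source port is irrelevant: any ordinary program may bind any port
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        return "deny"   # everything not explicitly needed is blocked

class StatelessFilter:
    """Same needed ports, but no flow table: to let DNS answers back in at all it
    must accept every inbound UDP datagram whose source port is 53."""

    def __init__(self, needed_dports: Set[Tuple[str, int]]):
        self.needed = needed_dports

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            return "allow" if (p.proto, p.sport) in self.needed else "deny"
        return "allow" if (p.proto, p.dport) in self.needed else "deny"

def run_scenario(fw) -> dict:
    """Constructed traffic: an inside host queries DNS and gets the answer, then
    an unrelated outside host sends an unsolicited datagram to the same inside
    port, an inbound probe hits TCP 445, and the inside host tries TCP 445 out."""
    inside, resolver, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    query = Packet("udp", inside, 49152, resolver, 53, "out")
    answer = Packet("udp", resolver, 53, inside, 49152, "in")
    unasked = Packet("udp", stranger, 53, inside, 49152, "in")    # a request, not a reply
    probe = Packet("tcp", stranger, 40000, inside, 445, "in")
    outbound_445 = Packet("tcp", inside, 40001, stranger, 445, "out")
    # Evaluation order matters: the query must be seen before its answer
    return {
        "query": fw.decide(query),
        "answer": fw.decide(answer),
        "unasked": fw.decide(unasked),
        "probe": fw.decide(probe),
        "outbound_445": fw.decide(outbound_445),
    }

# Constructed policy: the only destination ports this network needs
NEEDED = {("udp", 53), ("tcp", 80), ("tcp", 443)}

if __name__ == "__main__":
    for name, fw in (("stateful", StatefulFilter(NEEDED)),
                     ("stateless", StatelessFilter(NEEDED))):
        print(name, run_scenario(fw))
```

Running it shows both filters accepting the DNS answer and rejecting the inbound and outbound TCP 445 traffic by destination port alone, without any rule about which source ports inside programs may bind; only the stateful filter also rejects the unsolicited UDP datagram, because without a flow table a packet from port 53 is indistinguishable from a reply. In ipfw terms the stateful model corresponds in shape to a `check-state` rule, per-port `allow ... out keep-state` rules, and a final `deny ip from any to any`.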
    
