Controlling ports used by natd
Brett Glass
brett at lariat.org
Fri Dec 12 19:18:24 PST 2003
At 07:18 PM 12/12/2003, Barney Wolff wrote:
>In fact, your real problem is with lazy
>firewalls that can't tell UDP responses from requests. A stateless
>firewall is an ACL, not a firewall. That works not so badly for TCP
>but is simply inadequate for UDP.
Not so. A stateful firewall on UDP might keep a worm from getting in,
but it could still propgagate out. We don't want them getting through
in either direction (especially since we don't want our users infecting
one another). So, a full block of the port is appropriate. Especially
since, in most cases, that port isn't a service that would be safe to use
across the Net. Ports 135, 137, and 139, for example, should be blocked not
only because they can spread worms and popup spam but because they
should not be used on the open Internet.
--Brett
More information about the freebsd-net
mailing list