Controlling ports used by natd
Barney Wolff
barney at databus.com
Sun Dec 14 12:31:07 PST 2003
On Sun, Dec 14, 2003 at 02:41:00PM -0500, Charles Swiger wrote:
> On Dec 12, 2003, at 7:19 PM, Barney Wolff wrote:
> >I have a real philosophical problem with ceding ports to worms, viruses
> >and trojans. Where will it stop? Portno is a finite resource.
>
> This is a respectable position, but the notion of categorizing ranges
> of ports into an association with a security policy already exists:
> bindresvport().
>
> Perhaps one could argue that this limitation isn't that meaningful now
> that it's unfortunately common for malware to be running with root
> privileges-- or the Windows equivalent, more likely. Still, if you and
> your users don't run untrusted programs as root, system permissions
> will prevent malware from acting as a rogue
> DHCP/DNS/arp/routed/NMBD/whatever server, sniffing the local network,
> etc...all of which contributes to slowing down the opportunities for
> and rate at which a worm spreads.
The difference is who gets to decide that a port or port range is
reserved. I'm happy to cede authority to the IANA, or other standards
body. I'm not willing to cede it to malware writers.
Regardless of philosophy, correctly configured stateful firewalls do not
need to prevent ordinary programs from binding particular source port
numbers to prevent access to and spread of worms. It's enough to block
particular dest ports on requests.* Statefulness is required to tell
a UDP request from a response.
* Actually, a sensible firewall config allows only needed ports and
blocks all others.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
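The stateful policy the post argues for, as an added example that is not part of the original message or of FreeBSD's natd/ipfw code: a small Python model in which requests are judged on their destination port only, source ports are never restricted, and replies (UDP included) are admitted because they match state created by an earlier request. A stateless filter is shown beside it to make the point about UDP: without state, an inbound packet from source port 53 cannot be told apart from a DNS reply. The inside prefix, the port lists and the addresses are constructed for the demo; the "check-state" and "keep-state" comments borrow ipfw's keyword names, but the code is a model, not an ipfw ruleset.

```python
# Added example (not from the freebsd-net thread): a model of a stateful
# firewall that filters on destination port and tracks request state.
# Addresses, prefixes and port lists below are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reply_key(p):
    # Key of the request that this packet would be a reply to.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFirewall:
    """Hypothetical policy: inside hosts may open anything except a short
    list of destination ports; outside hosts may open only listed services.
    Replies ride on state, so the source port of a packet never matters."""

    def __init__(self, inside_prefix, blocked_out_dports, allowed_in_dports):
        self.inside_prefix = inside_prefix
        self.blocked_out = frozenset(blocked_out_dports)
        self.allowed_in = frozenset(allowed_in_dports)
        self.state = set()  # flow keys of requests already passed

    def is_inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def filter(self, p):
        # check-state: a reply to a request we already passed is let through
        if reply_key(p) in self.state:
            return "pass"
        if self.is_inside(p.src):
            if p.dport in self.blocked_out:
                return "drop"            # request to a blocked service
            self.state.add(flow_key(p))  # keep-state for the reply
            return "pass"
        if p.dport in self.allowed_in:
            self.state.add(flow_key(p))
            return "pass"
        return "drop"                    # unsolicited inbound request


def stateless_filter(p, inside_prefix, allowed_in_dports):
    """What a stateless filter must do to let DNS replies back in: trust the
    source port.  A probe that merely claims source port 53 is treated the
    same way as a genuine reply."""
    if p.src.startswith(inside_prefix):
        return "pass"
    if p.dport in allowed_in_dports or p.sport == 53:
        return "pass"
    return "drop"


def demo():
    fw = StatefulFirewall("10.0.0.", blocked_out_dports={135, 445, 1434},
                          allowed_in_dports={25})
    inside, resolver, attacker = "10.0.0.5", "192.0.2.53", "198.51.100.9"
    results = {}
    # A worm binding a low source port gains nothing: only dport is judged.
    results["worm_out"] = fw.filter(Packet("tcp", inside, 53, attacker, 445))
    # An ordinary DNS query from an unprivileged source port creates state.
    results["dns_query"] = fw.filter(Packet("udp", inside, 49152, resolver, 53))
    # The reply is admitted because it matches that state ...
    results["dns_reply"] = fw.filter(Packet("udp", resolver, 53, inside, 49152))
    # ... while an unsolicited UDP packet from sport 53 is a request, not a reply.
    probe = Packet("udp", attacker, 53, inside, 1434)
    results["udp_probe"] = fw.filter(probe)
    # A stateless filter cannot tell the probe from the reply.
    results["udp_probe_stateless"] = stateless_filter(probe, "10.0.0.", {25})
    # Inbound requests reach only the listed service.
    results["smtp_in"] = fw.filter(Packet("tcp", attacker, 40000, inside, 25))
    results["ssh_in"] = fw.filter(Packet("tcp", attacker, 40000, inside, 22))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Run it directly to print the verdicts; the worm's choice of source port 53 has no effect on the decision, and the only way the UDP probe is separated from the DNS reply is the state entry the earlier query left behind.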