Controlling ports used by natd

Brett Glass brett at lariat.org
Fri Dec 12 09:42:01 PST 2003


At 01:35 AM 12/12/2003, Barney Wolff wrote:

>Oops, sorry for the confusion.  How fancy a change is up to you,
>but changing ALIAS_PORT_BASE and ALIAS_PORT_MASK (and _EVEN)
>would let you confine the port range without much work.  

The current algorithm works so long as the blocked ports have
numbers less than 32768. But there are now lots of Trojans and
worms that use higher ports, and admins may want to block them.
So, there ought to be a way to tell libalias "don't assign anything
in this set of ports" -- via a list or a bitmap.

If one can tap directly into libalias and make this a global
restriction, it might be that other programs (e.g. ppp) could
remain blissfully ignorant of it. If the restrictions were allowed
to be different for different instances of programs that used 
libalias (for example, several instances of natd, each handling
an interface with unique restrictions), one would have to modify
the API of libalias, which might break code if not done carefully.

--Brett 
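The "don't assign anything in this set of ports" idea above, as an added sketch in C (not libalias code, and not Brett's): a bitmap of blocked ports consulted by the alias-port chooser. ALIAS_PORT_BASE/ALIAS_PORT_MASK are assumed here to give the 32768-65535 range the message refers to, and the seed stands in for libalias's random starting point.

```c
#include <stdint.h>
#include <string.h>

/* Assumed values: alias ports are drawn from 32768..65535, which is
 * why, as the message notes, blocked ports below 32768 need no care. */
#define ALIAS_PORT_BASE 0x08000
#define ALIAS_PORT_MASK 0x07fff

/* One bit per TCP/UDP port number: set means "never hand this out".
 * 8 KiB covers the whole 16-bit port space, so a global restriction
 * costs one table rather than a per-instance list. */
static uint8_t blocked_ports[65536 / 8];

void clear_blocked_ports(void) { memset(blocked_ports, 0, sizeof blocked_ports); }

void block_port(uint16_t port) { blocked_ports[port >> 3] |= (uint8_t)(1u << (port & 7)); }

void unblock_port(uint16_t port) { blocked_ports[port >> 3] &= (uint8_t)~(1u << (port & 7)); }

int port_is_blocked(uint16_t port) { return (blocked_ports[port >> 3] >> (port & 7)) & 1; }

/* Block every port in lo..hi inclusive; unsigned loop so hi=65535 terminates. */
void block_port_range(uint16_t lo, uint16_t hi) {
    for (unsigned p = lo; p <= hi; p++)
        block_port((uint16_t)p);
}

/* Pick an alias port: start at a (caller-supplied) random offset inside
 * the mask, probe linearly with wrap-around, and skip blocked entries.
 * Returns 0 (never a valid alias port here) if the whole range is blocked. */
uint16_t choose_alias_port(unsigned seed) {
    unsigned start = seed & ALIAS_PORT_MASK;
    for (unsigned i = 0; i <= ALIAS_PORT_MASK; i++) {
        uint16_t port = (uint16_t)(ALIAS_PORT_BASE + ((start + i) & ALIAS_PORT_MASK));
        if (!port_is_blocked(port))
            return port;
    }
    return 0;
}
```

A list-based variant would only change port_is_blocked(); the chooser stays the same, which is the property that lets other libalias users stay unaware of the restriction.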
