Controlling ports used by natd

Brett Glass brett at lariat.org
Fri Dec 12 15:21:02 PST 2003


At 11:19 AM 12/12/2003, Barney Wolff wrote:

>How is this problem confined to NAT?  Seems to me that any system
>connecting to the Internet would have the same issue, if it's actually
>a problem at all.

Well, yes and no. A system behind a firewall that uses a port that's
commonly used by a worm could find a session blocked, because the
firewall can't trust it not to be infected just because it's inside.
But hopefully, it'd retry and would get another port the next time.
With NAT, there's a bigger problem: the firewall that's doing NAT may
give it the same port again and again, locking it out. (I've seen
this happen.)

>So if I were going to solve it (which I'm not) I would expose the kernel's
>"pick a high port" function, add hitlist capability, and have libalias use it.

Not a bad way to go, actually. It'd be nice to restrict which ports the OS
allowed apps to use, not only so that they don't get blocked by a firewall
but so that a worm that's gotten into the system is detected. (You could set
off an alarm if it tried to bind a "forbidden" port.)

--Brett
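A small simulation of the two points above (a NAT that hands back the same blocked port on every retry, versus a hitlist-aware "pick a high port" function that can also raise an alarm on a forbidden bind). This is an added illustration, not code from natd, libalias or either poster; the port range, the hitlist contents and the function names are constructed for the example.

```python
"""Hitlist-aware ephemeral port picker, sketched from the thread's proposal.

Added example; the 49152-65535 range, the HITLIST values and all function
names are assumptions for illustration, not natd/libalias code.
"""
import random

HIFIRST, HILAST = 49152, 65535  # assumed "high port" range

# Constructed hitlist: ports the site firewall drops because worms use them.
# 49152 is included on purpose so the naive allocator hits it first.
HITLIST = frozenset({49152, 4444, 5554})


def naive_pick(in_use):
    """Lowest free port: after a blocked session is torn down, the next
    attempt gets the very same port again (the lock-out Brett describes)."""
    port = HIFIRST
    while port in in_use:
        port += 1
    if port > HILAST:
        raise RuntimeError("ephemeral port range exhausted")
    return port


def pick_high_port(in_use, hitlist=HITLIST, rng=random):
    """Random free port that is never on the hitlist; raises when none is left."""
    candidates = [p for p in range(HIFIRST, HILAST + 1)
                  if p not in in_use and p not in hitlist]
    if not candidates:
        raise RuntimeError("no usable port outside the hitlist")
    return rng.choice(candidates)


def bind_check(pid, port, hitlist=HITLIST):
    """Policy hook for bind(): an alarm record when a forbidden port is asked for."""
    if port in hitlist:
        return {"alarm": True, "pid": pid, "port": port,
                "reason": "bind to hitlisted port"}
    return {"alarm": False, "pid": pid, "port": port}


def simulate_retries(picker, firewall_blocks, attempts=5):
    """Each retry starts with the failed session torn down (its port freed).
    Returns how many of the attempts the firewall blocked."""
    blocked = 0
    for _ in range(attempts):
        if picker(in_use=set()) in firewall_blocks:
            blocked += 1
    return blocked
```

Run with the naive picker every retry lands on the blocked port; with the hitlist-aware picker none do.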



More information about the freebsd-net mailing list