Controlling ports used by natd
Barney Wolff
barney at databus.com
Fri Dec 12 16:19:15 PST 2003
On Fri, Dec 12, 2003 at 04:20:04PM -0700, Brett Glass wrote:
> At 11:19 AM 12/12/2003, Barney Wolff wrote:
>
> >How is this problem confined to NAT? Seems to me that any system
> >connecting to the Internet would have the same issue, if it's actually
> >a problem at all.
>
> Well, yes and no. A system behind a firewall that uses a port that's
> commonly used by a worm could find a session blocked, because the
> firewall can't trust it not to be infected just because it's inside.
> But hopefully, it'd retry and would get another port the next time.
> With NAT, there's a bigger problem: the firewall that's doing NAT may
> give it the same port again and again, locking it out. (I've seen
> this happen.)
This *should* not happen if the end-host uses different source ports
on each try, at least as I read the alias_db.c code.
Have you tried the -same_ports option?
> >So if I were going to solve it (which I'm not) I would expose the kernel's
>>"pick a high port" function, add hitlist capability, and have libalias use it.
>
> Not a bad way to go, actually. It'd be nice to restrict which ports the OS
> allowed apps to use, not only so that they don't get blocked by a firewall
> but so that a worm that's gotten into the system is detected. (You could set
> off an alarm if it tried to bind a "forbidden" port.)
For most systems, the coarse granularity of sysctl net.inet.ip.portrange
would seem sufficient.
I have a real philosophical problem with ceding ports to worms, viruses
and trojans. Where will it stop? Portno is a finite resource.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
More information about the freebsd-net
mailing list