Controlling ports used by natd

[Barney Wolff]

On Fri, Dec 12, 2003 at 08:18:11PM -0700, Brett Glass wrote:
> At 07:18 PM 12/12/2003, Barney Wolff wrote:
> 
> >In fact, your real problem is with lazy
> >firewalls that can't tell UDP responses from requests.  A stateless
> >firewall is an ACL, not a firewall.  That works not so badly for TCP
> >but is simply inadequate for UDP.
> 
> Not so. A stateful firewall on UDP might keep a worm from getting in,
> but it could still propgagate out. We don't want them getting through
> in either direction (especially since we don't want our users infecting
> one another). So, a full block of the port is appropriate. Especially
> since, in most cases, that port isn't a service that would be safe to use
> across the Net. Ports 135, 137, and 139, for example, should be blocked not
> only because they can spread worms and popup spam but because they
> should not be used on the open Internet.

A stateful firewall is not limited to blocking inbound requests.  If
you want to block outbound requests to UDP port 12345, fine.  But don't
block a response from port 53 to your host's port 12345, and don't
(if you run a nameserver) block a UDP packet from outside port 12345
to your nameserver's port 53, or the response.  A stateful firewall,
sensibly configured, can do all that; an ACL usually can't.

I believe in ACLs and have configured them on every router for which
I've had enable.  I also believe in firewalls, for what ACLs can't do.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.