Controlling ports used by natd
Charles Swiger
cswiger at mac.com
Sun Dec 14 11:40:49 PST 2003
On Dec 12, 2003, at 7:19 PM, Barney Wolff wrote:
> I have a real philosophical problem with ceding ports to worms, viruses
> and trojans. Where will it stop? Portno is a finite resource.
This is a respectable position, but the notion of categorizing ranges
of ports into an association with a security policy already exists:
bindresvport().
Perhaps one could argue that this limitation isn't that meaningful now
that it's unfortunately common for malware to be running with root
privileges, or the Windows equivalent, more likely. Still, if you and
your users don't run untrusted programs as root, system permissions
will prevent malware from acting as a rogue
DHCP/DNS/arp/routed/NMBD/whatever server, sniffing the local network,
etc., all of which contributes to slowing down the opportunities for
and rate at which a worm spreads.
--
-Chuck
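As an added example, not from the post or from any libc, the C program below emulates the reserved-port walk that bindresvport() performs (try ports downward from 1023) so the privilege boundary Chuck points at is observable: an unprivileged process gets EACCES for every port below 1024, while root (or CAP_NET_BIND_SERVICE on Linux) gets a port. The range bounds and function names are assumptions of this example.

```c
/* Added example: mimic bindresvport() by hand to show the kernel's
 * reserved-port policy. Names and range constants are our own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define RESV_HIGH 1023   /* IPPORT_RESERVED - 1 */
#define RESV_LOW   600   /* assumed lower bound of the walk */

/* Policy in the sense of the thread: ports below 1024 need privilege. */
int port_is_reserved(int port)
{
    return port > 0 && port < IPPORT_RESERVED;
}

/* Try to bind sd to a reserved port, highest first. Returns the bound
 * port (> 0) or -errno. EACCES/EPERM means the privilege check fired. */
int bind_reserved_port(int sd)
{
    struct sockaddr_in sin;
    int last_err = EADDRINUSE;

    for (int port = RESV_HIGH; port >= RESV_LOW; port--) {
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sin.sin_port = htons((unsigned short)port);
        if (bind(sd, (struct sockaddr *)&sin, sizeof sin) == 0)
            return port;
        last_err = errno;
        if (errno == EACCES || errno == EPERM)
            break;   /* no privilege: lower ports will fail the same way */
    }
    return -last_err;
}

/* Open a TCP socket, attempt the reserved bind, close it. */
int try_reserved_bind(void)
{
    int sd = socket(AF_INET, SOCK_STREAM, 0);
    if (sd < 0)
        return -errno;
    int r = bind_reserved_port(sd);
    close(sd);
    return r;
}

int main(void)
{
    int r = try_reserved_bind();
    if (r > 0)
        printf("bound reserved port %d (process is privileged)\n", r);
    else
        printf("reserved bind refused: %s\n", strerror(-r));
    return 0;
}
```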