Controlling ports used by natd
Mike Silbersack
silby at silby.com
Tue Dec 23 01:29:07 PST 2003
On Mon, 22 Dec 2003, Brett Glass wrote:
> Good idea. One might also want to set a separate pair of sysctl variables
> to control the range of ports selected by libalias, just in case the
> administrator wanted to reserve distinct ports for NAT.
>
> --Brett
I think that it might be best to keep choosing ports inside of libalias.
Adding yet another port range would just complicate the kernel more
without much benefit.
You know, since we're talking about blocking specific ports, port ranges
for specific applications, etc... it almost sounds like this is a firewall
issue. ipfw can already filter by uid, and you can already deny packets
to / from port ranges, so maybe it would be possible to add a quick hack
into the port binding routines that would check to see if sending a packet
to / from that port would be valid before completing the bind. Of course,
that would only give you deny capabilities, but I think that might be good
enough for your purposes, and it should be relatively straightforward to
implement. Also, it would not break ephemeral port binding, as that piece
of code will simply try all possible ports in the range before giving up.
Unfortunately, I'm not familiar with ipfw's internals at all, I do not
know how easy it would be to query it for allow / deny with just a few
bits of ip information.
Mike "Silby" Silbersack
More information about the freebsd-net
mailing list