Date:      Sun, 14 Dec 2003 15:31:01 -0500
From:      Barney Wolff <barney@databus.com>
To:        Charles Swiger <cswiger@mac.com>
Cc:        net@freebsd.org
Subject:   Re: Controlling ports used by natd
Message-ID:  <20031214203101.GA5552@pit.databus.com>
In-Reply-To: <72143632-2E6D-11D8-824E-003065A20588@mac.com>
References:  <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com> <72143632-2E6D-11D8-824E-003065A20588@mac.com>

On Sun, Dec 14, 2003 at 02:41:00PM -0500, Charles Swiger wrote:
> On Dec 12, 2003, at 7:19 PM, Barney Wolff wrote:
> >I have a real philosophical problem with ceding ports to worms, viruses
> >and trojans.  Where will it stop?  Portno is a finite resource.
> 
> This is a respectable position, but the notion of categorizing ranges 
> of ports into an association with a security policy already exists: 
> bindresvport().
> 
> Perhaps one could argue that this limitation isn't that meaningful now 
> that it's unfortunately common for malware to be running with root 
> privileges-- or the Windows equivalent, more likely.  Still, if you and 
> your users don't run untrusted programs as root, system permissions 
> will prevent malware from acting as a rogue 
> DHCP/DNS/arp/routed/NMBD/whatever server, sniffing the local network, 
> etc...all of which contributes to slowing down the opportunities for 
> and rate at which a worm spreads.

The difference is who gets to decide that a port or port range is
reserved.  I'm happy to cede authority to the IANA, or other standards
body.  I'm not willing to cede it to malware writers.

Regardless of philosophy, correctly configured stateful firewalls do not
need to prevent ordinary programs from binding particular source port
numbers to prevent access to and spread of worms.  It's enough to block
particular dest ports on requests.*  Statefulness is required to tell
a UDP request from a response.

* Actually, a sensible firewall config allows only needed ports and
blocks all others.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
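The point Barney makes in the message above (a stateful filter only needs to block particular destination ports on outbound requests, and needs state to tell a UDP reply from an unsolicited UDP request) can be shown with a small packet-filter simulation. This is an added example, not code from the thread or from natd/ipfw; the addresses, the traffic and the allow-list policy are all constructed for illustration.

```python
"""Stateless vs. stateful filtering of the same constructed traffic.

The stateless filter has to open inbound ports above 1023 so that UDP
replies (e.g. DNS answers) can get back in, because a reply and an
unsolicited request aimed at that port carry identical header fields.
The stateful filter allows only needed outbound destination ports,
records each permitted request, and admits an inbound packet only if it
is the exact reverse of a recorded request. Neither filter cares which
source port a local program bound.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN


Flow = Tuple[str, str, int, str, int]


def flow_key(p: Packet) -> Flow:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> Flow:
    # The reply to (src:sport -> dst:dport) arrives from dst:dport to src:sport.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatelessFilter:
    """Judges each packet on its own header fields."""

    def __init__(self, allowed_dest_ports: Set[int]):
        self.allowed = allowed_dest_ports

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            return p.dport in self.allowed
        # Inbound: must accept high ports blindly or replies never come back.
        return p.dport > 1023


class StatefulFilter:
    """Default-deny; inbound traffic is admitted only as a matching reply."""

    def __init__(self, allowed_dest_ports: Set[int]):
        self.allowed = allowed_dest_ports
        self.state: Set[Flow] = set()

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.dport not in self.allowed:
                return False
            self.state.add(flow_key(p))   # remember the request we let out
            return True
        return reverse_key(p) in self.state


def run(filt, packets: Iterable[Packet]) -> List[bool]:
    return [filt.allow(p) for p in packets]


# Constructed traffic using documentation address ranges.
LAN = "192.0.2.10"
RESOLVER = "198.51.100.53"
STRANGER = "203.0.113.7"
TRAFFIC = [
    Packet("udp", LAN, 40000, RESOLVER, 53, "out"),    # DNS query, arbitrary source port
    Packet("udp", RESOLVER, 53, LAN, 40000, "in"),     # the genuine reply
    Packet("udp", STRANGER, 53, LAN, 40000, "in"),     # unsolicited packet shaped like a reply
    Packet("udp", LAN, 40001, STRANGER, 9999, "out"),  # request to a dest port the policy does not need
    Packet("tcp", STRANGER, 1025, LAN, 8080, "in"),    # inbound connection attempt to a high port
]
POLICY = {53, 80, 443}   # constructed allow-list of needed destination ports


def compare() -> Dict[str, List[bool]]:
    """Verdicts of both filters over TRAFFIC, in packet order."""
    return {
        "stateless": run(StatelessFilter(POLICY), TRAFFIC),
        "stateful": run(StatefulFilter(POLICY), TRAFFIC),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Packets 3 and 5 are the ones that matter: the stateless filter passes both because it cannot distinguish them from replies, while the stateful filter drops them because no recorded outbound request matches. Packet 1 shows that the local source port (40000 here) never enters the decision, which is why restricting what ports ordinary programs may bind buys nothing once the filter keeps state.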