Date:      Sat, 13 Dec 2003 01:16:22 -0500
From:      Barney Wolff <barney@databus.com>
To:        Brett Glass <brett@lariat.org>
Cc:        net@freebsd.org
Subject:   Re: Controlling ports used by natd
Message-ID:  <20031213061622.GA45267@pit.databus.com>
In-Reply-To: <6.0.0.22.2.20031212201423.04a0dec0@localhost>
References:  <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com> <6.0.0.22.2.20031212175801.04b066d8@localhost> <20031213021813.GA42371@pit.databus.com> <6.0.0.22.2.20031212201423.04a0dec0@localhost>

On Fri, Dec 12, 2003 at 08:18:11PM -0700, Brett Glass wrote:
> At 07:18 PM 12/12/2003, Barney Wolff wrote:
> 
> >In fact, your real problem is with lazy
> >firewalls that can't tell UDP responses from requests.  A stateless
> >firewall is an ACL, not a firewall.  That works not so badly for TCP
> >but is simply inadequate for UDP.
> 
> Not so. A stateful firewall on UDP might keep a worm from getting in,
> but it could still propagate out. We don't want them getting through
> in either direction (especially since we don't want our users infecting
> one another). So, a full block of the port is appropriate. Especially
> since, in most cases, that port isn't a service that would be safe to use
> across the Net. Ports 135, 137, and 139, for example, should be blocked not
> only because they can spread worms and popup spam but because they
> should not be used on the open Internet.

A stateful firewall is not limited to blocking inbound requests.  If
you want to block outbound requests to UDP port 12345, fine.  But don't
block a response from port 53 to your host's port 12345, and don't
(if you run a nameserver) block a UDP packet from outside port 12345
to your nameserver's port 53, or the response.  A stateful firewall,
sensibly configured, can do all that; an ACL usually can't.

I believe in ACLs and have configured them on every router for which
I've had enable.  I also believe in firewalls, for what ACLs can't do.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
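As an added illustration of the distinction drawn above (this is constructed example code, not from the thread, and not FreeBSD's ipfw or natd), the script below runs the same six UDP packets through a port-only ACL that fully blocks UDP 12345 and through a minimal stateful filter that remembers admitted flows. The addresses (10.0.0.5 as a client, 10.0.0.53 as the site's nameserver, 198.51.100.x and 203.0.113.x as outside hosts) and the packets are constructed for the example; port 12345 is the one used in the message.

```python
from dataclasses import dataclass

# Constructed addresses for the example (not from the thread):
INSIDE_NET = {"10.0.0.5", "10.0.0.53"}   # 10.0.0.5 is a client, 10.0.0.53 runs a nameserver
NAMESERVER = "10.0.0.53"
BLOCKED_UDP_PORT = 12345                  # the port used as the example in the message


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def outbound(self) -> bool:
        return self.src_ip in INSIDE_NET


def stateless_acl(pkt: UdpPacket) -> str:
    """Port-only ACL implementing a 'full block' of UDP 12345.

    It cannot tell a request from a reply, so it matches either port in either
    direction, and therefore also drops DNS traffic that merely happens to use
    12345 as an ephemeral or remote source port."""
    if BLOCKED_UDP_PORT in (pkt.src_port, pkt.dst_port):
        return "deny"
    return "allow"


class StatefulFilter:
    """Stateful UDP filter: remembers admitted flows and lets the reply half through."""

    def __init__(self) -> None:
        # flow key: (inside_ip, inside_port, outside_ip, outside_port)
        self.flows: set = set()

    @staticmethod
    def _key(pkt: UdpPacket):
        # Normalise both directions of a flow to the same key.
        if pkt.outbound:
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decide(self, pkt: UdpPacket) -> str:
        key = self._key(pkt)
        if key in self.flows:
            return "allow"                 # reply half of a flow we already admitted
        if pkt.outbound:
            if pkt.dst_port == BLOCKED_UDP_PORT:
                return "deny"              # the outbound *request* the policy targets
            self.flows.add(key)            # record it so the reply can come back
            return "allow"
        # New inbound flow: only the service we publish, whatever the remote source port.
        if pkt.dst_ip == NAMESERVER and pkt.dst_port == 53:
            self.flows.add(key)
            return "allow"
        return "deny"


# Constructed traffic covering the cases described in the message.
SCENARIO = [
    ("client DNS query using ephemeral port 12345",
     UdpPacket("10.0.0.5", 12345, "198.51.100.1", 53)),
    ("DNS reply from port 53 to the client's port 12345",
     UdpPacket("198.51.100.1", 53, "10.0.0.5", 12345)),
    ("outbound request to a remote UDP port 12345",
     UdpPacket("10.0.0.5", 40000, "198.51.100.9", 12345)),
    ("inbound query from remote port 12345 to our nameserver's port 53",
     UdpPacket("203.0.113.7", 12345, NAMESERVER, 53)),
    ("nameserver reply back to remote port 12345",
     UdpPacket(NAMESERVER, 53, "203.0.113.7", 12345)),
    ("unsolicited inbound packet to the client's port 12345",
     UdpPacket("203.0.113.7", 12345, "10.0.0.5", 12345)),
]


def compare_policies(scenario=SCENARIO):
    """Run the same packets through both policies; returns (label, acl, stateful) rows."""
    fw = StatefulFilter()
    return [(label, stateless_acl(pkt), fw.decide(pkt)) for label, pkt in scenario]


if __name__ == "__main__":
    for label, acl, stateful in compare_policies():
        print(f"{label:65s} acl={acl:5s} stateful={stateful}")
```

Run as-is, the table shows the ACL denying all six packets, including both legitimate DNS exchanges, while the stateful filter denies only the two the policy is actually about: the outbound request to a remote port 12345 and the unsolicited inbound packet. The filter never matches on the remote port of an admitted flow, which is why the nameserver case works regardless of which source port the outside resolver chose.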

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031213061622.GA45267>