Date:      Mon, 27 Jul 1998 10:33:29 -0400 (EDT)
From:      Robert Watson <robert@cyrus.watson.org>
To:        "Jan B. Koum " <jkb@best.com>
Cc:        sthaug@nethelp.no, j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw rules to allow DNS activity
Message-ID:  <Pine.BSF.3.96.980727101913.8094A-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.3.96.980727021508.4055A-100000@shell6.ba.best.com>

On Mon, 27 Jul 1998, Jan B. Koum wrote:

> 	Hmm.. You sure? Not according to Stevens and my tcpdump:
> 
> >- You can't know the source port in zone transfers initiated from your
> >own name server. It won't be 53 - remember that zone transfers are
> >performed by a separate program (named-xfer).
> 
> 	This is from running "host -l some.host" in the other xterm:
> 
> 02:15:05.598279 nfr.2509 > 209.157.102.11.domain: S
> 3408638927:3408638927(0) win 16384 <mss 1460,nop,wscale0,nop,nop,timestamp
> [|tcp]> (DF)
>
[snip]
> 
> 	It is going from my host, nfr to the nameserver, 209.157.192.11,
> destination port 53 using tcp.
> 	Replies are coming back from 209.157.192.11, port 53 using tcp
> back to me. I don't see how this is "won't be 53" -- am I missing
> something in this picture?

Does this differ on NT/Windows/Macintosh?  I don't know if they have the
same concept of "reserved ports" as they don't tend to have the same trust
model that NFS/rsh/etc use.  I've never checked to see whether
Mac/Windows95 allocate ports <1024 for outgoing connections.  Under NT,
anyway, one assumes they don't so that various services can run on them
unhindered?

I could easily see some Microsoft programmer saying "hmm. I'll make an
outgoing connection from port 867 on this machine to port 23 on that
one.." :)

Stevens' new UNIX Network Programming book has port range information for
BSD and Solaris, but no Microsoft/etc. info (it being a UNIX network
programming book :).

  Robert N Watson 

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
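Because the disagreement above turns on which source port the client side of a zone transfer uses, here is an added example (mine, not from the thread or from FreeBSD's ipfw) that parses tcpdump lines in the format quoted in the post and evaluates them against two minimal ipfw-style rule sets. The rule model, the two extra capture lines, and the default-deny fall-through are assumptions for illustration.

```python
import re

SERVICES = {"domain": 53}  # tcpdump prints well-known ports by name unless run with -n

# First line is the one quoted in the thread (options truncated as tcpdump printed them);
# the next two are constructed: the server's SYN/ACK and the client's ACK on that connection.
CAPTURE = [
    "02:15:05.598279 nfr.2509 > 209.157.102.11.domain: S 3408638927:3408638927(0) win 16384 [|tcp]> (DF)",
    "02:15:05.601204 209.157.102.11.domain > nfr.2509: S 1191190000:1191190000(0) ack 3408638928 win 16384 (DF)",
    "02:15:05.601911 nfr.2509 > 209.157.102.11.domain: . ack 1 win 16384 (DF)",
]
PKT = re.compile(r"^\S+ (?P<sh>\S+)\.(?P<sp>\w+) > (?P<dh>\S+)\.(?P<dp>\w+): (?P<fl>\S+)(?P<rest>.*)$")

def port(name):
    return SERVICES.get(name) or int(name)

def parse(line):
    """Pull the endpoints and a TCP flag summary out of one tcpdump line."""
    m = PKT.match(line)
    if m is None:
        raise ValueError("unrecognised tcpdump line: " + line)
    has_ack = " ack " in m["rest"]
    return {"src": m["sh"], "sport": port(m["sp"]), "dst": m["dh"], "dport": port(m["dp"]),
            "syn_only": m["fl"] == "S" and not has_ack,   # what ipfw's "setup" keyword matches
            "established": has_ack,                       # what ipfw's "established" keyword matches
            "reserved_src": port(m["sp"]) < 1024}         # the "<1024" question raised in the reply

def rule(action, sport=None, dport=None, setup=False, established=False):
    """Model of 'ipfw add <action> tcp from any [sport] to any [dport] [setup|established]' (assumed)."""
    return dict(action=action, sport=sport, dport=dport, setup=setup, established=established)

def decide(pkt, rules):
    """First matching rule wins, as in ipfw; no match falls through to an assumed default deny."""
    for r in rules:
        if r["sport"] not in (None, pkt["sport"]) or r["dport"] not in (None, pkt["dport"]):
            continue
        if (r["setup"] and not pkt["syn_only"]) or (r["established"] and not pkt["established"]):
            continue
        return r["action"]
    return "deny"

# Written on the assumption that the transfer leaves from source port 53: matches nothing here.
SRC_PORT_53 = [rule("allow", sport=53, dport=53)]
# Pins only the destination port on the SYN and accepts the rest of the connection once set up.
ANY_SRC_PORT = [rule("allow", dport=53, setup=True), rule("allow", established=True)]

def verdicts(rules):
    return [decide(parse(line), rules) for line in CAPTURE]
```

With the quoted capture, `verdicts(SRC_PORT_53)` denies every packet because the client's SYN leaves from port 2509, while `verdicts(ANY_SRC_PORT)` allows all three.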

