At 07:18 PM 12/12/2003, Barney Wolff wrote: >In fact, your real problem is with lazy >firewalls that can't tell UDP responses from requests. A stateless >firewall is an ACL, not a firewall. That works not so badly for TCP >but is simply inadequate for UDP.
Not so. A stateful firewall on UDP might keep a worm from getting in, but it could still propgagate out. We don't want them getting through in either direction (especially since we don't want our users infecting one another). So, a full block of the port is appropriate. Especially since, in most cases, that port isn't a service that would be safe to use across the Net. Ports 135, 137, and 139, for example, should be blocked not only because they can spread worms and popup spam but because they should not be used on the open Internet. --Brett _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
