Neil Moore-Smith wrote:
> > Now, the problem I see is that suddenly, ANY udp port locally is now
> > accessible as long as it originates from port 53 on the outside. This is a
> > massive security hole as far as I'm concerned.
> >
> > What can be done about this? Suggestions? Comments? ... Glynn? :)
>
>
> Surely, the only problem is when someone on the outside tries to connect to
> a port which is configured to respond with a service (telnet, SMTP, FTP
> etc)? Isn't the solution simply to restrict the port range on the ipfwadm
> command line, so that the only local ports that can be accessed are those
> which don't support a service?
Yes, but how do you determine if there will be something listening on
a given port?
Non-privileged programs can listen on anything > 1024. E.g. XEmacs'
gnuserv program (which allows commands to be sent to XEmacs using
gnuclient) listens on port 21490 + uid by default. Active-mode FTP
creates listening sockets for the data channel. Other programs may
also create listening sockets for whatever purpose.
Consequently, you need to restrict inbound traffic to those ports
which are known to be safe.
--
Glynn Clements <[EMAIL PROTECTED]>
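To make concrete why a "source port 53 may reach any local port" rule exposes every local UDP listener, here is an added example that is not code from this thread and not ipfwadm itself: a small Python model of a first-match, stateless input filter. It compares the permissive rule described above with a variant that only accepts DNS replies addressed to the resolver's ephemeral port range. The ephemeral range, the uid of 500 used to derive the gnuserv port, and the sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)
ANY = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str          # "accept" or "deny"
    proto: str           # "udp" or "tcp"
    src_ports: PortRange
    dst_ports: PortRange
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


def in_range(port: int, rng: PortRange) -> bool:
    lo, hi = rng
    return lo <= port <= hi


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in a classic stateless input chain.
    Nothing here remembers outbound queries, so a reply is judged purely
    on its protocol and port numbers."""
    for r in rules:
        if (r.proto == pkt.proto
                and in_range(pkt.src_port, r.src_ports)
                and in_range(pkt.dst_port, r.dst_ports)):
            return r.action
    return default


# The rule the thread complains about: anything arriving from UDP source
# port 53 is accepted, whatever local port it is aimed at.
PERMISSIVE = [Rule("accept", "udp", (53, 53), ANY, "DNS replies (too broad)")]

# Narrowed variant: accept replies only into the range the local resolver
# actually uses for its queries. The range itself is a constructed example,
# not a value from the thread.
RESOLVER_EPHEMERAL = (32768, 60999)
RESTRICTED = [Rule("accept", "udp", (53, 53), RESOLVER_EPHEMERAL,
                   "DNS replies to resolver ports only")]

# gnuserv listens on 21490 + uid (per the thread); uid 500 is assumed here.
GNUSERV_PORT = 21490 + 500

# Constructed sample traffic as seen by the firewall.
SAMPLE_PACKETS = [
    Packet("udp", 53, 40000),         # genuine DNS reply to the resolver
    Packet("udp", 53, GNUSERV_PORT),  # source port 53 aimed at gnuserv
    Packet("udp", 53, 111),           # source port 53 aimed at a privileged port
    Packet("udp", 1234, 40000),       # non-DNS source port
]


def audit(rules: List[Rule]) -> Dict[Tuple[int, int], str]:
    """Map (src_port, dst_port) of each sample packet to the verdict."""
    return {(p.src_port, p.dst_port): evaluate(rules, p) for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name)
        for (src, dst), verdict in audit(rules).items():
            print(f"  udp {src:>5} -> {dst:<5} {verdict}")
```

Under the permissive rule every sample packet from source port 53 is accepted, including the one aimed at the gnuserv port. The restricted rule rejects that packet and the one aimed at port 111, but it still admits anything within the allowed range, which is exactly Glynn's objection: a stateless port filter can only shrink the exposed set of ports, it cannot tell a real reply from traffic that merely uses source port 53 to reach a listener that happens to live in the permitted range.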