Security Incidents mailing list archives

Re: Advice sought


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 27 Feb 2001 11:20:01 -0700

On Tue, 27 Feb 2001, John Lampe wrote:

> What are the chances that several computers on a network all made
> connections to the same external IP, using the same src port?

High, if the protocol is DNS. Many will use 53 as a source, and
they will all want to go talk to the root servers.  However...

> Does the
> firewall NAT outgoing connections with src port = 3967)?  If so, what is the
> firewall? :-)

Most NAT implementations will translate source ports within their
privilege range.  I.e. 53, being less than 1024, would tend to PAT to a
source of <1024 as well.  Of course, if a NAT device is translating them
all to the same source port to the same IP, then it's obviously quite
broken.

I've had Firewall-1 step on its own state table under the above DNS
example.

                                                Ryan
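Added example, not part of Ryan Russell's message or of any product mentioned in the thread: a toy PAT translator that keeps a translated port in the same privilege class as the original (the behaviour the reply describes), plus a check over constructed firewall log lines for the pattern John Lampe asked about, several internal hosts reaching one external IP from one source port. The translator, the log format, the address 192.0.2.1 as the public side, and the "expected for DNS 53 -> 53, suspicious otherwise" rule are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from itertools import chain

PRIV_MAX = 1023            # ports below 1024 are the "privileged" class
EPHEMERAL = (1024, 65535)  # everything else


class PatTable:
    """Toy port-address translator (assumption: models the behaviour the
    message describes, not any specific product).  A translated port keeps
    the privilege class of the original: <1024 stays <1024, >=1024 stays
    >=1024.  The original port is reused when free, so only the second and
    later hosts talking to the same destination get rewritten."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.mappings = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.in_use = set()  # (public port, dst_ip, dst_port) already allocated

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.mappings:
            return self.public_ip, self.mappings[key]
        lo, hi = (1, PRIV_MAX) if src_port <= PRIV_MAX else EPHEMERAL
        # Try the original port first, then the lowest free port in its class.
        for port in chain([src_port], range(lo, hi + 1)):
            if (port, dst_ip, dst_port) not in self.in_use:
                self.in_use.add((port, dst_ip, dst_port))
                self.mappings[key] = port
                return self.public_ip, port
        raise RuntimeError("no free port left in this class")


LOG_RE = re.compile(
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)")

# Constructed sample log lines (not from the thread): three internal hosts
# query one resolver from source port 53, and three reach one web server
# from source port 3967.  The last line is a normal single connection.
SAMPLE_LOG = """\
Feb 27 11:00:01 fw accept 10.0.0.5:53 -> 198.51.100.53:53 udp
Feb 27 11:00:02 fw accept 10.0.0.7:53 -> 198.51.100.53:53 udp
Feb 27 11:00:03 fw accept 10.0.0.9:53 -> 198.51.100.53:53 udp
Feb 27 11:00:04 fw accept 10.0.0.5:3967 -> 203.0.113.9:80 tcp
Feb 27 11:00:05 fw accept 10.0.0.7:3967 -> 203.0.113.9:80 tcp
Feb 27 11:00:06 fw accept 10.0.0.9:3967 -> 203.0.113.9:80 tcp
Feb 27 11:00:07 fw accept 10.0.0.5:1054 -> 203.0.113.9:80 tcp
""".splitlines()


def classify(src_port, dst_port):
    """DNS servers classically send from source port 53 to other DNS servers,
    so many hosts doing 53 -> 53 is expected; several hosts sharing an
    ephemeral source port toward one destination is not."""
    if src_port == 53 and dst_port == 53:
        return "expected (DNS, source port 53)"
    return "suspicious (shared source port)"


def shared_source_ports(lines, min_hosts=2):
    """Group connections by (dst_ip, dst_port, src_port) and report the groups
    in which at least min_hosts distinct internal hosts share a source port."""
    hosts = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not connection records
        d = m.groupdict()
        hosts[(d["dst_ip"], int(d["dst_port"]), int(d["src_port"]))].add(d["src_ip"])
    findings = []
    for (dst_ip, dst_port, src_port), srcs in sorted(hosts.items()):
        if len(srcs) >= min_hosts:
            findings.append({"dst": f"{dst_ip}:{dst_port}", "src_port": src_port,
                             "hosts": sorted(srcs),
                             "verdict": classify(src_port, dst_port)})
    return findings


def pat_demo():
    """Push every sample connection through the translator and return the
    public port each one gets, in log order."""
    pat = PatTable("192.0.2.1")
    ports = []
    for line in SAMPLE_LOG:
        d = LOG_RE.search(line).groupdict()
        _, port = pat.translate(d["src_ip"], int(d["src_port"]),
                                d["dst_ip"], int(d["dst_port"]))
        ports.append(port)
    return ports


if __name__ == "__main__":
    for finding in shared_source_ports(SAMPLE_LOG):
        print(finding)
    print("translated ports:", pat_demo())
```

Run against the constructed log, the check flags both groups of three hosts but marks only the 3967 -> 80 group as suspicious; the translator gives the first host of each group its original port and the next ones 1 and 2 (privileged class) or 1024 and 1025 (ephemeral class), so the public side never shows one source port shared toward one destination.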

