Nmap Announce mailing list archives

Re: Intrusion detection question.


From: Tomi Ollila <Tomi.Ollila () tfi net>
Date: Thu, 10 Feb 2000 12:54:51 +0200 (EET)

Feb 10 09:51:15 +0100 2000 Michel Arboi <arboi () bigfoot com> wrote:

> A couple of ideas:
> - are there different allocation algorithms for source ports?
> e.g., first free port above 1023, or random free port above 1023...

It would be nice if the Linux IP masquerading code would allocate the ports
from the same space as normal connections originating from the
box. (Maybe some trickery is needed to make everything behave well, but
anyway.) But since Linux 2.4.x will use Netfilter, which offers more
sophisticated NAT features than the current Linux 2.2 masquerading code,
I doubt any change will be developed for the "current" code.

It is pretty easy to change the port range from 61000-65000 in the IP
masquerading code in the Linux sources. Maybe just changing the #defines that set the
range is enough to do the change (better to check that nothing else breaks...).

> - when will a TCP port be reused once the connection is closed?

In the IP masquerading code I think it works pretty much the same as the normal
port allocation scheme. I think the port counter wraps when it hits the
upper limit, and it always checks whether the wanted 5-tuple
(source ip, port - destination ip, port - protocol) is already used and
takes the port that satisfies a non-used tuple.

> mailto:arboi () bigfoot com   http://www.bigfoot.com/~arboi/

Tomi
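As an added illustration of the allocation scheme Tomi describes above (a counter over a fixed range that wraps at the upper limit and skips any port whose 5-tuple is already in use), and of the intrusion-detection angle the thread started from, here is a small Python model. It is example code written for this archive page, not code from the thread, from the Linux kernel, or from either poster. The 61000-65000 range is the one quoted in the thread; the allocator class, the log format and the log lines are constructed assumptions for the example, and the masquerading box's own IP is left implicit in the tuple key. The detection half only generalizes the observation the thread implies: a source port inside the masquerade range is a hint that the connection passed through a Linux 2.2 masquerading box, which is a heuristic, not proof.

```python
from dataclasses import dataclass, field

# Range quoted in the thread for Linux 2.2 IP masquerading (assumption: inclusive).
MASQ_LO, MASQ_HI = 61000, 65000


@dataclass
class MasqAllocator:
    """Toy model of a masquerade port allocator (constructed for this example).

    The counter walks the range, wraps at the upper limit, and a port is handed
    out only if the tuple (port, dst_ip, dst_port, proto) is not already in use.
    The masquerading box's external IP is implicit, so the same port may be
    reused towards a different destination.
    """
    lo: int = MASQ_LO
    hi: int = MASQ_HI
    next_port: int = MASQ_LO
    in_use: set = field(default_factory=set)

    def allocate(self, dst_ip, dst_port, proto="tcp"):
        span = self.hi - self.lo + 1
        for _ in range(span):
            port = self.next_port
            # advance the counter and wrap when the upper limit is hit
            self.next_port = self.lo if port == self.hi else port + 1
            key = (port, dst_ip, dst_port, proto)
            if key not in self.in_use:
                self.in_use.add(key)
                return port
        # every port in the range already carries a flow to this destination
        raise RuntimeError("no free masquerade port for this destination")

    def release(self, port, dst_ip, dst_port, proto="tcp"):
        """Free the tuple when the connection is closed so the port can be reused."""
        self.in_use.discard((port, dst_ip, dst_port, proto))


def likely_masqueraded(src_port, lo=MASQ_LO, hi=MASQ_HI):
    """Defender-side heuristic: is the observed source port inside the masquerade range?"""
    return lo <= src_port <= hi


def flag_masqueraded(log_lines):
    """Parse constructed 'src_ip:src_port -> dst_ip:dst_port' lines and return the
    (src_ip, src_port, dst) entries whose source port lies in the masquerade range."""
    hits = []
    for line in log_lines:
        src, _, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        if likely_masqueraded(int(src_port)):
            hits.append((src_ip, int(src_port), dst))
    return hits


# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "192.0.2.10:61234 -> 198.51.100.5:80",
    "192.0.2.11:1030 -> 198.51.100.5:80",
    "192.0.2.12:64999 -> 198.51.100.5:22",
]

if __name__ == "__main__":
    alloc = MasqAllocator(lo=61000, hi=61002)  # tiny range to show the wrap
    for _ in range(3):
        print("allocated", alloc.allocate("198.51.100.5", 80))
    alloc.release(61000, "198.51.100.5", 80)
    print("after release, reused", alloc.allocate("198.51.100.5", 80))
    for hit in flag_masqueraded(SAMPLE_LOG):
        print("source port in masquerade range:", hit)
```

Shrinking the range to three ports in the demo makes the wrap-around and the tuple check visible in a handful of calls; with the real 61000-65000 range the same logic applies, which is also why the range itself is a fingerprint that a port-range change in the #defines would remove.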



