Nmap Announce mailing list archives
Re: Intrusion detection question.
From: Michel Arboi <arboi () bigfoot com>
Date: 12 Feb 2000 19:35:58 +0100
[sorry if you already received this message. It bounced twice]

Tomi Ollila <Tomi.Ollila () tfi net> writes:

> In IP masquerading code I think it works pretty much the same as the normal port allocation scheme. I think the port counter wraps when it hits the upper limit, and it always checks whether the wanted 5-tuple (source ip, port - destination ip, port - protocol) is already used and takes the port that satisfies a non-used tuple.

That is a fundamental question and I never found a clear answer. RFC 793 does not explain how source port numbers are allocated. It just states that different programs on one machine should use different port numbers.

AFAIK, Unix will never allocate the same TCP port numbers for client programs connecting to different servers, although it could perfectly well do it and comply with RFC 793. As it is not in the norm, it should be a way to identify the OS, unless everybody uses the same algorithm (first free port?). Of course, the answer is quite simple for UDP, as it is not connected.

IMHO, this question is important for big sites: the number of available "client ports" on the firewall (proxy or NAT) will limit the number of simultaneous connections from the internal network to the wild wild Internet.

--
mailto:arboi () bigfoot com
http://www.bigfoot.com/~arboi/
PGP Public keys: http://www.bigfoot.com/~arboi/pubkey.txt
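The two allocation policies discussed above (a source port is unique per host, versus a source port is only unique per 5-tuple) can be compared with a toy model. This is an added example written for this archive page, not code from either poster nor from any masquerading implementation; the tiny port range, the host addresses and the class and function names are all constructed for illustration. It shows the effect Michel points at: with per-host uniqueness the pool of "client ports" caps the number of simultaneous connections outright, while per-tuple uniqueness lets the same port be reused towards different destinations, so the cap scales with the number of distinct destinations.

```python
"""Toy model of source-port allocation behind a NAT or proxy.

Constructed example: a ten-port ephemeral range is used so that pool
exhaustion shows up after a handful of connections.
"""

# Deliberately tiny pool (constructed); real stacks use thousands of ports.
EPHEMERAL_PORTS = list(range(1024, 1034))


class PortAllocator:
    """Hands out source ports with a wrapping counter.

    per_tuple=False: a port may be in use by at most one connection on the
                     host (the behaviour Michel describes for Unix clients).
    per_tuple=True:  a port may be reused as long as the full 5-tuple
                     (src ip, src port, dst ip, dst port, proto) is unused
                     (the behaviour Tomi describes for masquerading).
    """

    def __init__(self, per_tuple, ports=EPHEMERAL_PORTS):
        self.per_tuple = per_tuple
        self.ports = list(ports)
        self.next_idx = 0          # position of the wrapping port counter
        self.in_use = set()        # set of 5-tuples currently allocated

    def _taken(self, src_ip, port, dst_ip, dst_port, proto):
        if self.per_tuple:
            return (src_ip, port, dst_ip, dst_port, proto) in self.in_use
        # Per-host policy: any connection on this src ip/port/proto blocks reuse.
        return any(t[0] == src_ip and t[1] == port and t[4] == proto
                   for t in self.in_use)

    def allocate(self, src_ip, dst_ip, dst_port, proto="tcp"):
        """Return a free source port, or None when the pool is exhausted."""
        for _ in range(len(self.ports)):
            port = self.ports[self.next_idx]
            # Counter wraps when it hits the upper limit of the range.
            self.next_idx = (self.next_idx + 1) % len(self.ports)
            if not self._taken(src_ip, port, dst_ip, dst_port, proto):
                self.in_use.add((src_ip, port, dst_ip, dst_port, proto))
                return port
        return None

    def release(self, src_ip, port, dst_ip, dst_port, proto="tcp"):
        """Free a 5-tuple once the connection has closed."""
        self.in_use.discard((src_ip, port, dst_ip, dst_port, proto))


def simulate(per_tuple, n_destinations, attempts):
    """Open `attempts` connections round-robin over `n_destinations` servers
    from one internal host; return how many got a source port."""
    alloc = PortAllocator(per_tuple)
    # Constructed addresses: one NAT external address, a few remote servers.
    src_ip = "192.0.2.1"
    destinations = [f"198.51.100.{i + 1}" for i in range(n_destinations)]
    granted = 0
    for i in range(attempts):
        dst_ip = destinations[i % n_destinations]
        if alloc.allocate(src_ip, dst_ip, 80) is not None:
            granted += 1
    return granted


if __name__ == "__main__":
    # Same pool, two destinations: per-host uniqueness stops at the pool size,
    # per-tuple uniqueness reaches pool size x destinations.
    print("per-host :", simulate(per_tuple=False, n_destinations=2, attempts=30))
    print("per-tuple:", simulate(per_tuple=True, n_destinations=2, attempts=30))
```

The per-host figure is the limit Michel has in mind for a proxy or NAT box: every outbound connection consumes one of the device's client ports regardless of where it is going. The per-tuple figure is the upper bound Tomi's description allows, and the gap between the two is exactly why the allocation policy matters once many internal hosts share one external address.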
Current thread:
- Intrusion detection question. Daniel Swan (Feb 09)
- Re: Intrusion detection question. Vanja Hrustic (Feb 09)
- Re: Intrusion detection question. Jose Nazario (Feb 10)
- fooling nmap Bep Verberk (Feb 10)
- Re: fooling nmap Lance Spitzner (Feb 10)
- Re: fooling nmap CyberPsychotic (Feb 11)
- Re: fooling nmap Vanja Hrustic (Feb 11)
- Re: fooling nmap The Cyberiad (Feb 11)
- Re: Intrusion detection question. Vanja Hrustic (Feb 09)
- Re: Intrusion detection question. Tomi Ollila (Feb 10)
- Re: Intrusion detection question. Michel Arboi (Feb 14)
- Re: Intrusion detection question. Tomi Ollila (Feb 21)