Firewall Wizards mailing list archives

Re: Interesting DNS Traffic -Reply -Reply


From: Einar EINARSSON <einar.einarsson () iea org>
Date: Thu, 03 Jun 1999 18:16:00 +0100

OK, packet filters are not the definitive answer to network
insecurity, there are weaknesses, etc., but still it won't hurt if
I put a few of those in there, right? So as I try to put together
the filtering rule for DNS flow, for example, and given that the
idea of a packet filtering router is to open up as few ports as
possible, and given that one of the few things useful in a
packet header, for this purpose, is the source and destination
ports, how can I write the rule if some DNS lookup
implementations use one source port range and others use
another port range? I mean, how on earth do you program a
router under such circumstances?

Einar


Chris Calabrese <christopher_calabrese () merck com>
6/3/99  2:46 pm >>>
Here's what the IANA
(http://www.isi.edu/in-notes/iana/assignments/port-numbers)
has to say on the subject:

     The port numbers are divided into three ranges: the Well Known
     Ports, the Registered Ports, and the Dynamic and/or Private Ports.

     The Well Known Ports are those from 0 through 1023.

     The Registered Ports are those from 1024 through 49151.

     The Dynamic and/or Private Ports are those from 49152 through 65535.

Both Well Known Ports and Registered Ports are set aside for listeners
(the difference between them has to do with the level of privilege
needed in various OSes to access different port numbers).  It's the
Dynamic ports that programs are supposed to use to connect _from_.
Therefore, the only stance we can take on this based on the RFCs is
that the firewall should allow connections only from 49152-65535.
Experience tells me this isn't going to work.

In most OS implementations, ordinary user processes get ports above
1023 when asking for a port to call out on, and privileged processes
may request the lower numbered ports.  OSes without the concept of
privilege obviously can't follow this model.  Sounds like a pretty
weak model to base a firewall rule on.

Not to mention, why exactly should you care what port the connection
is coming from?  Unless you can guarantee that the connection is
coming from a machine you administer, there's no reason to trust any
port more than any other port.  Guaranteeing where the connection
came from, in this context, means either strong/crypto authentication
or a very small number of IPs in address ranges that the firewalls
guarantee come from a particular net segment where you physically
control that net segment and all the paths leading to it.

--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
christopher_calabrese () merck com
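The two messages above can be checked concretely with a small stateless first-match rule evaluator. The following is an added example, not code from either poster: the rules, the sample packets and the three "resolver source-port conventions" (source port 53, a 1024-5000 style range, a 32768-61000 style range) are constructed to stand in for the differing DNS implementations the first message complains about. It shows that a rule written to the literal IANA dynamic range drops most of the constructed queries, that permitting any source port toward port 53 works but gives up on the source port as a signal, and that the inbound reply rule a stateless filter needs cannot tell a genuine reply from any other packet sent from source port 53, which is the second message's point.

```python
"""Stateless packet-filter rule evaluation for DNS, as an added
illustration of the mailing-list thread.  Not either poster's code;
all rules, packets and port-range conventions here are constructed."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    label: str       # constructed description, used as a result key
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    proto: str
    src_ports: range  # half-open: range(lo, hi + 1) for an inclusive lo-hi
    dst_ports: range


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; nothing matching is denied, the way a
    simple screening router with an implicit final deny behaves."""
    for r in rules:
        if (r.proto == pkt.proto
                and pkt.src_port in r.src_ports
                and pkt.dst_port in r.dst_ports):
            return r.action
    return "deny"


def evaluate(rules: List[Rule], packets: List[Packet]) -> Dict[str, str]:
    return {p.label: first_match(rules, p) for p in packets}


# Constructed outbound DNS queries, one per source-port convention.
# The labels describe an assumed convention, not a specific product.
QUERIES = [
    Packet("query from source port 53", "udp", 53, 53),
    Packet("query from 1024-5000 style ephemeral port", "udp", 1025, 53),
    Packet("query from 32768-61000 style ephemeral port", "udp", 32770, 53),
    Packet("query from IANA dynamic range", "udp", 50000, 53),
]

# Rule set 1: the literal reading of the IANA ranges quoted in the
# thread, i.e. clients must call out from 49152-65535.
IANA_STRICT = [Rule("permit", "udp", range(49152, 65536), range(53, 54))]

# Rule set 2: any source port toward port 53.  This is what works in
# practice, and it treats the source port as carrying no information.
ANY_SOURCE = [Rule("permit", "udp", range(1, 65536), range(53, 54))]

# Rule set 3: the inbound rule a stateless filter needs so that replies
# (source port 53) can reach the resolver's ephemeral port.
REPLY_RULE = [Rule("permit", "udp", range(53, 54), range(1024, 65536))]

# Two inbound packets a stateless filter cannot tell apart: a genuine
# reply to the 1025 query above, and an unrelated packet whose sender
# simply chose source port 53.  Both are constructed.
INBOUND = [
    Packet("genuine reply 53 -> 1025", "udp", 53, 1025),
    Packet("unsolicited packet 53 -> 1025", "udp", 53, 1025),
]


def strict_results() -> Dict[str, str]:
    return evaluate(IANA_STRICT, QUERIES)


def any_source_results() -> Dict[str, str]:
    return evaluate(ANY_SOURCE, QUERIES)


def reply_results() -> Dict[str, str]:
    return evaluate(REPLY_RULE, INBOUND)


if __name__ == "__main__":
    for name, results in (("IANA-strict outbound", strict_results()),
                          ("any-source outbound", any_source_results()),
                          ("stateless reply rule", reply_results())):
        print(name)
        for label, action in results.items():
            print(f"  {action:6s}  {label}")
```

Run it and the IANA-strict set permits only the query from the dynamic range; the any-source set permits all four; and the reply rule permits both inbound packets identically, since source and destination port are all a stateless filter has to look at.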
