Firewall Wizards mailing list archives
Re: Interesting DNS Traffic -Reply
From: Chris Calabrese <christopher_calabrese () merck com>
Date: Thu, 03 Jun 1999 09:46:14 -0400
Here's what the IANA (http://www.isi.edu/in-notes/iana/assignments/port-numbers) has to say on the subject:

    The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023. The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535.

Both Well Known Ports and Registered Ports are set aside for listeners (the difference between them has to do with the level of privilege needed in various OSes to access different port numbers). It's the Dynamic ports that programs are supposed to use to connect _from_. Therefore, the only stance we can take on this based on the RFCs is that the firewall should allow connections only from 49152-65535.

Experience tells me this isn't going to work. In most OS implementations, ordinary user processes get ports above 1023 when asking for a port to call out on, and privileged processes may request the lower numbered ports. OSes without the concept of privilege obviously can't follow this model. Sounds like a pretty weak model to base a firewall rule on.

Not to mention, why exactly should you care what port the connection is coming from? Unless you can guarantee that the connection is coming from a machine you administer, there's no reason to trust any port more than any other port. Guaranteeing where the connection came from, in this context, means either strong/crypto authentication or a very small number of IPs in address ranges that the firewalls guarantee come from a particular net segment where you physically control that net segment and all the paths leading to it.

--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
christopher_calabrese () merck com
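The following is an added example, not code from Chris Calabrese or the Firewall Wizards list. It classifies port numbers into the three IANA ranges quoted in the message and then measures what the "allow only source ports 49152-65535" rule derived from the RFCs would do to ordinary client traffic, compared with the looser "any port above 1023" behaviour the message says most OSes actually exhibit. The connection records are constructed, and the non-IANA ephemeral ranges (a current Linux default and a historical BSD range) are assumptions used to illustrate how much real stacks diverge from the IANA Dynamic range; check your own hosts rather than relying on them.

```python
"""Added example: IANA port-range classification and the effect of a
source-port-based firewall rule on legitimate clients.

Only the three IANA ranges come from the post; the per-stack ephemeral
ranges and the sample connections below are constructed for illustration.
"""

from dataclasses import dataclass

# Ranges as quoted from the IANA port-numbers document in the post.
WELL_KNOWN = (0, 1023)
REGISTERED = (1024, 49151)
DYNAMIC = (49152, 65535)


def iana_range(port: int) -> str:
    """Return the IANA range name ('well-known', 'registered', 'dynamic') for a port."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= WELL_KNOWN[1]:
        return "well-known"
    if port <= REGISTERED[1]:
        return "registered"
    return "dynamic"


# Assumed default ephemeral (connect-from) ranges. 'iana-dynamic' is the range the
# post cites; the other two are assumptions about what some real stacks choose.
EPHEMERAL_RANGES = {
    "iana-dynamic": DYNAMIC,
    "linux-default": (32768, 60999),   # assumed net.ipv4.ip_local_port_range default
    "classic-bsd": (1024, 5000),       # assumed historical BSD behaviour
}


@dataclass
class Connection:
    src_ip: str
    src_port: int
    dst_port: int
    client_stack: str   # key into EPHEMERAL_RANGES (constructed label)


def dynamic_only_rule(conn: Connection) -> bool:
    """Rule the post derives from the RFCs: allow only source ports 49152-65535."""
    return DYNAMIC[0] <= conn.src_port <= DYNAMIC[1]


def above_1023_rule(conn: Connection) -> bool:
    """Rule matching what most OSes actually do: any unprivileged source port."""
    return conn.src_port > WELL_KNOWN[1]


def evaluate(conns, rule):
    """Map each source IP to True (allowed) or False (dropped) under the given rule."""
    return {c.src_ip: rule(c) for c in conns}


def false_reject_rate(conns, rule) -> float:
    """Fraction of legitimate connections (source port inside the client stack's own
    ephemeral range) that the rule would drop. This is the cost of trusting the
    source port: every drop here is a working client that stops working."""
    legit = [
        c for c in conns
        if EPHEMERAL_RANGES[c.client_stack][0] <= c.src_port <= EPHEMERAL_RANGES[c.client_stack][1]
    ]
    if not legit:
        return 0.0
    dropped = sum(1 for c in legit if not rule(c))
    return dropped / len(legit)


# Constructed sample: three ordinary DNS clients on different stacks.
SAMPLE = [
    Connection("192.0.2.10", 51234, 53, "iana-dynamic"),
    Connection("192.0.2.11", 40000, 53, "linux-default"),
    Connection("192.0.2.12", 1025, 53, "classic-bsd"),
]

if __name__ == "__main__":
    for name, rule in (("dynamic-only", dynamic_only_rule), ("above-1023", above_1023_rule)):
        verdicts = evaluate(SAMPLE, rule)
        print(f"{name}: {verdicts} false rejects: {false_reject_rate(SAMPLE, rule):.0%}")
```

Run as a script, the strict IANA rule drops two of the three legitimate clients while the above-1023 rule drops none, which is the message's first point in numbers. The second point is not something a rule can fix: a host you do not administer picks its own source port, so neither rule tells you anything about who is connecting; that is why the post falls back to authentication or physically controlled address ranges.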
Current thread:
- Re: Interesting DNS Traffic, (continued)
- Re: Interesting DNS Traffic Joseph S D Yao (Jun 02)
- Re: Interesting DNS Traffic Andrew Fessler (Jun 01)
- Re: Interesting DNS Traffic Ryan Russell (Jun 02)
- Re: Interesting DNS Traffic David Gillett (Jun 03)
- Re: Interesting DNS Traffic Vern Paxson (Jun 02)
- Re: Interesting DNS Traffic -Reply Einar EINARSSON (Jun 02)
- Re: Interesting DNS Traffic -Reply Ge' Weijers (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Einar EINARSSON (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Ge' Weijers (Jun 04)
- Re: Interesting DNS Traffic -Reply John McDermott (Jun 03)
- Re: Interesting DNS Traffic -Reply Chris Calabrese (Jun 03)