Firewall Wizards mailing list archives

Re: Interesting DNS Traffic -Reply


From: Chris Calabrese <christopher_calabrese () merck com>
Date: Thu, 03 Jun 1999 09:46:14 -0400

Here's what the IANA
(http://www.isi.edu/in-notes/iana/assignments/port-numbers) has to say
on the subject:

     The port numbers are divided into three ranges: the Well Known
     Ports, the Registered Ports, and the Dynamic and/or Private Ports.

     The Well Known Ports are those from 0 through 1023.

     The Registered Ports are those from 1024 through 49151.

     The Dynamic and/or Private Ports are those from 49152 through
     65535.

Both Well Known Ports and Registered Ports are set aside for listeners
(the difference between them has to do with the level of privilege
needed in various OSes to access different port numbers).  It's the
Dynamic ports that programs are supposed to use to connect _from_.
Therefore, the only stance we can take on this based on the RFCs is
that the firewall should allow connections only from 49152-65535.
Experience tells me this isn't going to work.

In most OS implementations, ordinary user processes get ports above 1023
when asking for a port to call out on, and privileged processes may
request the lower numbered ports.  OSes without the concept of privilege
obviously can't follow this model.  Sounds like a pretty weak model to
base a firewall rule on.

Not to mention, why exactly should you care what port the connection is
coming from?  Unless you can guarantee that the connection is coming
from a machine you administer, there's no reason to trust any port more
than any other port.  Guaranteeing where the connection came from, in
this context, means either strong/crypto authentication or a very small
number of IPs in address ranges that the firewalls guarantee come from
a particular net segment where you physically control that net segment
and all the paths leading to it.

--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
christopher_calabrese () merck com
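The following is an added example, not code from the post or the mailing list, that puts numbers on the argument above: it classifies ports by the three IANA ranges quoted in the post, then measures how much of an operating system's default outbound (ephemeral) port range a firewall rule of "allow only source ports 49152-65535" would drop. The per-OS ephemeral ranges in `OS_EPHEMERAL_RANGES` are assumptions supplied for the example (Linux's default from `/proc/sys/net/ipv4/ip_local_port_range`, the range used by pre-Vista Windows, and the range used by macOS and later Windows), as are the sample connection records and the `trusted_origin` helper, which illustrates the post's closing point that origin trust rests on an administered address range rather than on the source port.

```python
"""Evaluate a source-port-based firewall rule against the ephemeral port
ranges that real operating systems hand to outbound connections."""

import ipaddress
from collections import Counter

# IANA port ranges exactly as quoted in the post (inclusive bounds).
IANA_RANGES = (
    ("well-known", 0, 1023),
    ("registered", 1024, 49151),
    ("dynamic", 49152, 65535),
)

# The strict rule the post derives from the IANA text: only Dynamic-range
# source ports are admitted through the firewall.
DYNAMIC_ONLY = (49152, 65535)

# Default ephemeral (outbound source-port) ranges, supplied as assumptions
# for this example rather than taken from the post:
#   linux           - /proc/sys/net/ipv4/ip_local_port_range default
#   legacy-windows  - pre-Vista Windows default
#   modern          - macOS and Vista-and-later Windows default
OS_EPHEMERAL_RANGES = {
    "linux": (32768, 60999),
    "legacy-windows": (1025, 5000),
    "modern": (49152, 65535),
}


def iana_class(port: int) -> str:
    """Return the IANA range name ('well-known', 'registered', 'dynamic')."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    for name, lo, hi in IANA_RANGES:
        if lo <= port <= hi:
            return name
    raise AssertionError("unreachable: ranges cover 0..65535")


def source_port_allowed(src_port: int, allowed=DYNAMIC_ONLY) -> bool:
    """True if the source port passes the allow-only-dynamic rule."""
    lo, hi = allowed
    return lo <= src_port <= hi


def fraction_blocked(os_name: str, allowed=DYNAMIC_ONLY) -> float:
    """Share of an OS's default ephemeral range that the rule would drop."""
    lo, hi = OS_EPHEMERAL_RANGES[os_name]
    total = hi - lo + 1
    blocked = sum(1 for p in range(lo, hi + 1)
                  if not source_port_allowed(p, allowed))
    return blocked / total


# Constructed sample: first, middle and last port of each OS's range, as a
# stand-in for connection records a firewall log would actually contain.
SAMPLE_CONNECTIONS = [
    (name, p)
    for name, (lo, hi) in OS_EPHEMERAL_RANGES.items()
    for p in (lo, (lo + hi) // 2, hi)
]


def evaluate(connections, allowed=DYNAMIC_ONLY) -> Counter:
    """Tally (os_name, verdict) pairs for (os_name, src_port) records."""
    verdicts = Counter()
    for os_name, port in connections:
        verdict = "allowed" if source_port_allowed(port, allowed) else "blocked"
        verdicts[(os_name, verdict)] += 1
    return verdicts


def trusted_origin(src_ip: str, trusted_nets) -> bool:
    """Origin trust decided by membership in an administered address range;
    the source port plays no part in the decision (hypothetical helper)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


if __name__ == "__main__":
    for os_name in OS_EPHEMERAL_RANGES:
        print(f"{os_name:15s} rule blocks {fraction_blocked(os_name):.0%} "
              f"of its default ephemeral range")
    for key, count in sorted(evaluate(SAMPLE_CONNECTIONS).items()):
        print(key, count)
```

Running the block shows the rule dropping every outbound connection from the legacy Windows range and a little over half of the Linux range, while passing the whole modern range: the same rule is either useless or harmful depending on which operating system sits behind it, which is the practical content of "experience tells me this isn't going to work."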
