Re: firewall question...
>>>>> "PB" == Peter Billson <firstname.lastname@example.org> writes:
PB> Paranoia. Generally accepted practice when setting up a
PB> firewall is to be as restrictive as possible without breaking
PB> things, that includes restricting the originating ports.
I don't see what you can gain by this though.
PB> example I want to give people access to port 80 but if someone
PB> is trying to connect to port 80 from port 25 their system is
PB> either broken or they are attempting to do something that you
PB> probably don't want them to do.
How is this any different than people connecting from any port that
has an IANA registered purpose for a server? I think I understand
what you are saying, but I don't see the fundamental difference
between port 25 and, say, 6001. These only have meanings when
something is listening on them, not as source ports.
PB> There is no good reason to
PB> allow that connection. Thanks for the Windows info but I
PB> don't understand how they can not have the "notion" of
PB> privileged ports?
Hmm. Well they don't. In the 95/98/etc range there's no 'root'
to have the privilege. I am unsure if NT variants require some
admin privileges to use these ports. All AFAIK, but I've seen
95 use < 1024 ports for TCP.
PB> Aren't "privileged" ports just generally
PB> accepted port assignments? And I'm not sure that Windows is a
PB> *good* reason! :-)
You probably cannot avoid talking to Windows, and in this case they
are not breaking any protocols. The logical conclusion of what you are
suggesting would be to only accept connections coming from IANA's
ephemeral port range (49XXX onwards), in which case you cannot talk to
most Unices and Linux either.
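Added illustration (not part of the original thread or either poster's
words): a small model of the three source-port policies under discussion,
run over a constructed sample of client connections, to show what each
policy actually rejects. The port ranges for Linux and legacy Windows are
assumptions stated in the comments, and the platform labels on the sample
connections are made up for the example.

```python
# Added example: compare "allow dst 80" firewall policies that differ only in
# which *source* ports they accept. None of this is from the original posts.

IANA_EPHEMERAL = range(49152, 65536)            # IANA dynamic/private range
LINUX_DEFAULT_EPHEMERAL = range(32768, 61000)   # assumed: Linux default ip_local_port_range
WIN_LEGACY_EPHEMERAL = range(1024, 5001)        # assumed: pre-Vista Windows default range


def allow_any_source(sport, dport):
    """Plain 'allow inbound to port 80' with no source-port condition."""
    return dport == 80


def allow_unprivileged_source(sport, dport):
    """The 'no privileged source ports' variant: rejects sport < 1024."""
    return dport == 80 and sport >= 1024


def allow_iana_ephemeral_source(sport, dport):
    """The extreme end of the argument: only IANA ephemeral source ports."""
    return dport == 80 and sport in IANA_EPHEMERAL


# Constructed sample of connection attempts: (platform label, sport, dport).
ATTEMPTS = [
    ("linux-curl", 40211, 80),   # typical Linux ephemeral port, below 49152
    ("linux-curl", 55120, 80),   # Linux ephemeral port inside the IANA range
    ("win95", 1027, 80),         # legacy Windows ephemeral port
    ("win95", 700, 80),          # the "< 1024 source port" behaviour mentioned above
    ("odd-client", 25, 80),      # source port 25 -> dst 80, the case in the quote
    ("modern-win", 51234, 80),   # Vista+ style ephemeral port
]


def evaluate(policy, attempts=ATTEMPTS):
    """Return the (platform, sport) pairs that `policy` would reject."""
    return [(p, s) for p, s, d in attempts if not policy(s, d)]


def fraction_of_range_rejected(policy, client_range):
    """Fraction of a client's ephemeral range that `policy` refuses for dst 80."""
    rejected = sum(1 for s in client_range if not policy(s, 80))
    return rejected / len(client_range)


if __name__ == "__main__":
    for policy in (allow_any_source, allow_unprivileged_source,
                   allow_iana_ephemeral_source):
        print(policy.__name__, "rejects:", evaluate(policy))
        print("  share of Linux ephemeral range rejected: %.2f"
              % fraction_of_range_rejected(policy, LINUX_DEFAULT_EPHEMERAL))
        print("  share of legacy Windows range rejected:  %.2f"
              % fraction_of_range_rejected(policy, WIN_LEGACY_EPHEMERAL))
```

The "unprivileged only" policy is what an iptables rule such as
`-p tcp --dport 80 --sport 1024:65535 -j ACCEPT` expresses; the
"IANA ephemeral only" policy would use `--sport 49152:65535` instead.
Running the model shows the cost the reply describes: the stricter
policy refuses a bit over half of the assumed Linux ephemeral range and
all of the assumed legacy Windows range, while only the source-port 25
case and the sub-1024 Windows case are touched by the milder rule.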