Hi,
At 13:13 21/06/01 +0200, Reckhard, Tobias wrote:
> > > There is a notion that source ports above 1023 are 'safer' than those
> > > up to there. This is due to the fact that in UNIX only root may use
> > > those ports.
> >
> > You got it just the wrong way around; ports _below_ 1024 are root-only.
> > The rest are free-for-all. Or did I misunderstand you?
> >
> No, I mucked that up. You are right, only root may use ports 1-1023. However,
> that seems to be the notion behind trusting source ports above 1023 more
> than those that are accessible only to root.
Yes, the reason is not the root access (otherwise, it would be the opposite! One
trusts privileged ports more than others. This is what rsh/rlogin/* do, for
example).
The fact that people allow access to ports higher than 1024 has to do with the
fact that replies to legitimate packets (generally) go to such ports. More
precisely, they go to ephemeral ports, which are generally those in the range
1024-5000 (some systems may change this, and admins may change them too).
> The only place I can see that making any sense is in a LAN of UNIX machines
> with a single root password, but maybe I'm not imaginative enough. Anyhow,
> thanks for correcting what I said, that was a slip-up.
In absolute terms, allowing access to any port (except some specific ones) is
a risk. With static filters, however, there is no way to allow responses to
legitimate packets, so the solution is to allow packets going to the source
ports of these legitimate packets, and in general these are ephemeral ports,
and are thus in the range 1024-5000. The feeling of security is that if
someone tries to exploit, say, port 1234, then he must have a trojan listening
on this port. This is still possible, but the only solution is to use a dynamic
filter (one that "remembers" legitimate packets so that it can allow
responses) or proxies.
[snip]
cheers,
mouss
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
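The contrast mouss draws between a static filter that trusts inbound packets aimed at the ephemeral range and a dynamic filter that remembers legitimate packets can be made concrete with a small simulation. The following is an added example written for this page, not code from the original message or from any firewall product; the addresses, port numbers and traffic are constructed, and the 1024-5000 range is taken from the thread (real systems vary).

```python
# Added example (not from the original message): a toy model of the two
# filtering strategies contrasted in the thread. A static filter trusts inbound
# packets aimed at the ephemeral range 1024-5000 because replies normally land
# there; a dynamic (stateful) filter instead remembers outbound packets and
# admits only their mirror-image replies. All addresses and traffic are constructed.
from dataclasses import dataclass

# Ephemeral range quoted in the thread (the classic BSD default; many systems differ).
EPHEMERAL = range(1024, 5001)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = from the protected LAN, "in" = from the Internet


def static_filter(pkt: Packet) -> bool:
    """Stateless rule set: anything outbound passes; inbound passes only if the
    destination port is ephemeral, i.e. it merely *looks like* a reply."""
    if pkt.direction == "out":
        return True
    return pkt.dport in EPHEMERAL


class StatefulFilter:
    """Dynamic filter: remembers the 4-tuple of every outbound packet and admits
    an inbound packet only if it reverses a remembered tuple."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def __call__(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # For a reply, the remote side is now the source and our host the destination.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Constructed traffic: a legitimate web request, its reply, an unsolicited probe
# of the same ephemeral port from a third party, and a probe of a privileged port.
TRAFFIC = [
    ("request", Packet("10.0.0.5", 1234, "192.0.2.10", 80, "out")),
    ("reply", Packet("192.0.2.10", 80, "10.0.0.5", 1234, "in")),
    ("probe_1234", Packet("198.51.100.7", 31337, "10.0.0.5", 1234, "in")),
    ("probe_22", Packet("198.51.100.7", 31337, "10.0.0.5", 22, "in")),
]


def run(filter_fn) -> dict[str, bool]:
    """Feed the traffic through a filter in order and record each verdict."""
    return {name: filter_fn(pkt) for name, pkt in TRAFFIC}


def static_verdicts() -> dict[str, bool]:
    return run(static_filter)


def stateful_verdicts() -> dict[str, bool]:
    return run(StatefulFilter())


if __name__ == "__main__":
    for label, verdicts in (("static", static_verdicts()), ("stateful", stateful_verdicts())):
        print(label, verdicts)
```

Both filters pass the request and its reply and block the probe of port 22. The difference is "probe_1234": the static filter admits it, because an inbound packet to an ephemeral port is indistinguishable from a reply without remembering what went out, which is exactly the window a listener planted on that port would use. The stateful filter rejects it because no outbound packet from 10.0.0.5:1234 to 198.51.100.7:31337 was ever recorded.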