binding to privileged ports
Tomi Ollila
Tomi.Ollila at sonera.com
Tue Oct 10 16:52:30 EST 2000
Monday Oct 9 22:39:15 +0200 2000 Kevin Steves <stevesk at sweden.hp.com> wrote:
> :
> : It's a bit of a special case, but I think quite a few firewalls are
> : constructed in this way.
>
> Are you filtering connections via source port? If so, how does that
> increase the security of your firewall? The use of source port <1024 as
> a security mechanism is flawed.
Source port becomes destination port when other end sends packets to it,
and in stateless packet filtering that then blocks also returning packets
to outgoing connections. I had this problem when I had a FW that was only
meant to forward packets and not to allow incoming connections -- all
connections to ports below 1024 was disallowed. I remember asking how to
solve that problem last spring and remember Markus Friedl kindly replying
a solution of not using privileged port.
Now that I read about this having only ports < ~850 disallowed I can see
an idea behind it (hey, might even myself use it!), and like to see
solution for it, either provide a configuration option that tells what
is the lowest port to bind, or start scanning from 1023 downwards...
The lucky thing is that one can always compilile a self-patched version
of the ssh suite to fulfill one's (possibly) marginal needs.
Tomi Ollila
More information about the openssh-unix-dev
mailing list