Subject: Re: bind (was: Is my ipfilter list secure?)
To: None <netbsd-users@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 04/30/2002 12:35:44
[ On Tuesday, April 30, 2002 at 05:44:18 (+0000), Jim Breton wrote: ]
> Subject: Re: bind (was: Is my ipfilter list secure?)
>
> Wouldn't one be better off just using the randomly-selected source port
> and ipf's stateful filtering?
If I'm not mistaken the source port is not randomly selected per query.
It's randomly selected per named instance. This is because with a
connection-less protocol in the world of sockets it's necessary to
listen on the source port for replies. You wouldn't want your named
process to be listening on a random selection of ports for the duration
of a given set of queries, would you? I know I wouldn't! :-)
With connection-less protocols like DNS queries I personally think it's
better to always use the same source and destination port. This makes
it much easier to manage the traffic, at least in my experience with
relatively simple stateful packet filters such as IP Filter. It also
seems to make it easier to diagnose problems and to analyze on-wire
traffic. Finally it makes it easier to prove that the 'named' process
isn't listening on any weird random port for no good reason.... :-)
--
Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
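The two positions in this exchange, written out as an IP Filter ruleset; this is an added illustration, not configuration from either poster or from the BIND project. Variant A is the fixed 53-to-53 source port Greg prefers, Variant B the per-instance ephemeral port Jim raises, and in both cases `keep state` is what admits a reply only when it matches an outstanding query. Assumed (not from the thread): the resolver address 192.0.2.53 and LAN 192.0.2.0/24 are constructed, the external interface is fxp0.

```conf
# named.conf fragment for Variant A (BIND query-source option): queries
# leave from UDP port 53 instead of an ephemeral port picked at startup.
#
#   options {
#       query-source address * port 53;
#   };

# IP Filter rules (first matching 'quick' rule wins; packets that match
# an existing state entry are accepted before any rule is consulted).

# Clients on the LAN may query the resolver; the state entry made here
# lets the answers flow back out without a separate 'pass out' rule.
pass in quick on fxp0 proto udp from 192.0.2.0/24 to 192.0.2.53 port = 53 keep state

# Everything else inbound over UDP to the resolver is unsolicited: drop it.
block in quick on fxp0 proto udp from any to 192.0.2.53

# Variant A: fixed source port, 53 -> 53. One predictable 4-tuple, so the
# rule and the state entry are easy to read off a packet capture, and the
# filter admits a reply only from the server just queried, on port 53.
pass out quick on fxp0 proto udp from 192.0.2.53 port = 53 to any port = 53 keep state

# Variant B: ephemeral source port chosen once per named instance. There
# is no fixed port to name in the rule; 'keep state' still admits only the
# replies that match an outstanding query, whatever port the kernel chose.
# pass out quick on fxp0 proto udp from 192.0.2.53 port > 1023 to any port = 53 keep state
```

Load with `ipf -Fa -f /etc/ipf.conf` and compare `ipfstat -sl` against a capture of the resolver's outbound queries to confirm the state entries carry the ports you expect.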