tech-net archive


Re: Source port randomisation on NetBSD?



On Mar 16, 3:30pm, Stephane Bortzmeyer wrote:
} On Sun, Oct 24, 2010 at 07:28:30PM +0200,
}  Geert Hendrickx <ghen%telenet.be@localhost> wrote 
}  a message of 25 lines which said:
} 
} > ipfilter/ipnat can do source port randomisation on NetBSD (since the
} > Kaminsky DNS issue).
} 
} I must confess it is a bit terse to me. Does it mean that you need to
} enable the firewall on the NetBSD machine, and scramble packets which
} were generated with a predictable port number? It seems odd. (Unless
} you refer only to NetBSD-as-a-router, while I was talking about
} NetBSD-as-a-host.)

     This would be more NetBSD-as-a-router.

} Also, ipnat(8) and ipnat(5), on a 5.0.1 machine, do not seem to
} explain about how to do it (and Google was not my friend here).

     If you're using ipnat, you don't need to do anything.  It's
automatic on NetBSD 4.0.1 or later.

NOTE: I believe that all reasonably recent versions of named
automatically use port randomisation.  Beyond this, I don't know what
real world benefits port randomisation brings, if any, for the vast
majority of hosts.  ipnat was changed to do port randomisation because
otherwise it would have turned named queries into sequential ports when
named was behind NetBSD-as-a-router.

}-- End of excerpt from Stephane Bortzmeyer
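The reason given above for the ipnat change (a router that hands out external ports in sequence turns a resolver's own randomised source ports back into a predictable series on the outside) is easy to see in code. What follows is an added illustration, not code from this thread, from ipfilter or from NetBSD: a toy sequential and a toy randomised NAT port allocator in Python, a simulated resolver that already randomises its ports, and two small checks one can run over the source ports observed on the outside interface of a router. The class and function names (SequentialNat, RandomisedNat, is_predictable, guess_success, compare), the address 192.0.2.10 and the port ranges are my own constructed values.

```python
"""Added example: how a sequential NAT port allocator undoes a resolver's
source-port randomisation, and a check for it. Not ipfilter/ipnat code."""
import random


class SequentialNat:
    """Toy NAT that maps each new flow to the next free external port
    (the behaviour the post says ipnat had before it was changed)."""

    def __init__(self, first=10000):
        self.next_port = first
        self.table = {}          # (inside ip, inside port) -> outside port

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.table[key]


class RandomisedNat:
    """Toy NAT that picks an unused external port at random per new flow."""

    def __init__(self, low=1024, high=65535, rng=None):
        self.rng = rng or random.SystemRandom()
        self.low, self.high = low, high
        self.table = {}
        self.in_use = set()

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.table:
            while True:
                port = self.rng.randint(self.low, self.high)
                if port not in self.in_use:
                    break
            self.in_use.add(port)
            self.table[key] = port
        return self.table[key]


def resolver_queries(n, rng):
    """Simulated resolver behind the router that already randomises its
    source ports (distinct ports, so every query is a new NAT flow).
    192.0.2.10 is a constructed sample address."""
    ports = rng.sample(range(1024, 65536), n)
    return [("192.0.2.10", p) for p in ports]


def external_ports(nat, queries):
    """Ports an observer on the outside of the router would see."""
    return [nat.translate(ip, port) for ip, port in queries]


def is_predictable(ports, max_step=1):
    """Heuristic: every observed port is the previous one plus at most
    max_step, i.e. the allocator is handing ports out in sequence."""
    diffs = [b - a for a, b in zip(ports, ports[1:])]
    return all(0 < d <= max_step for d in diffs)


def guess_success(ports, guesses=64):
    """Fraction of queries whose port an attacker hits by trying the
    `guesses` ports just above the port seen for the previous query."""
    hits = sum(1 for prev, cur in zip(ports, ports[1:])
               if prev < cur <= prev + guesses)
    return hits / (len(ports) - 1)


def compare(n=50, seed=7):
    """Run the same randomised resolver through both NATs (seeded so the
    result is reproducible) and return the outside-visible ports."""
    queries = resolver_queries(n, random.Random(seed))
    return {
        "sequential": external_ports(SequentialNat(first=10000), queries),
        "randomised": external_ports(
            RandomisedNat(rng=random.Random(seed + 1)), queries),
    }


if __name__ == "__main__":
    for name, ports in compare().items():
        print(name, "predictable:", is_predictable(ports),
              "guess hit rate:", round(guess_success(ports), 3),
              "first ports:", ports[:5])
```

To check a real router rather than the toy, capture the UDP source ports of the resolver's outgoing queries on the outside interface (tcpdump on the external side will do) and feed that list to is_predictable and guess_success: a guess hit rate near 1.0 means the allocator is sequential and the resolver's own randomisation is being thrown away, which is exactly the situation the post describes ipnat being fixed for.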

