[LINK] OT(?) UDP above port 32767
Chris Maltby
chris at sw.oz.au
Wed Feb 7 15:19:18 AEDT 2007
On Tue, Feb 06, 2007 at 06:13:24PM -0800, Glen Turner wrote:
> You'll often see outgoing firewall rules which try to prevent
> unauthorised servers on a host -- so if it is compromised the
> bot has difficulty getting commands from the bot master. These
> might code the ephemeral port range for that particular machine
> (since the OS is known, the convention is known). Having a rule
> covering all machines is rather difficult because of the wide
> range of operating system conventions, which is a problem if you
> are trying to control peer-to-peer traffic.
>
> Since the ephemeral ports are merely a convention, I'm not
> sure there would be any safe use on an incoming firewall
> rule unless it is to an FTP server (which should be in the
> DMZ anyway). I suppose you could deny all incoming connections
> to them, but that is merely a special case of denying all
> unknown incoming connections.
It's worth noting that the packet filtering stuff in OpenBSD has
remote OS detection stuff built in (not that it can be relied on).
You can, in theory, build rulesets which can filter based on whether
the remote port number is ephemeral - noting the above caveats.
Chris
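As an added illustration of the ruleset Chris sketches (this fragment is not from his post or the list), a pf.conf excerpt that admits a new inbound TCP connection only when the client's source port lies in the ephemeral range its fingerprinted OS would normally use. The interface name, server address, OS class names and per-OS port ranges are assumptions to be checked against /etc/pf.os and the client systems actually in use; since pf's passive fingerprinting inspects only TCP SYNs, the rules say nothing about the UDP traffic in the subject line.

```conf
# Illustrative pf.conf fragment (assumed values throughout; not from the post).
ext_if = "em0"                 # assumed external interface
srv    = "192.0.2.10"          # assumed server address (RFC 5737 documentation range)

# Conventional ephemeral (client-side) port ranges by OS family. These are
# assumptions: the defaults differ between OS versions and are tunable, so
# verify them on the hosts you expect to see.
linux_eph   = "32768:60999"
win_eph     = "49152:65535"
openbsd_eph = "1024:49151"

# Default deny for new inbound connections; everything below is an exception.
block in log on $ext_if

# pf fingerprints the OS from the TCP SYN ("os" keyword, classes from pf.os).
# Only accept the SYN if the source port also matches that OS's ephemeral
# range; a mismatch is either an unusual stack or a crafted packet and stays
# blocked (and logged) by the rule above.
pass in on $ext_if proto tcp from any port $linux_eph   os "Linux"   \
    to $srv port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any port $win_eph     os "Windows" \
    to $srv port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any port $openbsd_eph os "OpenBSD" \
    to $srv port 80 flags S/SA keep state
```

Clients whose fingerprint is unknown to pf.os match none of the pass rules and are dropped, so expect to tune the list against `pfctl -s rules -v` hit counters and the log before relying on it.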