
Re: allowing anybody to bind low ports



Oops, I meant to group-reply but didn't.  (Fake reply)

On Wed, Feb 25, 1998 at 01:05:40PM -0500, Matthew E. Patton wrote:
> It's for a firewall machine. Has no user accounts except an operator and is
> basically a packet filter, protocol proxy and DNS host. It doesn't handle mail
> as yet and I'm not sure it will ever. I intend to propagate the same kernel to

I disagree with the idea of having a firewall handle other services.  The
purpose of a firewall is to filter, allow, deny, and log requests to things
both on the inside and outside.  Having other services running on the firewall
degrades the security and increases the likelihood of having a chance to break
in.  But anyway...

> another machine that serves as nntp and web server likewise with no user
> accounts. Is this a smart thing to do?

I don't think so.  Especially if you're running services on the machine.  If
someone broke into the machine and had complete access to ports <=1024,
they could run their *own* daemon on any port they wanted.  They could sit
on port 53 and block all DNS requests, sit on 25 and read everyone's mail, etc.

And especially since you're also using the machine as a proxy, you don't want
to do this.  You've got a proxy server listening on port 23 or 21 or whatever
that anyone with access to the machine can replace with their own daemon that
transparently logs and passes all traffic.  It would be fairly trivial to
modify squid to do something like this.

Scott

-- 
scott_(_at_)_storm:~$ cat .signature
Scott Smith
scott_(_at_)_lackluster_(_dot_)_net
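The post argues that whoever can bind privileged ports can plant their own daemon on 53, 25, or a proxy port. One defensive check that follows from that is to periodically list LISTEN sockets on ports below 1024 and compare them with what the host is supposed to run. The script below is an added example (not part of Scott's post or any project named in the thread); it parses Linux /proc/net/tcp text and assumes a hypothetical allowlist of port -> owner uid pairs for a firewall/DNS host. The sample table is constructed for the demo.

```python
"""Audit TCP listeners on privileged ports (< 1024) against an allowlist.

Reads /proc/net/tcp-style text (Linux), keeps LISTEN sockets whose local port
is below 1024, and flags any that is not on the expected (port -> owner uid)
list. Intended as a periodic check on a host such as the firewall/DNS box in
the thread. Added example; the allowlist and sample data are constructed.
"""
import os
import sys

PRIVILEGED_MAX = 1024   # ports below this need root (or CAP_NET_BIND_SERVICE) on Linux
TCP_LISTEN = "0A"       # socket state code for LISTEN in /proc/net/tcp

# Hypothetical allowlist for a firewall + DNS host: port -> uids allowed to own it.
EXPECTED_LISTENERS = {
    22: {0},   # sshd, run as root
    53: {0},   # DNS server, run as root (use its dedicated uid if it drops privileges)
}

# Constructed /proc/net/tcp excerpt: rows 0 and 1 are expected listeners,
# row 2 is a uid-1001 daemon on port 25, row 3 is a uid-1001 daemon on
# 127.0.0.1:53, row 4 is an unprivileged port, row 5 is an ESTABLISHED socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0 100 0 0 10 0
   2: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 10003 1 0 100 0 0 10 0
   3: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 10004 1 0 100 0 0 10 0
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 10005 1 0 100 0 0 10 0
   5: 0A000001:0035 0A000002:C3B4 01 00000000:00000000 00:00000000 00000000     0        0 10006 1 0 100 0 0 10 0
"""


def hex_addr(field):
    """Convert '0100007F:0035' (little-endian hex IPv4 + hex port) to ('127.0.0.1', 53)."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)][::-1]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_tcp_table(text):
    """Parse /proc/net/tcp text into a list of (ip, port, state, uid) tuples."""
    rows = []
    for line in text.splitlines()[1:]:   # first line is the column header
        parts = line.split()
        if len(parts) < 8:
            continue
        ip, port = hex_addr(parts[1])    # parts[3] = state, parts[7] = owning uid
        rows.append((ip, port, parts[3], int(parts[7])))
    return rows


def audit_privileged_listeners(rows, expected=EXPECTED_LISTENERS):
    """Return findings for LISTEN sockets below 1024 that are not on the allowlist."""
    findings = []
    for ip, port, state, uid in rows:
        if state != TCP_LISTEN or port >= PRIVILEGED_MAX:
            continue
        if port not in expected:
            findings.append({"ip": ip, "port": port, "uid": uid,
                             "reason": "port not in allowlist"})
        elif uid not in expected[port]:
            findings.append({"ip": ip, "port": port, "uid": uid,
                             "reason": "unexpected owner uid"})
    return findings


if __name__ == "__main__":
    # Use a path given on the command line, else the live table, else the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/tcp"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    for f in audit_privileged_listeners(parse_tcp_table(text)):
        print("%s:%d owned by uid %d: %s" % (f["ip"], f["port"], f["uid"], f["reason"]))
```

Run against the sample it reports the port-25 listener (not allowlisted) and the 127.0.0.1:53 listener (wrong owner) while ignoring the port-8080 socket and the established connection. On a real host the interesting case is the second one: a listener on an expected port but under an unexpected uid is exactly the "replace the daemon with your own" scenario the post describes.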