Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: DNS and NAT (was: DNS and CheckPoint)
From: Ryan McBride <mcbride () openbsd org>
Date: Wed, 16 Jul 2008 16:07:21 +0900

Someone just drew my attention to this thread.

On Thu, Jul 10, 2008 at 07:41:32PM -0400, Thomas Cross wrote:
   We?ve also been wondering whether NAT devices ought to randomly assign
   UDP source ports, although no NAT vendor that we?re aware of has done
   this to date. 

OpenBSD's packet filter, pf (also available in the other BSDs and a
number of commercial products based on them), randomizes the source port
by default for all NATed TCP and UDP connections using an rc4-based
pseudo-random number generator, and has done so since 2000.

We've been suggesting for quite some time that everyone randomize source
ports (among other network values) wherever possible.  Will the holdout
vendors finally start doing this, or will they wait for yet another
vulnerability that can be mitigated by it?


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]