Re: DNS and NAT (was: DNS and CheckPoint)
From: Ryan McBride <mcbride () openbsd org>
Date: Wed, 16 Jul 2008 16:07:21 +0900
Someone just drew my attention to this thread.
On Thu, Jul 10, 2008 at 07:41:32PM -0400, Thomas Cross wrote:
> We've also been wondering whether NAT devices ought to randomly assign
> UDP source ports, although no NAT vendor that we're aware of has done
> this to date.
OpenBSD's packet filter, pf (also available in the other BSDs and a
number of commercial products based on them), randomizes the source port
by default for all NATed TCP and UDP connections using an rc4-based
pseudo-random number generator, and has done so since 2000.
We've been suggesting for quite some time that everyone randomize source
ports (among other network values) wherever possible. Will the holdout
vendors finally start doing this, or will they wait for yet another
vulnerability that can be mitigated by it?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
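The message above says pf randomizes NAT source ports while other vendors do not, and asks whether the holdouts will follow. The practical question for an operator is how to tell which kind of NAT sits in front of a resolver. The following is an added example, not code from this thread, from OpenBSD or from pf: it parses tcpdump-style lines captured on the outside of the NAT, classifies the observed UDP source ports as fixed, sequential or randomized, and puts a number on what the difference means to an attacker who has to guess the (transaction ID, port) pair. The tcpdump lines, the addresses and the two small NAT models are constructed for illustration; the thresholds in classify() are heuristics chosen here, not anything the thread specifies.

```python
"""Is the NAT in front of a resolver randomizing UDP source ports?

Usage: capture outbound DNS on the outside interface of the NAT, e.g.
    tcpdump -n udp and dst port 53
feed the lines to parse_udp_sources(), then call classify() on the ports.
Everything below is an added example; the sample lines are constructed.
"""
import random
import re

# Matches "IP <src>.<sport> > <dst>.53:" in tcpdump -n output (assumed format).
_UDP_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53:")

# Constructed capture: a NAT handing out consecutive ports (RFC 5737 addresses).
SAMPLE_SEQUENTIAL = [
    "12:00:01.000 IP 203.0.113.5.1025 > 198.51.100.53.53: 1+ A? a.example. (27)",
    "12:00:01.010 IP 203.0.113.5.1026 > 198.51.100.53.53: 2+ A? b.example. (27)",
    "12:00:01.020 IP 203.0.113.5.1027 > 198.51.100.53.53: 3+ A? c.example. (27)",
    "12:00:01.030 IP 203.0.113.5.1028 > 198.51.100.53.53: 4+ A? d.example. (27)",
    "12:00:01.040 IP 203.0.113.5.1029 > 198.51.100.53.53: 5+ A? e.example. (27)",
]


def parse_udp_sources(lines):
    """Return the outside-facing source ports found in tcpdump-style lines."""
    return [int(m.group(2)) for m in map(_UDP_LINE.search, lines) if m]


class SequentialNat:
    """Toy model of the predictable policy: ports handed out in order."""

    def __init__(self, first=1024):
        self.next_port = first

    def translate(self, inside_port):
        port = self.next_port
        self.next_port = 1024 if port == 65535 else port + 1
        return port


class RandomizedNat:
    """Toy model of the pf-style policy: each new mapping gets a PRNG-chosen
    free port.  A seed gives a reproducible sequence for testing; without one
    the OS CSPRNG is used."""

    def __init__(self, seed=None, lo=1024, hi=65535):
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.lo, self.hi = lo, hi
        self.in_use = set()

    def translate(self, inside_port):
        while True:
            port = self.rng.randint(self.lo, self.hi)
            if port not in self.in_use:   # skip ports with a live mapping
                self.in_use.add(port)
                return port


def port_stats(ports):
    """Summarise how predictable a sequence of observed source ports is."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    return {
        "samples": len(ports),
        "distinct": len(set(ports)),
        "span": max(ports) - min(ports) + 1,
        # share of consecutive observations that advanced by +1 or +2
        "step_fraction": sum(1 for d in deltas if 0 < d <= 2) / len(deltas),
    }


def classify(ports):
    """Heuristic verdict: 'fixed', 'sequential', 'randomized' or 'undetermined'.
    A 'randomized' verdict only says the ports are not obviously predictable
    from a small sample; it is not a test of PRNG quality."""
    s = port_stats(ports)
    if s["distinct"] == 1:
        return "fixed"
    if s["step_fraction"] >= 0.8:
        return "sequential"
    if s["distinct"] >= 0.9 * s["samples"] and s["span"] >= 10000:
        return "randomized"
    return "undetermined"


def attacker_guesses(port_candidates):
    """Spoofed answers needed to cover every (16-bit TXID, port) pair the
    attacker cannot rule out.  A fixed or predicted port leaves 1 candidate."""
    return 65536 * port_candidates


if __name__ == "__main__":
    seq = parse_udp_sources(SAMPLE_SEQUENTIAL)
    print("capture:", seq, "->", classify(seq), "guesses:", attacker_guesses(1))
    nat = RandomizedNat(seed=1)
    rnd = [nat.translate(53) for _ in range(200)]
    print("randomized NAT model ->", classify(rnd),
          "guesses:", attacker_guesses(65535 - 1024 + 1))
```

A few hundred observed ports are enough to separate the three cases; a NAT that reuses one port per inside host, or walks upward by one, hands the attacker a 16-bit search space regardless of what the resolver behind it does, which is why the randomization has to happen at the NAT itself.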