On Mon, Oct 27, 2008 at 09:55:56PM +0100, Lennart Poettering wrote:
But dynamic ports are not new to iptables, lots of protocols, be that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom rectify the `static firewall' view.
But all those protocols start the connection with a well known port and then hand things off to a dynamic port. If you use truly random ports, then iptables needs to sense what kind of protocol something is based on the packet contents. Which security-wise is a joke, and hence the whole idea makes no sense.
And there are services that use truly random ports? E.g. w/o any handshaking or negotiation about these ports by well-defined processes? What do we have mDNS/DNS-SD/SSDP for?
Just like FTP negotiates the `truly random' ports, so do the zeroconf techniques with IPs/ports/services.
iptables/netfilter already has intelligent agents to parse the passing packages for needed dynamic firewall configuration. Just check it out, and maybe you'll rethink the netfilter project. :)
I haven't followed the latest netfilter developments, but I know there is even a userspace lib for registering such connections. Maybe RB/mDNS and friends just need a pom `plugin'.
The Linux kernel already has an API for that. It's called listen().
Cool, so any local non-privileged process could open up holes in the firewall above ports 1024 as it pleases w/o the user even noticing.
Why not remove password protection from accounts while we are at it? ;)
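As an added illustration of the conntrack-helper point made in this thread (not code posted by any of its participants): the ruleset below, in iptables-restore format, is a default-deny filter in which the FTP data connection gets through only because the nf_conntrack_ftp helper tagged it RELATED to an accepted control connection on port 21; a port some local process merely listen()s on stays closed. The 2008-era `-m state` syntax and the module name are assumptions.

```shell
#!/bin/sh
# Added example: emit a minimal default-deny ruleset that relies on the
# connection-tracking FTP helper for the dynamic (PORT/PASV) data port.
# Apply with:  modprobe nf_conntrack_ftp && sh this.sh | iptables-restore
ftp_helper_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# Replies and helper-negotiated connections: the FTP data channel is admitted
# here, and only here, because nf_conntrack_ftp parsed PORT/PASV on the
# control channel and registered the expected data connection as RELATED.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The one well-known entry point the helper watches: the FTP control port.
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Everything else, including any high port a local process listen()s on,
# hits the INPUT DROP policy.
COMMIT
EOF
}

# Review checks that inspect the generated text without touching the live firewall.
rules_have_default_drop() { ftp_helper_ruleset | grep -q '^:INPUT DROP'; }
rules_admit_related()     { ftp_helper_ruleset | grep -q 'ESTABLISHED,RELATED -j ACCEPT'; }
rules_open_no_high_port() { ! ftp_helper_ruleset | grep -q -- '--dport [1-9][0-9][0-9][0-9]'; }
```

On kernels that no longer assign helpers automatically, the control connection must first be handed to the helper with a raw-table rule such as `-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`.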