* NAT - randomize the port selection
@ 2008-08-11 14:15 Pavol Rusnak
  2008-08-20 13:24 ` Eric Leblond
  2008-08-20 15:11 ` Jan Engelhardt
  0 siblings, 2 replies; 3+ messages in thread
From: Pavol Rusnak @ 2008-08-11 14:15 UTC (permalink / raw)
  To: netfilter-devel

Hello!

Recently there was an issue identified on the DNS module about the need to 
randomize the port selection.  I'd like to know if this is already taken 
care of in the NAT modules in iptables. Could you please let me know if port 
selection is already randomized in these modules?

-- 
Best Regards / S pozdravom,

Pavol RUSNAK                                       SUSE LINUX, s.r.o
Package Maintainer                                Lihovarska 1060/12
PGP 0xA6917144                                     19000 Praha 9, CR
prusnak[at]suse.cz                                http://www.suse.cz


* Re: NAT - randomize the port selection
From: Eric Leblond @ 2008-08-20 13:24 UTC (permalink / raw)
  To: Pavol Rusnak; +Cc: netfilter-devel


Hello,

On Monday, 2008 August 11 at 16:15:24 +0200, Pavol Rusnak wrote:
> Hello!
>
> Recently there was an issue identified on the DNS module about the need to
> randomize the port selection.  I'd like to know if this is already taken
> care of in the NAT modules in iptables. Could you please let me know if port
> selection is already randomized in these modules?

Yes, an option is available since 2.6.21.

You can find some information here :
	http://software.inl.fr/trac/wiki/contribs/RandomSkype
	http://www.cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/



* Re: NAT - randomize the port selection
From: Jan Engelhardt @ 2008-08-20 15:11 UTC (permalink / raw)
  To: Pavol Rusnak; +Cc: netfilter-devel

On Monday 2008-08-11 10:15, Pavol Rusnak wrote:

> Hello!
>
> Recently there was an issue identified on the DNS module about the need to
> randomize the port selection.  I'd like to know if this is already taken care
> of in the NAT modules in iptables. Could you please let me know if port selection
> is already randomized in these modules?

If the client randomizes its source port, the NAT will obviously do the same.
Then there is --random for SNAT/MASQUERADE and others.
And now there has just been a patch merged to take some secure port number
it seems.
(http://marc.info/?l=netfilter-devel&m=121912048304189&w=2)
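As an added illustration (not part of the thread and not netfilter code), a toy Python model of the three NAT source-port behaviours discussed above: passing the client's already-randomized port through, handing out translated ports sequentially, and picking them at random as SNAT/MASQUERADE --random does. The ToyNat class, the port range and the "predictable from the previous query" metric are constructed assumptions for the simulation only.

```python
import random

# Constructed toy model: a NAT that rewrites the source port of every
# outgoing DNS query.  Port range is an assumption, not a kernel default.
EPHEMERAL_LO, EPHEMERAL_HI = 32768, 61000


class ToyNat:
    """Three port-selection policies for the translated (external) port."""

    def __init__(self, mode, rng):
        self.mode = mode          # "preserve", "sequential" or "random"
        self.rng = rng
        self.next_port = EPHEMERAL_LO

    def translate(self, client_port):
        if self.mode == "preserve":
            # Jan's point: if the client randomizes and the NAT keeps the
            # client's port, the external port is randomized as well.
            return client_port
        if self.mode == "sequential":
            # A NAT that ignores the client's choice and counts upwards
            # throws the client's randomization away.
            port = self.next_port
            self.next_port = EPHEMERAL_LO if port >= EPHEMERAL_HI else port + 1
            return port
        if self.mode == "random":
            # Behaviour the --random option is meant to give.
            return self.rng.randint(EPHEMERAL_LO, EPHEMERAL_HI)
        raise ValueError(self.mode)


def guess_success_rate(mode, queries=1000, seed=1):
    """Fraction of queries whose external port equals the previous port + 1,
    i.e. how often an observer could predict the next port from the last."""
    nat = ToyNat(mode, random.Random(seed))
    client_rng = random.Random(seed + 1)   # the client randomizes its port
    hits, prev = 0, None
    for _ in range(queries):
        ext = nat.translate(client_rng.randint(EPHEMERAL_LO, EPHEMERAL_HI))
        if prev is not None and ext == prev + 1:
            hits += 1
        prev = ext
    return hits / queries


if __name__ == "__main__":
    for mode in ("preserve", "sequential", "random"):
        print(f"{mode:10s} predictable: {guess_success_rate(mode):.3f}")
```

A sequential NAT makes almost every port predictable even though the client randomizes; the preserve and --random policies keep the predictability near zero.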

