Re: solution time for www/smtp hole
William C Fenner <fenner@herman.cmf.nrl.navy.mil>
Message-id: <9308131621.AA00513@herman.cmf.nrl.navy.mil>
To: www-talk@nxoc01.cern.ch
Subject: Re: solution time for www/smtp hole
In-reply-to: Your message of "Fri, 13 Aug 93 01:27:32 CDT."
<9308130627.AA22370@wintermute.ncsa.uiuc.edu>
Date: Fri, 13 Aug 1993 12:21:53 -0400
From: William C Fenner <fenner@herman.cmf.nrl.navy.mil>
Status: RO
My apologies, I sent this to Marc personally the first time.
On Fri, 13 Aug 93 01:27:32 -0500 Marc Andreessen wrote:
> With that in mind, suppose we take the approach of only outlawing a
> few ports as opposed to restricting the valid range to a given set
> (both approaches have been suggested). What ports other than 25
> should be outlawed?
I don't think that exclusion is the way to go. If we're going to exclude
any services listed in the Assigned Numbers RFC (rfc1340 right now) that
look like they might be dangerous, we'd better exclude 71-74 (Remote Job
Service), 82 (XFER Utility), etc. Most of the "funky" ports that are
currently in use are already officially assigned to something else, and
when you connect to port 82 on joe.random.host you can't be sure whether
you're getting the XFER utility or the httpd that someone stuck on some
random port.
With exclusion, you can never be sure that you excluded enough.
Yes, it will require people to redo their configurations, but arguably,
any configuration with an HTTP server running on a port <1024 != 80 is
wrong. I think that any non-experimental additional HTTP servers should
either get assigned numbers from the IANA or use ports >1024 .
Bill