Received: from localhost (unknown [200.46.204.183]) by postgresql.org (Postfix) with ESMTP id E314B6501D0 for ; Fri, 25 Jul 2008 17:44:41 -0300 (ADT)
Received: from postgresql.org ([200.46.204.86]) by localhost (mx1.hub.org [200.46.204.183]) (amavisd-maia, port 10024) with ESMTP id 10298-02 for ; Fri, 25 Jul 2008 17:44:34 -0300 (ADT)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from sss.pgh.pa.us (sss.pgh.pa.us [66.207.139.130]) by postgresql.org (Postfix) with ESMTP id 736866501CA for ; Fri, 25 Jul 2008 17:44:35 -0300 (ADT)
Received: from sss2.sss.pgh.pa.us (tgl@localhost [127.0.0.1]) by sss.pgh.pa.us (8.14.2/8.14.2) with ESMTP id m6PKiW8G000573; Fri, 25 Jul 2008 16:44:32 -0400 (EDT)
To: Andrew Sullivan
cc: pgsql-www@postgresql.org
Subject: Re: Insecure DNS servers on PG infrastructure
In-reply-to: <20080725154048.GE29775@commandprompt.com>
References: <26210.1216998123@sss.pgh.pa.us> <20080725154048.GE29775@commandprompt.com>
Comments: In-reply-to Andrew Sullivan message dated "Fri, 25 Jul 2008 11:40:49 -0400"
Date: Fri, 25 Jul 2008 16:44:32 -0400
Message-ID: <572.1217018672@sss.pgh.pa.us>
From: Tom Lane
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Spam-Status: No, hits=0 tagged_above=0 required=5 tests=none
X-Spam-Level:
X-Archive-Number: 200807/134
X-Sequence-Number: 15564

Andrew Sullivan writes:
> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> If it says FAIR or POOR then you have an unpatched server or there
>> is something interfering with the port randomization. If the server
>> is behind a NAT firewall then the latter is entirely likely.

> There's no reason that a NAT should do that, if the device is
> competently built: if you randomise source ports on the inside, the
> NAT device could just use the same port on the outside.

I'm not convinced that that's true. If the router is trying to forward
UDP messages arriving from several "inside" IP addresses using only one
"outside" address, it has to deal with the possibility of collisions,
ie two "inside" addresses using the same port number at about the same
time. So it doesn't surprise me that it rewrites the port numbers. If
it assigned randomly-generated substitute numbers there'd be no problem,
but with no prior knowledge that would be a good idea you can hardly
blame the router authors for not indulging in extra complexity.

What I do know is that my own firewall hardware (a Netopia T1 router
that's two or three years old) *was* rewriting UDP port numbers on
requests from a machine that was sharing a NAT address with others.
After remapping to give that machine its own "outside" IP address, it
stopped doing so.

BTW the porttest.dns-oarc.net service was invaluable in testing this;
I'd probably have thought that just installing the new BIND made me
safe, if I hadn't had a way to test it.

regards, tom lane
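The exchange above turns on one observable: whether the UDP source ports that actually leave the network (after any NAT) are still unpredictable. The following is an added example, not code from the thread or from the dns-oarc porttest service; it models the two NAT behaviours Tom Lane contrasts (hand out the next free outside port in order, versus substitute a randomly chosen one) and rates a list of observed source ports the way a defender would want a local check to. The rating labels reuse the GREAT/GOOD/FAIR/POOR vocabulary from the thread, but the thresholds and the sequential-delta heuristic are this example's own assumptions, not OARC's algorithm. In practice the port list would come from a packet capture of outbound port-53 queries taken on the outside interface of the firewall.

```python
"""Rate the randomness of observed DNS UDP source ports (added example).

Assumptions (not from the mailing-list thread): the rating thresholds below
and the two NAT models are constructed for illustration only.
"""
import random
import statistics
from typing import Iterable, List, Sequence


def nat_rewrite_sequential(inside_ports: Iterable[int], base: int = 1024) -> List[int]:
    """Constructed model of a NAT that avoids collisions between several inside
    hosts by assigning the next free outside port in order.  Random inside
    ports come out as base, base+1, base+2, ... which is trivially predictable."""
    return [base + i for i, _ in enumerate(inside_ports)]


def nat_rewrite_random(inside_ports: Iterable[int], rng: random.Random) -> List[int]:
    """Constructed model of a NAT that substitutes a randomly chosen outside
    port for each query; this preserves the unpredictability of the source port."""
    return [rng.randint(1024, 65535) for _ in inside_ports]


def assess_source_ports(ports: Sequence[int]) -> dict:
    """Classify an observed sequence of UDP source ports.

    POOR : a single fixed port, or mostly incrementing ports (a rewriting NAT)
    FAIR : distinct but confined to a narrow range
    GOOD/GREAT : widely spread and not incrementing
    Thresholds are assumptions chosen for this example.
    """
    ports = list(ports)
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    distinct = len(set(ports))
    spread = statistics.pstdev(ports)
    # A NAT handing out ports in order produces consecutive deltas of 1 (or
    # close to it when other inside hosts interleave their own queries).
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    sequential_fraction = sum(1 for d in deltas if d <= 2) / len(deltas)

    if distinct == 1:
        rating = "POOR"          # fixed source port, e.g. everything from port 53
    elif sequential_fraction > 0.5:
        rating = "POOR"          # incrementing ports: randomization defeated
    elif spread < 3000:
        rating = "FAIR"          # randomized, but within a narrow window
    elif spread < 10000:
        rating = "GOOD"
    else:
        rating = "GREAT"
    return {
        "samples": len(ports),
        "distinct_ports": distinct,
        "stddev": round(spread, 1),
        "sequential_fraction": round(sequential_fraction, 2),
        "rating": rating,
    }


if __name__ == "__main__":
    rng = random.Random(2008)
    # Constructed "inside" ports from a patched resolver that randomizes properly.
    inside = [rng.randint(1024, 65535) for _ in range(40)]
    print("inside resolver:  ", assess_source_ports(inside))
    print("sequential NAT:   ", assess_source_ports(nat_rewrite_sequential(inside)))
    print("randomizing NAT:  ", assess_source_ports(nat_rewrite_random(inside, rng)))
    print("fixed port 53:    ", assess_source_ports([53] * 40))
```

The sequential-delta test matters more than the standard deviation alone: a NAT that allocates outside ports in order still produces a respectable spread over a long capture, so a spread-only metric would misreport it as acceptable.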