Re: solution time for www/smtp hole

William C Fenner (
Fri, 13 Aug 1993 12:21:53 -0400

My apologies, I sent this to Marc personally the first time.

On Fri, 13 Aug 93 01:27:32 -0500 Marc Andreessen wrote:
> With that in mind, suppose we take the approach of only outlawing a
> few ports as opposed to restricting the valid range to a given set
> (both approaches have been suggested). What ports other than 25
> should be outlawed?

I don't think that exclusion is the way to go. If we're going to exclude
any services listed in the Assigned Numbers RFC (rfc1340 right now) that
look like they might be dangerous, we'd better exclude 71-74 (Remote Job
Service), 82 (XFER Utility), etc. Most of the "funky" ports that are
currently in use are already officially assigned to something else, and
when you connect to port 82 on you can't be sure whether
you're getting the XFER utility or the httpd that someone stuck on some
random port.

With exclusion, you can never be sure that you excluded enough.

Yes, it will require people to redo their configurations, but arguably,
any configuration with an HTTP server running on a port <1024 != 80 is
wrong. I think that any non-experimental additional HTTP servers should
either get assigned numbers from the IANA or use ports >1024 .