Great Circle Associates Firewalls
(December 1992)
 


Subject: Re: Notes from Firewalls BOF at USENIX LISA Conference
From: Mike Minnich <minnich @ wind . es . dupont . com>
Date: Thu, 03 Dec 92 13:44:25 -0500
To: Brent Chapman <brent @ GreatCircle . COM>
Cc: Firewalls @ GreatCircle . COM
In-reply-to: Your message of "Thu, 03 Dec 92 08:13:07 PST." <9212031613 . AA18035 @ mycroft . GreatCircle . COM>

Brent,

NTP is fine as it uses port 123 for both source and destination port.

As for BIND, it's not quite as simple as that.  One problem I've run into
is that your firewall host will typically run named, which implies that
UDP socket 23 is bound to it.  If you want to point nslookup at
another server, you can't if your incoming filters only allow dest port 23 --
nslookup ends up using a source port >1023 which results in the following:

> server ns.nic.ddn.mil.
Default Server:  ns.nic.ddn.mil
Address:  192.112.36.4

> set type=ns
> .
Server:  ns.nic.ddn.mil
Address:  192.112.36.4

*** Request to ns.nic.ddn.mil timed-out

>

Mike
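Added example (not part of Mike's message or the list archive): a small Python simulation of the stateless inbound UDP filter the message describes, using the standard DNS port, UDP 53. It shows why the NTP exchange and the firewall's own named get their replies back while nslookup's reply to a source port above 1023 is dropped, and what a stateless rule that admits such replies looks like. The firewall address is a constructed placeholder; the server address is the one from the nslookup session above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str
    sport: range    # permitted source port range
    dport: range    # permitted destination port range

ANY = range(0, 65536)
HIGH = range(1024, 65536)          # ephemeral ports, >1023

# Inbound filter as the message describes it: NTP passes because it uses
# 123 on both ends; DNS is allowed only to the firewall's own named (dport 53).
INBOUND_STRICT = [
    Rule("permit", "udp", range(123, 124), range(123, 124)),
    Rule("permit", "udp", ANY, range(53, 54)),
]

# Stateless workaround (assumption, not from the message): also admit packets
# sourced from port 53 to ephemeral ports. Caveat: any remote host sending from
# source port 53 can now reach every high UDP port, since the filter keeps no state.
INBOUND_RELAXED = INBOUND_STRICT + [Rule("permit", "udp", range(53, 54), HIGH)]

def filter_packet(rules, pkt):
    """First matching rule decides; anything unmatched is denied."""
    for r in rules:
        if r.proto == pkt.proto and pkt.sport in r.sport and pkt.dport in r.dport:
            return r.action == "permit"
    return False

def exchange_completes(rules, query):
    """Outbound query leaves unfiltered; the reply swaps ends and must pass inbound."""
    reply = Packet(query.proto, query.dst, query.src, query.dport, query.sport)
    return filter_packet(rules, reply)

FW, NS = "192.0.2.1", "192.112.36.4"            # FW is a constructed placeholder
NTP_QUERY = Packet("udp", FW, NS, 123, 123)     # ntpd: port 123 both ends
NAMED_QUERY = Packet("udp", FW, NS, 53, 53)     # named on the firewall: 53 both ends
NSLOOKUP_QUERY = Packet("udp", FW, NS, 1234, 53) # nslookup: ephemeral source port

if __name__ == "__main__":
    for name, q in [("ntp", NTP_QUERY), ("named", NAMED_QUERY), ("nslookup", NSLOOKUP_QUERY)]:
        print(name, "strict:", exchange_completes(INBOUND_STRICT, q),
              "relaxed:", exchange_completes(INBOUND_RELAXED, q))
```

Under the strict rules the nslookup reply (source 53, destination 1234) matches nothing and is dropped, which is the timeout shown in the session; the relaxed rule lets it through at the cost of the caveat in the comment.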


