Great Circle Associates Firewalls
(July 1994)
 


Subject: Re: UDP thru Firewall (Was: Prospero protocol and filters)
From: Ken Jones <kenj @ group1 . com>
Date: Thu, 21 Jul 1994 10:24:38 -0700 (PDT)
To: plarkin @ iphase . com
Cc: firewalls @ greatcircle . com
In-reply-to: <9407211641 . AA27917 @ chip . iphase . com> from "Patrick Larkin Jr" at Jul 21, 94 11:41:13 am

> 
> In article <9407210641 . AA22761 @ cwa . com>, uunet!cwa . com!dmurphy @ iphase . com (Dan Murphy) writes:
> > Unless I'm mistaken, archie (and xarchie) use UDP, not TCP. Most of the
> > networks belonging to the "anything not permitted is forbidden" school,
> > I believe, tend to drop all UDP traffic as inherently insecure.
> 
> So, what are the risks of letting UDP thru the firewall onto any
> internal machine?  We wanted to use SOCKS to proxy (most) everything
> so that we can get user accounts off our bastion and deny any 
> packet not from the bastion from getting in. This does break archie.
> 
> I'm told there is a socks-like thing that operates on UDP.
> 
> Any thoughts or suggestions on the risks and administration complexity 
> of allowing UDP in vs using this proxy thing?
> 
> Thanks,
> -- 
> +========================================================================+
> | PATRICK H LARKIN, JR. - System Administrator, Interphase Corp, Dallas  |
> |>----------------------------------------------------------------------<|
> | Internet: PLarkin @ Iphase . COM  | Home: ..uunet!iphase!mustang!patrick   |
> | Compuserve:  "Why?"           | MCI-Mail: (forwarded to Compuserve)    |
> |   FaxNet: (214) 919-9200      |  Prodigy: "You've GOT to be kidding"   |
> +========================================================================+

My understanding is that letting in UDP packets on ports >1023 is generally
safe, as the only listeners on those ports are clients such as archie
waiting for a specific response.

You also (if you are running Unix) need to check /etc/services to
verify there isn't anything configured to listen on ports above 1023
by default.

-- 
   Ken Jones      | Group One, Ltd.    |
 kenj @ group1 . com | 220 Bush St. #350  |
Systems / Network | San Francisco, Ca. |
 Administrator    | 94104              |
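The /etc/services check Ken describes, as an added worked example (not part of the original post or the list archive): a small parser for the standard `name port/proto [aliases] [# comment]` format that reports every UDP entry registered above port 1023, so an administrator can see which service names a ">1023 UDP allowed" rule would expose before writing it. The sample file contents, the function names and the threshold argument are all constructed for this illustration; the script can also be pointed at a real /etc/services with `high_udp_from_file()`.

```python
"""Audit an /etc/services-style file for UDP services above port 1023.

Added example for the message above; not code from the original post.
The SAMPLE_SERVICES text is constructed for the demonstration and is not
any real host's file.
"""
import re

# Constructed sample in /etc/services format: name  port/proto  [aliases]  [# comment]
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample)
tcpmux      1/tcp
echo        7/udp
bootps      67/udp    # BOOTP server
tftp        69/udp
sunrpc      111/udp   portmapper
ntp         123/udp
snmp        161/udp
prospero    191/udp
who         513/udp   whod
syslog      514/udp
route       520/udp   router routed
radius      1812/udp
nfs         2049/udp  # NFS server daemon
x11         6000/tcp
"""

# One services line after comments are stripped: name, port/proto, optional aliases.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>\w+)(?P<rest>.*)$")


def parse_services(text):
    """Yield (name, port, proto, aliases) for each parseable, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the audit
        aliases = m.group("rest").split()
        yield m.group("name"), int(m.group("port")), m.group("proto").lower(), aliases


def high_udp_services(text, threshold=1023):
    """Return [(name, port), ...] for UDP entries with port > threshold, sorted by port.

    These are the registered services a 'permit inbound UDP to ports >1023'
    rule would reach on a host that actually runs them.
    """
    found = [(name, port) for name, port, proto, _ in parse_services(text)
             if proto == "udp" and port > threshold]
    return sorted(found, key=lambda entry: entry[1])


def high_udp_from_file(path="/etc/services", threshold=1023):
    """Run the same audit against a real services file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return high_udp_services(fh.read(), threshold)


if __name__ == "__main__":
    for name, port in high_udp_services(SAMPLE_SERVICES):
        print(f"{name}\t{port}/udp")
```

Registration in /etc/services does not by itself mean a daemon is listening, so the list is a starting point for checking what is actually bound on each internal host, not a verdict; conversely, a service bound to a high UDP port need not appear in the file at all.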

