>
> In article <9407210641.AA22761@cwa.com>, uunet!cwa.com!dmurphy@iphase.com (Dan Murphy) writes:
> > Unless I'm mistaken, archie (and xarchie) use UDP, not TCP. Most of the
> > networks belonging to the "anything not permitted is forbidden" school,
> > I believe, tend to drop all UDP traffic as inherently insecure.
>
> So, what are the risks of letting UDP thru the firewall onto any
> internal machine? We wanted to use SOCKS to proxy (most) everything
> so that we can get user accounts off our bastion and deny any
> packet not from the bastion from getting in. This does break archie.
>
> I'm told there is a socks-like thing that operates on UDP.
>
> Any thoughts or suggestions on the risks and administration complexity
> of allowing UDP in vs using this proxy thing?
>
> Thanks,
> --
> +========================================================================+
> | PATRICK H LARKIN, JR. - System Administrator, Interphase Corp, Dallas |
> |>----------------------------------------------------------------------<|
> | Internet: PLarkin@Iphase.COM | Home: ..uunet!iphase!mustang!patrick |
> | Compuserve: "Why?" | MCI-Mail: (forwarded to Compuserve) |
> | FaxNet: (214) 919-9200 | Prodigy: "You've GOT to be kidding" |
> +========================================================================+
My understanding is that letting in UDP packets on ports >1023 is generally
safe, as the only listeners on those ports are clients such as archie
waiting for a specific response.

You also (if you are running Unix) need to check /etc/services to
verify there isn't anything configured to listen on ports above 1023
by default.
--
Ken Jones              | Group One, Ltd.     |
kenj@group1.com        | 220 Bush St. #350   |
Systems / Network      | San Francisco, Ca.  |
Administrator          | 94104               |
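The /etc/services check described in the reply above, as an added example that is not part of the original thread: a shell function that scans a services(5) file and lists every UDP entry declared on a port above 1023, the range the post proposes to let through the firewall. The sample services file is constructed for the example, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the original post). services(5) lines look like:
#   name  port/proto  [aliases...]  [# comment]

# Constructed sample of an /etc/services file; on a real host use /etc/services.
SAMPLE_FILE="${TMPDIR:-/tmp}/services.sample.$$"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# Network services, Internet style (constructed sample)
echo         7/udp
domain      53/tcp
domain      53/udp
tftp        69/udp
sunrpc     111/udp    portmapper   # RPC portmapper
ntp        123/udp
snmp       161/udp
syslog     514/udp
archie    1525/udp
nfs       2049/udp    # NFS server
EOF

# high_udp_services FILE [MINPORT]
# Prints "port name" for each UDP entry whose port is above MINPORT
# (default 1023), sorted by port. TCP entries and comments are ignored.
high_udp_services() {
    _file="$1"; _min="${2:-1023}"
    awk -v min="$_min" '
        { sub(/#.*/, "") }                 # strip trailing comments
        NF < 2 { next }                    # skip blank/comment-only lines
        {
            split($2, pp, "/")             # pp[1]=port, pp[2]=proto
            if (pp[2] == "udp" && pp[1] + 0 > min)
                printf "%s %s\n", pp[1], $1
        }' "$_file" | sort -n
}

# Anything printed here is a UDP service the file declares inside the
# "ports >1023" range that the post considers safe to pass.
high_udp_services "$SAMPLE_FILE"
```

The services file only maps names to ports; to confirm what is actually listening, compare this list against the host's inetd.conf and its netstat output.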