Great Circle Associates Firewalls
(December 1992)

Subject: Re: Firewalls Digest V1 #39
From: brian @ lloyd . com
Date: Fri, 4 Dec 1992 10:33:55 -0800
To: Firewalls @ GreatCircle . COM

>Bob Sutterfield <bob @ MorningStar . Com> writes:
>
>#    Does anybody let UDP packets through firewalls?  Never let UDP
>#    through firewalls.
># 
># What about DNS and NTP and other such benign stuff?  They should all
># be handled by a proxy on the firewall or in a DMZ, right?
>
>  ...
>
>I haven't looked at NTP yet; none of the clients I've set up firewalls
>for have requested it.  If it uses a random port for one end of the
>connection, I don't see any safe way to let NTP traffic through a
>firewall that only looks at destination addresses; if you do, you'll
>also end up exposing all RPC-based services, like YP and so forth.

NTP uses port 123 for both ends of the conversation.  I have my UDP filters
set up to pass only symmetrical traffic between ports 53 and 123.  It works.

Brian Lloyd                                       3420 Sudbury Road
brian @ lloyd . com                               Cameron Park, CA  95682
brian @ angband . stanford . edu                  (916) 676-3442 - fax
(415) 725-1392                                    (916) 676-1147 - voice
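The "symmetrical traffic only" rule from Brian's reply, as an added example that is not code from the original post or from Great Circle: a small Python model comparing the source-port-trusting rule Bob's objection implies with the symmetric rule Brian uses, run over constructed packets. Function names are the example's own; port 111 (portmapper) and 2049 (NFS) are the standard RPC-service ports.

```python
from dataclasses import dataclass

# Ports the post passes symmetrically: DNS (53) and NTP (123).
SYMMETRIC_UDP_PORTS = {53, 123}


@dataclass(frozen=True)
class UdpPacket:
    src_port: int
    dst_port: int
    note: str = ""


def allow_source_port_rule(pkt: UdpPacket) -> bool:
    """Rule you would need if the far end used a random port: trust the
    well-known *source* port and accept any destination port."""
    return pkt.src_port in SYMMETRIC_UDP_PORTS


def allow_symmetric_rule(pkt: UdpPacket) -> bool:
    """Rule from the post: pass UDP only when both ends use the same
    well-known port, so no ephemeral or RPC port is ever opened."""
    return pkt.src_port == pkt.dst_port and pkt.dst_port in SYMMETRIC_UDP_PORTS


def filter_packets(pkts, rule):
    """Return the notes of the packets a rule would let through."""
    return [p.note for p in pkts if rule(p)]


# Constructed sample traffic arriving from outside (not real captures).
INBOUND = [
    UdpPacket(123, 123, "ntp peer exchange"),
    UdpPacket(53, 53, "dns server-to-server query"),
    UdpPacket(53, 2049, "src 53 aimed at the NFS port"),
    UdpPacket(123, 111, "src 123 aimed at the portmapper"),
    UdpPacket(40000, 123, "client using an ephemeral source port"),
]


def compare():
    """Apply both rules to the sample traffic; returns what each admits."""
    return {
        "source-port rule": filter_packets(INBOUND, allow_source_port_rule),
        "symmetric rule": filter_packets(INBOUND, allow_symmetric_rule),
    }


if __name__ == "__main__":
    for name, passed in compare().items():
        print(f"{name}: {passed}")
```

The last sample packet shows the rule's cost: a client that picks an ephemeral source port is dropped, which modern DNS resolvers and many NTP clients do, so the symmetric rule assumes the fixed-port behaviour of 1992-era clients.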


