>Bob Sutterfield <bob @
># Does anybody let UDP packets through firewalls? Never let UDP
># through firewalls.
># What about DNS and NTP and other such benign stuff? They should all
># be handled by a proxy on the firewall or in a DMZ, right?
>I haven't looked at NTP yet; none of the clients I've set up firewalls
>for have requested it. If it uses a random port for one end of the
>connection, I don't see any safe way to let NTP traffic through a
>firewall that only looks at destination addresses; if you do, you'll
>also end up exposing all RPC-based services, like YP and so forth.
NTP uses port 123 for both ends of the conversation. I have my UDP filters
set up to pass only symmetrical traffic between ports 53 and 123. It works.
Brian Lloyd
3420 Sudbury Road
Cameron Park, CA 95682
(916) 676-1147 - voice
(916) 676-3442 - fax
(415) 725-1392
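The "symmetrical UDP" rule in the reply above, modelled as code. This is an added example, not from the original thread or from either poster: it encodes the policy "pass a UDP datagram only when source and destination port are equal and both are 53 or 123" and runs it over a handful of constructed packets, including the case Bob worries about (a service port on one end only, which would be the shape of RPC traffic). The `UdpPacket` type, `allow_udp` function and the sample addresses are assumptions of this example.

```python
# Added example (not from the original thread): a minimal model of the
# "symmetrical UDP" filter described in the reply, run on constructed packets.
from dataclasses import dataclass

SYMMETRIC_UDP_PORTS = {53, 123}  # DNS and NTP, the two ports named in the post


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def allow_udp(pkt: UdpPacket) -> bool:
    """Pass a datagram only if both ports are equal and one of the permitted
    service ports (53<->53 or 123<->123). Everything else is dropped, including
    traffic that merely has the service port on one end."""
    return pkt.src_port == pkt.dst_port and pkt.src_port in SYMMETRIC_UDP_PORTS


# Constructed sample traffic; addresses are documentation-range placeholders.
SAMPLE_PACKETS = [
    UdpPacket("192.0.2.10", 123, "198.51.100.5", 123),    # NTP server/peer exchange
    UdpPacket("192.0.2.10", 53, "198.51.100.53", 53),     # DNS server-to-server
    UdpPacket("192.0.2.10", 40123, "198.51.100.5", 123),  # NTP from an ephemeral port
    UdpPacket("192.0.2.10", 40124, "198.51.100.53", 53),  # DNS from an ephemeral port
    UdpPacket("192.0.2.10", 123, "198.51.100.5", 111),    # service port on one end only
]


def filter_report(packets):
    """Return (src_port, dst_port, allowed) for each packet."""
    return [(p.src_port, p.dst_port, allow_udp(p)) for p in packets]


if __name__ == "__main__":
    for src, dst, ok in filter_report(SAMPLE_PACKETS):
        print(f"{src:>5} -> {dst:<5} {'PASS' if ok else 'DROP'}")
```

The port-pair match works for the server-to-server exchanges the reply has in mind, and the last sample packet shows why requiring equality on both ends matters: a rule that only checked for port 123 on one side would also pass datagrams aimed at other services. Note that most current NTP and DNS clients send from an ephemeral source port (the third and fourth samples), so this policy drops their traffic; on a modern stateful firewall the equivalent protection is to track the outbound request and admit only the matching reply, rather than to rely on equal ports.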