Jim Hickstein writes:
|My archie client seems to want me to let UDP packets to ports >1000
|through my router to/from my firewall. Isn't this a Bad Idea? Must I
|tell my users that they should telnet somewhere, instead?
We too faced a problem with archie (well, xarchie) because it used the
UDP-based prospero protocol. Since we use a router to filter out all
UDP (well, inbound anyway), we couldn't talk prospero with the outside
world, i.e. xarchie died. As you'd expect, users weren't too happy. So
the solution I implemented was to ensure that xarchie was able to bind
to 901 for its prospero (basically I made it setuid and added a couple
of setreuids). The only UDP I now allow in through the router is anything
which has a destination of 901 on our subnet. Does anyone see any
potential (or even glaringly obvious) problems with this?
Tim F O'Donoghue <tim @
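As an added illustration (not part of the thread, and not any router vendor's syntax), the following Python models the inbound UDP rule described above and evaluates a few constructed packets against it. The subnet 192.0.2.0/24, the host addresses and the port numbers other than 901 are assumed values chosen for the example; the filter decides only UDP, and everything else is passed through as "outside this rule", mirroring the post, which says nothing about how non-UDP traffic is handled.

```python
import ipaddress
from dataclasses import dataclass

# Assumed local subnet (RFC 5737 documentation range), not the poster's real one.
LOCAL_SUBNET = ipaddress.ip_network("192.0.2.0/24")
# The port xarchie was made (via setuid/setreuid) to bind for prospero.
PROSPERO_PORT = 901


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", ...
    src: str     # source IPv4 address
    sport: int   # source port
    dst: str     # destination IPv4 address
    dport: int   # destination port


def inbound_decision(pkt: Packet,
                     subnet: ipaddress.IPv4Network = LOCAL_SUBNET,
                     port: int = PROSPERO_PORT) -> str:
    """Model of the router rule from the post: the only inbound UDP that
    passes is traffic whose destination is port 901 on the local subnet.
    Returns "permit", "deny", or "not-udp" (the rule does not decide it)."""
    if pkt.proto.lower() != "udp":
        return "not-udp"
    dst = ipaddress.ip_address(pkt.dst)
    if dst in subnet and pkt.dport == port:
        return "permit"
    return "deny"


def evaluate(packets):
    """Apply the rule to a batch of inbound packets; returns (packet, decision) pairs."""
    return [(p, inbound_decision(p)) for p in packets]


# Constructed sample traffic, as seen from the outside arriving at the router.
SAMPLE_INBOUND = [
    # archie server answering our xarchie, which is bound to 901: passes.
    Packet("udp", "198.51.100.7", 1525, "192.0.2.10", 901),
    # UDP to an ordinary unprivileged port on our subnet: dropped.
    Packet("udp", "198.51.100.7", 1525, "192.0.2.10", 1234),
    # UDP to port 901 but on a subnet that is not ours: dropped.
    Packet("udp", "198.51.100.7", 1525, "203.0.113.5", 901),
    # Any outside host sending to 901 on our subnet also passes; the rule
    # keys on destination only, which is exactly what the post describes.
    Packet("udp", "203.0.113.99", 40000, "192.0.2.22", 901),
    # TCP is outside the scope of this UDP rule.
    Packet("tcp", "198.51.100.7", 40001, "192.0.2.10", 23),
]


if __name__ == "__main__":
    for pkt, decision in evaluate(SAMPLE_INBOUND):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {decision}")
```

Run it as a script to see the decision for each constructed packet; the fourth sample shows what the rule, as stated, lets through: any external source, provided the destination is 901 on the local subnet.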