Great Circle Associates Firewalls
(March 1993)
 


Subject: Re: archie and UDP
From: tim @ canon . co . uk (Tim F O'Donoghue)
Date: Fri, 5 Mar 93 9:28:46 GMT
To: jxh @ ICD . Teradyne . COM (Jim Hickstein)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9303040303 . AA22705 @ ICD . Teradyne . COM>; from "Jim Hickstein" at Mar 3, 93 7:03 pm

Jim Hickstein writes:

|My archie client seems to want me to let UDP packets to ports >1000
|through my router to/from my firewall.  Isn't this a Bad Idea?  Must I
|tell my users that they should telnet somewhere, instead?

We too faced a problem with archie (well xarchie) because it used the
UDP-based prospero protocol. Since we use a router to filter out all
UDP (well inbound anyway), we couldn't talk prospero with the outside
world, i.e. xarchie died. As you'd expect, users weren't too happy. So
the solution I implemented was to ensure that xarchie was able to bind
to 901 for its prospero (basically I made it setuid and added a couple
of setreuids). The only UDP I now allow in thru the router is anything
which has a destination of 901 on our subnet. Does anyone see any
potential (or even glaringly obvious) problems with this?

Tx.
-- 
Tim F O'Donoghue <tim @ canon . co . uk> <uunet!canon!tim>
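
The approach described in the message above (bind the privileged port while setuid root, then give up root with setreuid), as an added example; it is not the xarchie change from the message. `bind_then_drop` and `PROSPERO_SRC_PORT` are hypothetical names, and the final check that root cannot be regained is an addition.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* expose setreuid()/setregid() under strict -std */
#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define PROSPERO_SRC_PORT 901 /* the port named in the message */

/* Hypothetical helper: returns a bound UDP socket, or -1 on any failure.
 * Call it first in main(), before any user input is parsed. */
int bind_then_drop(unsigned short port)
{
    struct sockaddr_in sa = {0};
    uid_t ruid = getuid(); /* the invoking user, not the file owner */
    gid_t rgid = getgid();
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    /* The only step that needs root: ports below 1024 are privileged. */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        goto fail;
    /* Group before user: after the uid drop the gid call would be refused.
     * Setting real and effective together also resets the saved id on Linux. */
    if (setregid(rgid, rgid) < 0 || setreuid(ruid, ruid) < 0)
        goto fail;
    /* Never trust the return codes alone: confirm root cannot be regained. */
    if (geteuid() != ruid || getegid() != rgid || (ruid != 0 && seteuid(0) == 0))
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

int main(void)
{
    int fd = bind_then_drop(PROSPERO_SRC_PORT);
    if (fd < 0)
        return 1; /* bind or privilege drop failed */
    printf("bound UDP port %d as uid %d\n", PROSPERO_SRC_PORT, (int)getuid());
    return 0;
}
```

Everything after the call runs with the invoking user's ids only, so the protocol parsing that handles packets arriving on port 901 never executes as root.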


