Brent writes -
> > I can see obvious needs for various UDP services across/through a
> > firewall, such as 53/UDP.
>
> Yes, you need to allow 53/UDP across the firewall, for DNS. Other
> UDP-based services that you might want to allow are NTP (not much worse a
> problem than DNS, and dealt with in much the same way; see below) and maybe
> Archie (big problem, see below).
>
> The main reason most well-constructed firewalls block UDP is because that's
> the only effective way to block access to RPC-based services like NFS and
> NIS/YP (which are RPC-over-UDP-based, but live on unpredictable UDP port
> numbers).
>
My point is that a statement, such as what Padgett mentioned, that
there needs to be 'justification' for permitting UDP services through
a firewall needs further clarification. Each organization should
scrutinize their unique needs for _all_ services, including TCP.
Cheers,
- paul
_______________________________________________________________________________
Paul Ferguson
US Sprint                      tel: 703.689.6828
Managed Network Engineering    internet: paul@hawk.sprintmrn.com
Reston, Virginia USA           http://www.sprintmrn.com
References:
- Re: UDP, from Brent Chapman (Brent@GreatCircle.COM)
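Brent's point about RPC services living on unpredictable UDP ports is the kind of thing a ruleset makes concrete. The following is an added illustration, not code from this thread or from either author: a toy stateless packet filter that compares a policy which tries to enumerate and block the RPC service ports against the policy described above (allow only the UDP services you need, deny the rest). The port numbers for NTP (123), the portmapper (111) and NFS (2049) are the customary well-known assignments and are assumptions here; the thread only names 53/UDP. The RPC "services" in the sample are constructed packets on random high ports.

```python
"""Toy stateless packet filter contrasting two UDP policies.

Added illustration (not from the thread): a 'block the known RPC ports'
policy versus the default-deny-UDP-with-exceptions policy Brent describes.
Ports 123 (NTP), 111 (portmapper) and 2049 (NFS) are assumed well-known
assignments, not values stated in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional
import random


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "udp", "tcp" or "any"
    dport: Optional[int]   # None matches every destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    service: str           # label used only for reporting


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match rule evaluation with an implicit final deny."""
    for rule in rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"


# Policy A: try to enumerate and block the RPC services by port number.
BLOCK_KNOWN_RPC_PORTS = [
    Rule("deny", "udp", 111),    # portmapper (assumed well-known port)
    Rule("deny", "udp", 2049),   # NFS (assumed well-known port)
    Rule("allow", "udp", None),  # everything else over UDP passes
    Rule("allow", "tcp", None),
]

# Policy B: the approach in the thread: allow the UDP you need, deny the rest.
DEFAULT_DENY_UDP = [
    Rule("allow", "udp", 53),    # DNS
    Rule("allow", "udp", 123),   # NTP (assumed well-known port)
    Rule("deny", "udp", None),   # all other UDP, including dynamic RPC ports
    Rule("allow", "tcp", None),  # TCP still needs per-service scrutiny in practice
]


def rpc_service_packets(seed: int = 1, count: int = 5) -> List[Packet]:
    """Constructed sample: RPC services that registered on dynamic high ports."""
    rng = random.Random(seed)
    return [Packet("udp", rng.randint(32768, 65535), f"rpc-service-{i}")
            for i in range(count)]


def leaked_services(policy: List[Rule], packets: List[Packet]) -> List[str]:
    """Names of the sampled services that the policy lets through."""
    return [p.service for p in packets if evaluate(policy, p) == "allow"]


if __name__ == "__main__":
    sample = rpc_service_packets()
    print("block-known-ports leaks:", leaked_services(BLOCK_KNOWN_RPC_PORTS, sample))
    print("default-deny-udp leaks: ", leaked_services(DEFAULT_DENY_UDP, sample))
    print("DNS under default-deny: ", evaluate(DEFAULT_DENY_UDP, Packet("udp", 53, "dns")))
```

Because the RPC services in the sample sit on ports the blocklist never enumerated, policy A passes every one of them while still appearing to "block NFS"; policy B passes only the two UDP services it was told about. That asymmetry, not any property of UDP itself, is the justification the thread is arguing about.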