Brent writes -
> >I can see obvious needs for various UDP services across/through a
> >firewall, such as 53/UDP.
> Yes, you need to allow 53/UDP across the firewall, for DNS. Other
> UDP-based services that you might want to allow are NTP (not much worse a
> problem than DNS, and dealt with in much the same way; see below) and maybe
> Archie (big problem, see below).
> The main reason most well-constructed firewalls block UDP is because that's
> the only effective way to block access to RPC-based services like NFS and
> NIS/YP (which are RPC-over-UDP-based, but live on unpredictable UDP port
My point is that a statement, such as what Padgett mentioned, that
there needs to be 'justification' for permitting UDP services through
a firewall needs further clarification. Each organization should
scrutinize their unique needs for _all_ services, including TCP.
US Sprint tel: 703.689.6828
Managed Network Engineering internet: paul @
Reston, Virginia USA http://www.sprintmrn.com
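To make the point in the quoted paragraph concrete (RPC-over-UDP services such as NFS and NIS live on ports that cannot be predicted, so a firewall that wants to keep them out ends up denying UDP wholesale and then punching narrow holes for DNS and NTP), here is an added example that is not part of this thread and not anyone's production ruleset. It is a small first-match packet-filter policy evaluator run over constructed flow records. The server network 192.0.2.0/24, the flow lines, and the sample dynamic port 32771 are all constructed for illustration; the well-known ports (53 DNS, 123 NTP, 111 portmapper, 2049 NFS) are real.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; fields set to 'any'/None match everything."""
    action: str            # "allow" or "deny"
    proto: str             # "udp", "tcp" or "any"
    dst: str               # destination network in CIDR form, or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed: the organisation's own DNS and NTP servers (TEST-NET-1 range).
SERVER_NET = "192.0.2.0/24"

# The approach the quoted text describes: deny UDP as a class, then allow
# only the few UDP services you can justify, and only to designated servers.
DEFAULT_DENY_UDP: List[Rule] = [
    Rule("allow", "udp", SERVER_NET, 53),    # DNS to our resolvers
    Rule("allow", "udp", SERVER_NET, 123),   # NTP to our time servers
    Rule("deny",  "udp", "any", None),       # everything else over UDP
    Rule("allow", "tcp", "any", 80),         # unrelated TCP rule, kept for contrast
]

# The tempting alternative: block the RPC ports you know about and allow the rest.
PORT_BLOCKLIST_UDP: List[Rule] = [
    Rule("deny",  "udp", "any", 111),        # portmapper
    Rule("deny",  "udp", "any", 2049),       # nfsd
    Rule("allow", "udp", "any", None),
    Rule("allow", "tcp", "any", 80),
]

# Constructed flow records: proto, destination IP, destination port, label.
# 32771 stands in for whatever port the portmapper handed to mountd this boot.
SAMPLE_FLOWS = """\
udp 192.0.2.53 53 dns-query
udp 192.0.2.123 123 ntp
udp 198.51.100.7 53 dns-to-unsanctioned-resolver
udp 192.0.2.10 2049 nfs
udp 192.0.2.10 32771 rpc-mountd-on-unpredictable-port
tcp 192.0.2.80 80 http
"""


def parse_flow(line: str) -> Tuple[str, str, int, str]:
    proto, dst, port, label = line.split()
    return proto, dst, int(port), label


def apply_policy(rules: List[Rule], flows: str = SAMPLE_FLOWS) -> Dict[str, str]:
    """Map each flow label to the action the policy takes on it."""
    results: Dict[str, str] = {}
    for line in flows.strip().splitlines():
        proto, dst, port, label = parse_flow(line)
        results[label] = evaluate(rules, proto, dst, port)
    return results


def leaks(rules: List[Rule], flows: str = SAMPLE_FLOWS) -> List[str]:
    """Labels of RPC-style flows that a policy lets through."""
    return sorted(label for label, action in apply_policy(rules, flows).items()
                  if label.startswith("rpc") and action == "allow")


if __name__ == "__main__":
    for name, rules in (("default-deny-udp", DEFAULT_DENY_UDP),
                        ("port-blocklist-udp", PORT_BLOCKLIST_UDP)):
        print(name)
        for label, action in apply_policy(rules).items():
            print(f"  {action:5} {label}")
```

Running it shows the difference between the two rulesets: the default-deny policy admits only the DNS and NTP flows to the designated servers and drops both the fixed-port NFS flow and the mountd flow on the dynamic port, whereas the port-blocklist policy stops NFS on 2049 but waves the same RPC traffic through on 32771, which is exactly why a port blocklist is not an effective control for RPC-over-UDP.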
From: Brent @ COM (Brent Chapman)