Michael,
In message <199608220731.AAA16958@miles.greatcircle.com> you write:
> Has anyone done anything for a firewall that can take UDP packets, stuff
> them into TCP packets addressed to a specific UDP relay socket address
> and then unstuff them at the other end?
>
> Or is this idea no better than simply opening up a range of UDP ports and
> just filtering out IP addresses that you don't want to let through?
Tunneling stuff is often at least as bad as passing it directly, as
the filter will only see the tunnel endpoints (not real source/dest)
and has (usually) no way to figure out just what is being tunnelled
(can you say MBONE?)

On the other hand, it may be the only option if you e.g. have to pass
IPX traffic through an IP-only firewall. Allowing IPX through a
firewall is usually a bad idea (no firewall I know of can do anything
reasonable with IPX) ... but there are times where you just need the
connectivity and can accept the risks involved.
\Bernhard.
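
An added illustration of the point in the reply above (not part of the original message): a packet filter sees only the outer TCP endpoints of a UDP-in-TCP tunnel, while a relay that unstuffs the frames can apply policy to the inner source and destination. The frame layout, function names and all addresses are assumptions constructed for this sketch.

```python
import ipaddress
import struct

# Hypothetical frame layout (an assumption, not a standard):
#   2-byte length | src IPv4 | src port | dst IPv4 | dst port | UDP payload
HDR = struct.Struct("!4sH4sH")

def encapsulate(src, sport, dst, dport, payload):
    """Wrap one UDP datagram in a length-prefixed frame for the TCP stream."""
    body = HDR.pack(ipaddress.IPv4Address(src).packed, sport,
                    ipaddress.IPv4Address(dst).packed, dport) + payload
    return struct.pack("!H", len(body)) + body

def decapsulate(buf):
    """Split a TCP byte stream into datagrams; return (datagrams, leftover).

    TCP has no message boundaries, so a trailing partial frame is kept as
    leftover until more bytes arrive.
    """
    out = []
    while len(buf) >= 2:
        (n,) = struct.unpack_from("!H", buf)
        if n < HDR.size:
            raise ValueError("frame shorter than inner header")
        if len(buf) < 2 + n:
            break  # partial frame: wait for more bytes
        s, sp, d, dp = HDR.unpack_from(buf, 2)
        out.append((str(ipaddress.IPv4Address(s)), sp,
                    str(ipaddress.IPv4Address(d)), dp, buf[2 + HDR.size:2 + n]))
        buf = buf[2 + n:]
    return out, buf

def relay_allows(datagram, allowed):
    """Relay-side policy on the inner destination (ip, port) pair."""
    _, _, dst, dport, _ = datagram
    return (dst, dport) in allowed

# Constructed sample: two inner flows share one outer TCP connection.
OUTER = ("192.0.2.10", 40000, "198.51.100.1", 7000)  # all the filter sees
ALLOWED = {("10.1.1.53", 53)}                        # inner DNS server only
stream = (encapsulate("10.9.9.5", 5353, "10.1.1.53", 53, b"dns-query") +
          encapsulate("10.9.9.5", 6000, "10.1.1.20", 2049, b"nfs-call"))

if __name__ == "__main__":
    frames, rest = decapsulate(stream)
    print("packet filter sees:", OUTER)
    for f in frames:
        print("relay sees:", f[:4], "ALLOW" if relay_allows(f, ALLOWED) else "DROP")
```

Both inner flows match the same outer 4-tuple, so only the unstuffing relay can tell the permitted one from the other.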