On Sat, May 24, 2008 at 10:02:31AM -0700, Russ Allbery wrote:
> Could you provide more information about where you're seeing this problem?
> Stanford University is using, in production, the following firewall rules:
The log shows the following:

| May 25 10:36:35 kdc1 kadmind[1385]: chpw: Couldn't connect to client: No such process

And holds several extra sockets open:

| # netstat -ulpen
| Active Internet connections (only servers)
| Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
| udp        0      0 0.0.0.0:32772           0.0.0.0:*                           0          3832       1385/kadmind
| udp        0      0 0.0.0.0:32773           0.0.0.0:*                           0          3833       1385/kadmind
| udp        0      0 0.0.0.0:32774           0.0.0.0:*                           0          3835       1385/kadmind
| udp        0      0 0.0.0.0:32775           0.0.0.0:*                           0          3836       1385/kadmind
| udp        0      0 0.0.0.0:464             0.0.0.0:*                           0          3719       1385/kadmind
| udp        0      0 10.42.1.65:88           0.0.0.0:*                           0          2941       1125/krb5kdc
| udp6       0      0 fe80::216:3eff:fe4e::88 :::*                                0          2943       1125/krb5kdc

It seems that it uses the new sockets to do something special which is not allowed by my config. But it seems to not send data over it.

Bastian

--
First study the enemy. Seek weakness.
		-- Romulan Commander, "Balance of Terror", stardate 1709.2
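A check a KDC administrator can run to spot listeners that a port-based firewall rule set does not cover, added here as an example and not part of this mail or of the krb5 code base; the netstat sample is constructed from the lines quoted above, and the per-program allowlist (464 for kadmind, 88 for krb5kdc) is an assumption about the site's rules:

```python
from collections import defaultdict

# Constructed sample modelled on the `netstat -ulpen` output quoted in the mail
# (addresses, inodes and PIDs are the ones shown there; column alignment is ours).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
udp        0      0 0.0.0.0:32772           0.0.0.0:*                           0          3832       1385/kadmind
udp        0      0 0.0.0.0:32773           0.0.0.0:*                           0          3833       1385/kadmind
udp        0      0 0.0.0.0:32774           0.0.0.0:*                           0          3835       1385/kadmind
udp        0      0 0.0.0.0:32775           0.0.0.0:*                           0          3836       1385/kadmind
udp        0      0 0.0.0.0:464             0.0.0.0:*                           0          3719       1385/kadmind
udp        0      0 10.42.1.65:88           0.0.0.0:*                           0          2941       1125/krb5kdc
udp6       0      0 fe80::216:3eff:fe4e::88 :::*                                0          2943       1125/krb5kdc
"""

# Assumed allowlist: the UDP ports a KDC host's firewall rules are normally
# written for (kpasswd/kadmind on 464, the KDC itself on 88).
EXPECTED_PORTS = {"kadmind": {464}, "krb5kdc": {88}}


def parse_udp_listeners(text):
    """Return {program: {port, ...}} for every udp/udp6 line of `netstat -ulpen` output."""
    listeners = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Header lines are skipped; a UDP server line has no State column, so
        # Proto, Recv-Q, Send-Q, Local, Foreign, User, Inode, PID/Program = 8 fields.
        if len(fields) < 8 or not fields[0].startswith("udp"):
            continue
        local = fields[3]
        # The port follows the last ':', which also copes with IPv6 local addresses.
        port = int(local.rsplit(":", 1)[1])
        pid_prog = fields[-1]  # e.g. "1385/kadmind"
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        listeners[program].add(port)
    return dict(listeners)


def unexpected_ports(listeners, expected=EXPECTED_PORTS):
    """Ports each program listens on that the firewall allowlist does not cover."""
    report = {}
    for prog, ports in listeners.items():
        extra = ports - expected.get(prog, set())
        if extra:
            report[prog] = extra
    return report


if __name__ == "__main__":
    for prog, ports in sorted(unexpected_ports(parse_udp_listeners(NETSTAT_SAMPLE)).items()):
        print(f"{prog}: listening on UDP port(s) not in the allowlist: {sorted(ports)}")
```

Run against live output (`netstat -ulpen | python3 check.py` after swapping the constant for `sys.stdin.read()`), the report shows which ephemeral sockets a rule set keyed on 88 and 464 alone would leave blocked.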