
> This is a typical problem with all kinds of client/server applications!
> You have to allow tcp-high ports on your firewall!


Thus, letting in the dragons....

Actually, the RIGHT thing to do is:

        1. Write protocols which don't behave this way or

        2. Write a proxy or filter which monitors the data stream and opens / closes
           additional ports as necessary.


This is "ftp-ish".  The ftp control-port data-port lashup is an obsolete hack 
that all who firewall (coders, testers and administrators) are STILL living 
with.  Why anyone would spec a protocol like this these days is beyond me.



AL
- -- 
+--------------------------------------------------------------------+
| Al Potter                           Manager, Network Security Labs |
| apotter at-yay icsa ot-day net                           ICSA Labs |
| (If the spambots learn piglatin...)                                |
| PGP Key: 0x58C95451                            http://www.icsa.net |
| PGP Fingerprint:  D3 1D BE 8C B5 DD 12 61  5A 4A 65 32 93 E5 D9 36 |
+--------------------------------------------------------------------+




> 
> Kind regards,
> 
> Samir Fahim
> ISE
> 
> At 18:59 3/12/2000 -0000, Murugavel Balasubramaniam wrote:
> >Hi
> >
> >I've a CORBA application, the server inside my company's internal network
> >and the client in one of the agents' machines with Checkpoint FW-1 in
> >between. The client initiates a connection with the server to a fixed port
> >(14000), but then it talks to the client in different random ports.
> >Everything is working fine if I open all ports thru the firewall. I'm not
> >able to restrict the application to use only predetermined ports. I checked
> >all available documentation, manuals etc.
> >Can this be solved by some settings or special rules in my firewall? (maybe
> >using the 'stateful' thing in FW-1??) Or is this to be handled only thru
> >the application?
> >
> >Thanks
> >Samuel
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
> >
> 
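
The approach in point 2 of the reply, sketched for the FTP case the message mentions, as an added example that is not part of the original post: a control-channel monitor that opens a single-use, time-limited pinhole only for the address and port negotiated on the control connection. The class and method names, the 30-second lifetime and the sample addresses are assumptions.

```python
import re
import time

# h1,h2,h3,h4,p1,p2 as carried by the FTP PORT command and the 227 (PASV) reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class PinholeTable:
    """Tracks short-lived, single-use openings derived from the control channel."""

    def __init__(self, ttl=30):
        self.ttl = ttl    # assumed lifetime in seconds
        self.holes = {}   # (src_ip, dst_ip, dst_port) -> expiry time

    def inspect(self, line, client_ip, server_ip, from_client, now=None):
        """Inspect one control-channel line; return the pinhole opened, or None."""
        now = time.time() if now is None else now
        if from_client and line.upper().startswith("PORT "):
            connector, listener = server_ip, client_ip   # active mode
        elif not from_client and line.startswith("227 "):
            connector, listener = client_ip, server_ip   # passive mode
        else:
            return None
        m = _HOSTPORT.search(line)
        if not m or any(int(g) > 255 for g in m.groups()):
            return None
        ip = ".".join(str(int(g)) for g in m.groups()[:4])
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Refuse third-party addresses and privileged ports instead of opening them
        if ip != listener or port < 1024:
            return None
        hole = (connector, listener, port)
        self.holes[hole] = now + self.ttl
        return hole

    def permit(self, src_ip, dst_ip, dst_port, now=None):
        """Allow one matching connection, then close the pinhole."""
        now = time.time() if now is None else now
        expiry = self.holes.pop((src_ip, dst_ip, dst_port), None)
        return expiry is not None and now <= expiry


if __name__ == "__main__":
    t = PinholeTable()
    # Constructed sample lines, not captured traffic
    print(t.inspect("PORT 10,0,0,5,195,80", "10.0.0.5", "192.0.2.10", True))
    print(t.inspect("PORT 10,0,0,99,195,80", "10.0.0.5", "192.0.2.10", True))
```
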



