On Mon, 4 Dec 2000, william.wells wrote:

> "FTP-ish"? There are actually valid reasons to use something like this.
> Various purchased applications that we have utilize servers which accept an
> initial IP/PORT. These "initial connection" servers validate the request and
> then assign it off to another process which may be executing on another
> system (load-balancing, for example). This "pass-off" requires opening
> another connection. That information is done via a PORT command similar to
> FTP. While this doesn't have concurrent command/data connections, it has a
> similar logic.

Funnily enough, Web-server load balancing solutions don't require a
multitude of ports.  Once again, just because there's a semi-valid reason
someone uses a particular protocol doesn't make it the poster child for
hosing up a perfectly good firewall protection profile.

High explosives are a perfectly valid way to dig holes too, I doubt we'll
be seeing backhoe sales slump anytime soon though.

> I agree that the safest way to handle this is to configure the firewall to
> understand the PORT command and to open the port in that situation. Opening
> up a range of high-ports isn't the best way to go.

The enduring point is that if we all pass bad protocols, protocol
designers have zero impetus to create good ones.

The proof is in the tunnel-everything-over-HTTP mess we're currently stuck
with.

HTTP being the canonical example of building a crappy single-port protocol
:)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

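The thread above agrees that the right way to handle a PORT-style handoff is a firewall that understands the command and opens only the one dynamic port it names, rather than a range of high ports. The block below is an added example (not code from either poster, and not taken from any firewall product) of the check a protocol-aware firewall performs on the control channel before opening such a pinhole. It uses the real FTP PORT syntax from RFC 959 ("PORT h1,h2,h3,h4,p1,p2"); the function names, the Pinhole record and the sample control-channel lines are constructed for illustration. Besides parsing, it refuses the cases a practitioner cares about: an advertised address that differs from the client's own (an FTP bounce, where the data connection would be steered to a third host) and a privileged or out-of-range port.

```python
"""Validate an FTP-style PORT command the way a protocol-aware firewall
would before opening a dynamic pinhole for the data connection.

Added example, not from the original mailing-list post.  The PORT syntax
(RFC 959: "PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2) is real; the
helper names and the sample control-channel lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Six comma-separated decimal octets after the PORT keyword, nothing else.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Pinhole:
    """One dynamic rule: allow src_ip -> dst_ip:dst_port for the data channel."""
    src_ip: str   # the server, which initiates the active-mode data connection
    dst_ip: str   # the client address the PORT command advertised
    dst_port: int


def parse_port_command(line: str) -> Optional[tuple]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):  # regex allows 3 digits, so bound-check
        return None
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def pinhole_for_port(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Decide whether the firewall should open a pinhole for this PORT command.

    client_ip/server_ip are the endpoints of the already-established control
    connection.  Returns the single pinhole to open, or None to refuse:
      - malformed command                     -> refuse
      - advertised IP != control-channel IP   -> refuse (FTP bounce attack)
      - port 0-1023 (privileged) or > 65535   -> refuse
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip:
        return None  # data connection would be steered to a third host
    if port <= 1023 or port > 65535:
        return None  # never punch holes to privileged services
    return Pinhole(src_ip=server_ip, dst_ip=client_ip, dst_port=port)


if __name__ == "__main__":
    # Constructed control-channel lines from a client at 192.168.1.10
    # talking to a server at 10.0.0.5.
    client, server = "192.168.1.10", "10.0.0.5"
    for cmd in (
        "PORT 192,168,1,10,4,1",      # legitimate: open 10.0.0.5 -> 192.168.1.10:1025
        "PORT 10,0,0,99,4,1",         # bounce: points at a different host
        "PORT 192,168,1,10,0,80",     # privileged port on the client
        "PORT 300,1,1,1,4,1",         # octet out of range
        "RETR secret.txt",            # not a PORT command at all
    ):
        print(f"{cmd:32} -> {pinhole_for_port(cmd, client, server)}")
```

Only the one address and port named by the command is opened, and only for the duration of that session; the pinhole is keyed to the control connection's own client address, which is what stops the "open a range of high ports" shortcut from turning the firewall into a relay for bounce scans.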