begin quoting Christian Seberino as of Fri, Jan 27, 2006 at 08:55:48AM -0800:
> We've got a NAT'ing firewall that works fine except when
> a client behind the firewall (192.168.x.y address)
> tries to access a Microsoft server on the Internet.
>
> It appears that M$ servers need to initiate *new* additional TCP
> connections back to the client on certain ports.

What service are you trying to run? The term "server" doesn't specify.

> Anyone know about this or how to securely allow firewall to handle it?

Replace the M$ servers?

> What ports need to be opened?

If you're serious, I'd suggest partitioning off the server(s) in question into their own protection domain, and the rest of your network should assume that these machines are compromised. Then nmap the local servers to find out on which ports they are listening, associate those with the services that you want to be running, and open up the ports through the firewall as appropriate for your security policy.

--
_ |\_ \| -- [email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
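As an added illustration of the "nmap, associate with wanted services, then open only those" approach (this is not code from the thread): it reads a scan saved in nmap's grepable (-oG) format, keeps only ports reported open, and emits Linux iptables FORWARD rules for a segregated zone, while any listener that does not match a wanted service is set aside for review instead of being opened. The scan output, hosts, interface name and LAN range are constructed for the example.

```python
"""Added helper (not from the thread): read nmap grepable (-oG) output,
keep only ports that are actually open, compare them against the services
you intend to run, and emit iptables FORWARD rules for a segregated zone.
Zone/LAN addresses, interface name and scan output are constructed."""
import re

# Constructed sample of `nmap -oG -` output; not a real scan.
SAMPLE_SCAN = (
    "# Nmap scan initiated as: nmap -oG - 192.168.50.10 192.168.50.11\n"
    "Host: 192.168.50.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///,"
    " 3389/filtered/tcp//ms-term-serv///\tIgnored State: closed (997)\n"
    "Host: 192.168.50.11 ()\tPorts: 25/open/tcp//smtp///, 135/open/tcp//msrpc///"
    "\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)

HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)")

def listening_ports(grepable):
    """Return [(host, port, proto, service)] for every port reported open."""
    found = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            # grepable field order: port/state/proto/owner/service/rpc/version/
            f = entry.strip().split("/")
            if len(f) < 5 or f[1] != "open":
                continue  # filtered or closed ports do not need a hole
            found.append((host, int(f[0]), f[2], f[4] or "unknown"))
    return found

def plan_rules(entries, wanted, zone_if="eth2", lan="192.168.0.0/24"):
    """Split listeners into rules for services you want and a review list
    for anything else; unexpected listeners are never opened silently."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    review = []
    for host, port, proto, svc in sorted(set(entries)):
        if svc not in wanted:
            review.append((host, port, proto, svc))
            continue
        rules.append(f"iptables -A FORWARD -s {lan} -d {host} -p {proto} "
                     f"--dport {port} -m state --state NEW -j ACCEPT  # {svc}")
    # the zone may answer but never initiate toward the rest of the network
    rules.append(f"iptables -A FORWARD -i {zone_if} -d {lan} -j DROP")
    return rules, review
```

With the constructed scan, the msrpc listener on 192.168.50.11 lands in the review list rather than in the rule set, which is the point: a port the scan finds is not automatically a port the policy allows.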
