Fuzzy Fox wrote:
>
> Michael Kohne <[EMAIL PROTECTED]> wrote:
> >
> > 1) ipautofw - This seems to add a range of ports to the
> > masquerading list in the kernel whenever a packet is received on a
> > specific port. This is a kernel patch. Some people on the list
> > have complained of trouble with it, others have no problems.
>
> Ipautofw is an interesting beast. It can be run in one of several
> modes:
>
> a. <snip>
>
> b. It can be set up to forward a port or range of ports
> unconditionally, to a machine behind the firewall. This seems
> to be a more popular mode than the previous, since it's easier
> for people to set up.
>
> The problems that most people have, occur when they use that second
> mode. When running in this mode, ipautofw forwards all packets that
> appear on that port, or range of ports, regardless of the reason they
> are arriving. This can conflict with legitimate use of the machine,
> because a network connection originating on the firewall might attempt
> to make use of one of those ports as its "source" port, but when a
> remote machine tries to reply, the reply gets forwarded to the machine
> behind the firewall, so the connection times out. Since source ports
> are chosen in ascending order, the larger the range forwarded, the
> sooner this condition will happen, and the longer it will last.
>
> For this reason, ipautofw is considered to be deprecated, and ipportfw
> is considered the more useful solution.
Thank you for your assistance; this is good information. Before I saw
it, I figured out how to use ipautofw and set it up. It seems to be
running fine at the moment.
In my situation, the single port number I'm using was assigned by the
IANA to the vendor of the server app I'm running; they claim it's
"unlikely" to cause a conflict.
Under what circumstances (what kinds of apps?) will an application on
the server "choose" a port number in this way? Are they chosen from
65536 possibilities, or only a subset? If the latter, how is the subset
defined?
What happens when it times out? Will it choose another or try again with
the same one?
Basically, what I want to know is: can I live with this or would that be
a really dumb idea?
Kent
--
-----------------------------------------------------------------------
Kent Quirk | CogniToy: Intelligent toys...
Game Designer | for intelligent minds.
[EMAIL PROTECTED] | http://www.cognitoy.com/
_____________________________|_________________________________________
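The source-port collision Fuzzy Fox describes, as an added example that is not part of the thread: a small Python model of ascending ephemeral-port allocation that shows which outbound connections from the firewall would have their replies forwarded away when they overlap an unconditionally forwarded range. The ephemeral range and forwarded ranges are constructed values, and the ascending-with-wraparound allocation is assumed from the post, not measured.

```python
# Added example (not from the original thread): models the conflict between
# a firewall's own outbound source ports and an ipautofw-style unconditional
# forward. Assumes, as the post states, that source ports are handed out in
# ascending order and wrap at the top of the range. Ranges are constructed.

def ephemeral_ports(lo, hi, count):
    """Yield `count` source ports chosen ascending from [lo, hi], wrapping."""
    span = hi - lo + 1
    for i in range(count):
        yield lo + (i % span)

def collision_runs(lo, hi, forwarded, count):
    """Return (first_index, run_length) for each run of consecutive outbound
    connections whose source port lies in a forwarded range; replies to those
    connections would be sent to the internal host and the connection would
    time out, exactly the failure mode described in the post."""
    runs = []
    start = None
    for i, port in enumerate(ephemeral_ports(lo, hi, count)):
        hit = any(flo <= port <= fhi for flo, fhi in forwarded)
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, count - start))
    return runs

def forwarded_overlap(lo, hi, forwarded):
    """Ports that are both unconditionally forwarded and inside the ephemeral
    range: the quick check to run before forwarding a range at all."""
    return sorted(p for flo, fhi in forwarded
                  for p in range(flo, fhi + 1) if lo <= p <= hi)

if __name__ == "__main__":
    EPH_LO, EPH_HI = 1024, 4999          # constructed ephemeral range
    for width in (1, 10, 100):           # wider forward -> longer outage
        fwd = [(2000, 2000 + width - 1)]
        print(width, collision_runs(EPH_LO, EPH_HI, fwd, 8000))
    print(forwarded_overlap(EPH_LO, EPH_HI, [(4990, 5010)]))
```

A forwarded range that lies entirely outside the ephemeral range produces no runs, which is the situation Kent's single IANA-assigned port is in if it sits above the range the kernel allocates from.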