Frode Hauge <[EMAIL PROTECTED]> wrote:
>
> I'm at a loss here..  Could somebody bother explaining to me exactly
> what is so bad about ipautofw?

I think the problem is that it gets misused so frequently.  Many people
have it forwarding an entire range of ports (like 4000-5000) because
some protocol makes use of ports in that range.  What they don't
realize, though, is that ports are used for outgoing connections, just
as well as incoming connections.

The source port is chosen sequentially, starting from some small number,
say, 1000 or so (just guessing).  Then, as more and more connections are
opened and closed, the source port number will move steadily toward that
range that autofw is using, and when it hits 4000 (in the above
example), connections will stop working, because ipautofw will forward
them to another box instead of letting the return packets reach the
originator on the masq box.  This continues until either someone
complains, or the originating port is chosen to be a number above 5000,
at which point things "just start working" again.

This could be seen to be a defect in ipautofw, where the kernel should
"know" not to use those ports for outgoing connections, but that's where
the "lack of maintenance" of ipautofw comes into play...

So, if you use ipautofw as it was intended, to only forward a couple of
ports, rather than a wide range, you will probably not notice much of a
problem.


While we're on the subject, how does one configure ipportfw to forward
all of its packets to "the last machine to send out a request," which is
what ipautofw is all about?  Everybody keeps touting ipportfw as this
wonderful thing, and yet, I don't see how to do this thing.

Suppose I have three boxes behind the firewall, and I want X traffic
(on port 6000) to get forwarded to whoever happens to telnet out to a
machine on the open net?  Ipautofw does this beautifully.  Why can't
ipportfw do this?  If it could, then ipautofw could just go away.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      ||   "Her lips said 'No,' but her
sometimes known as David DeSimone  ||    eyes said 'Read my lips!'"
  http://www.dallas.net/~fox/      ||
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
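The port-collision mechanism described in the message above, as a small model added here; this is not code from the poster, from ipautofw or from ipportfw. It assumes a masquerading box that hands out outgoing source ports sequentially from 1000 (the message's guess) and that checks an ipautofw-style range rule before its own masquerade table when a packet arrives from the outside. The inside addresses, the starting port and the 4000-5000 range are constructed values, and the `skip_forwarded` allocator is the "kernel should know" fix the message wishes for, written out so the two behaviours can be compared.

```python
"""Model of the ipautofw port-range collision described in the message above.

Constructed example: a masquerading box that (1) allocates outgoing source
ports sequentially and (2) applies an ipautofw-style range rule before its
masquerade table when an inbound packet arrives.  Host addresses, the starting
port, and the range bounds are all made-up values for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int, str]  # (low port, high port, inside host that receives the range)


@dataclass
class MasqBox:
    autofw_ranges: List[Range]
    first_port: int = 1000        # the message guesses "1000 or so"
    last_port: int = 65535
    skip_forwarded: bool = False  # the fix the message says the kernel "should know" to apply
    next_port: int = field(init=False)
    table: Dict[int, str] = field(default_factory=dict)  # masq port -> originating inside host

    def __post_init__(self) -> None:
        self.next_port = self.first_port

    def forwarded_to(self, port: int) -> Optional[str]:
        """Return the inside host an autofw rule would hand this port to, if any."""
        for low, high, host in self.autofw_ranges:
            if low <= port <= high:
                return host
        return None

    def open_outbound(self, inside_host: str) -> int:
        """Allocate the next sequential source port for an outgoing connection."""
        while True:
            port = self.next_port
            self.next_port = port + 1 if port < self.last_port else self.first_port
            if self.skip_forwarded and self.forwarded_to(port) is not None:
                continue  # hardened allocator: never masquerade onto a forwarded port
            self.table[port] = inside_host
            return port

    def close_outbound(self, port: int) -> None:
        self.table.pop(port, None)

    def route_inbound(self, dst_port: int) -> Optional[str]:
        """Where a packet arriving from the outside is delivered.

        The autofw range rule is consulted first, so a return packet for a
        masqueraded connection whose port fell inside the range goes to the
        autofw target instead of the originator.  That ordering is the defect
        being modelled.
        """
        target = self.forwarded_to(dst_port)
        if target is not None:
            return target
        return self.table.get(dst_port)


def simulate(n_connections: int, ranges: List[Range], skip_forwarded: bool = False,
             first_port: int = 1000) -> Dict[str, Optional[int]]:
    """Open n short-lived outbound connections from three inside hosts and count
    how many have their return traffic misdelivered."""
    box = MasqBox(ranges, first_port=first_port, skip_forwarded=skip_forwarded)
    broken = 0
    first_failure: Optional[int] = None
    for i in range(n_connections):
        origin = f"192.168.1.{2 + i % 3}"  # three boxes behind the firewall
        port = box.open_outbound(origin)
        if box.route_inbound(port) != origin:
            broken += 1
            if first_failure is None:
                first_failure = i
        box.close_outbound(port)
    return {"broken": broken, "first_failure": first_failure}


if __name__ == "__main__":
    wide = [(4000, 5000, "192.168.1.10")]   # the message's 4000-5000 example
    print("wide range, sequential ports :", simulate(5000, wide))
    print("wide range, allocator skips it:", simulate(5000, wide, skip_forwarded=True))
    print("one port only (6000)         :", simulate(5000, [(6000, 6000, "192.168.1.10")]))
```

Running it shows the pattern the message describes: the first few thousand connections work, everything breaks once the allocator reaches 4000, and it recovers above 5000. Forwarding a single port, or making the allocator skip the forwarded range, both drive the failure count to zero; under this model the first is what a careful ipautofw user can do today, the second is the kernel-side change the message says never got maintained.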