squeezetux wrote:
> Right, so are you saying that a rule like:
>
> RULE  TYPE     SOURCE        PORT ; DESTINATION   PORT
> PASS  TCP/UDP  192.168.X.XX  ALL  ; 192.168.Y.YY  9000, 3483
>
> Basically, any port from the client can contact the destination port on
> LMS. But doesn't this expose the server if someone maliciously hacks my
> piCorePlayer client and attempts to run other programs? Surely by
> restricting the source port you tie it down more? I guess if the source
> port is changing all the time, then you could use an interval for the
> source port (if it's running on intervals I guess ...)? But maybe the
> whole point is to ensure that the clients are secure too by changing
> default passwords, etc.
Client applications call servers on specific ports (e.g. 80 for web). When a client opens a source port to connect to a destination, the OS decides the source port number. The source port is not usually chosen by the application (see https://superuser.com/questions/1118735/how-are-source-ports-determined-and-how-can-i-force-it-to-use-a-specific-port).

Security should be based on the source IP address and not the port number of the source. Even if you only allow a specific source port number, it would not prevent a malicious application from using the port number, and so it is not secure.

LMS was not designed to be securely accessed from outside the local LAN. All devices on the local LAN are assumed to be trusted. If you want an outside device to access LMS, use a VPN.

------------------------------------------------------------------------
bpa's Profile: http://forums.slimdevices.com/member.php?userid=1806
View this thread: http://forums.slimdevices.com/showthread.php?t=109260

Squeezecenter mailing list
http://lists.slimdevices.com/mailman/listinfo/squeezecenter
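The exchange above turns on two facts: the client's OS picks the source port per connection, and a PASS rule should therefore key on the source IP address and the destination port. The following Python script is an added example written for this thread; it is not code from the thread, from LMS or from piCorePlayer. It opens a few TCP connections to a throwaway loopback listener to show the kernel assigning a different ephemeral source port each time, then evaluates constructed connection attempts against two rules: the source-IP based rule squeezetux sketched (any source port, destination 9000/3483) and a variant pinned to one hypothetical source port (40000). The player, LMS and "other host" addresses (192.168.1.20, 192.168.1.10, 192.168.1.99) are constructed sample values, and the rule syntax is a simplified model, not the syntax of any particular firewall.

```python
"""Ephemeral source ports vs. a source-IP based PASS rule (added example)."""
import ipaddress
import socket
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

# Constructed sample addresses for this example (not from the thread).
PLAYER_IP = "192.168.1.20"   # the piCorePlayer client
LMS_IP = "192.168.1.10"      # the LMS host
OTHER_IP = "192.168.1.99"    # an unrelated LAN host
LMS_PORTS = frozenset({9000, 3483})
ANY = None                   # stands for "ALL" in the PORT column


@dataclass(frozen=True)
class Rule:
    """A simplified PASS rule: who may talk to which service."""
    protos: FrozenSet[str]                 # e.g. {"tcp", "udp"}
    src_net: ipaddress.IPv4Network         # allowed source address(es)
    src_ports: Optional[FrozenSet[int]]    # ANY, or a pinned set of ports
    dst_ip: ipaddress.IPv4Address          # the server
    dst_ports: FrozenSet[int]              # the server's service ports


def rule_allows(rule: Rule, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
    """Return True when the 5-tuple matches the PASS rule."""
    if proto not in rule.protos:
        return False
    if ipaddress.ip_address(src_ip) not in rule.src_net:
        return False
    if rule.src_ports is not ANY and src_port not in rule.src_ports:
        return False
    if ipaddress.ip_address(dst_ip) != rule.dst_ip:
        return False
    return dst_port in rule.dst_ports


def ip_based_rule() -> Rule:
    """The rule from the thread: any source port from the player to LMS."""
    return Rule(frozenset({"tcp", "udp"}),
                ipaddress.ip_network(PLAYER_IP + "/32"), ANY,
                ipaddress.ip_address(LMS_IP), LMS_PORTS)


def port_pinned_rule() -> Rule:
    """Variant that additionally pins the source port to a hypothetical 40000."""
    return replace(ip_based_rule(), src_ports=frozenset({40000}))


def observe_source_ports(n: int = 3) -> List[int]:
    """Open n TCP connections to a throwaway loopback listener and return the
    source ports the kernel chose. The client never calls bind(), so each
    source port is an ephemeral one picked by the OS."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick the listener port
    server.listen(n)
    dst_port = server.getsockname()[1]
    clients, accepted, ports = [], [], []
    for _ in range(n):
        c = socket.create_connection(("127.0.0.1", dst_port))
        clients.append(c)                   # keep open so all ports coexist
        ports.append(c.getsockname()[1])
        accepted.append(server.accept()[0])
    for s in clients + accepted + [server]:
        s.close()
    return ports


def check_connections(rule: Rule, src_ports: List[int]) -> List[bool]:
    """Decide one player -> LMS:9000 attempt per observed source port."""
    return [rule_allows(rule, "tcp", PLAYER_IP, p, LMS_IP, 9000) for p in src_ports]


if __name__ == "__main__":
    ports = observe_source_ports()
    print("OS-chosen source ports:", ports)
    print("IP-based rule:  ", check_connections(ip_based_rule(), ports))
    print("Port-pinned rule:", check_connections(port_pinned_rule(), ports))
    print("Other host -> 9000:",
          rule_allows(ip_based_rule(), "tcp", OTHER_IP, ports[0], LMS_IP, 9000))
```

Run it and the IP-based rule admits every connection the player makes while still rejecting the other host and any non-LMS destination port; the port-pinned rule rejects most of the player's own legitimate connections because the kernel rarely hands out the one pinned port, which is the brittleness bpa describes. The pinned rule also buys no safety, since the source port field is under the client's control, so a compromised client is constrained only by the source-IP and destination-port columns.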
