[Courses] [Security] Firewall theory -- UDP
Raven, corporate courtesan
raven at oneeyedcrow.net
Fri Mar 15 14:33:40 EST 2002
Heya --

Quoth hobbit at aloss.ukuu.org.uk (Wed, Mar 13, 2002 at 08:04:47PM +0000):
> Our firewall drops UDP. All of it. There is some complicated thing
> to do with letting DNS queries work. It can be done, but I'd have
> to go and investigate to find out how. For all I know, it was
> "ask person who runs nameserver to do TCP too".

Heh. I'd actually love to know how that works. I can't think
of any way to get it done without either controlling and custom-hacking
your external nameserver, or accepting some UDP.

[runs off and asks her local nameserver expert to see if she can
think of any other way it could be done]

Is it allowing replies to particular UDP queries, but nothing
else? If not, I am well and truly stumped. (And therefore, intrigued.
[grin])

> Other things dropping UDP gives (or loses) you:
> * Need to use something called "passive mode" in ftp.

That's probably more not wanting to allow the high-numbered
ports from the server connecting inwards, as explained in the FTP
firewalling mail.

> * /dcc doesn't work in IRC.
> * Lots of the IM clients don't work.
> * Networked quake won't work (there's a complicated HOWTO
> about this).
> * Can't use ntp (network time protocol) to get precise time
> from other machines.

That's all UDP. I really wish someone would code a good secure
replacement for NTP. [puts it on her to-do list for when she's a good
programmer]

> I manage quite happily with all this, but none of these were things
> I used, except ftp. And most intelligent ftp clients understand
> passive mode anyway.

Yeah, even the HTML development ones do. The only one I can
think of off the top of my head that doesn't is Solaris's command-line
FTP.

Cheers,
Raven

"Sed, sed, awk. Like duck, duck, goose. Sync, sync, halt. It's the
order of nature."
-- me, after too long a day at work
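One way to get the "allow replies to particular UDP queries, but nothing else" behaviour Raven asks about is a stateful filter that remembers each outbound DNS query and lets exactly one matching reply back in. The model below is an added example written for this page, not code from the original mail; the addresses, ports, transaction ids and the 5-second timeout are all constructed.

```python
"""Model of a firewall that drops all UDP except replies to DNS queries.

Each outbound query to port 53 opens a short-lived entry keyed on
(client, client port, resolver, DNS transaction id). Exactly one inbound
datagram that matches the key is accepted before the entry expires;
every other UDP datagram, in either direction, is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int  # DNS transaction id; 0 for non-DNS traffic


class UdpDnsFilter:
    def __init__(self, timeout=5.0):  # timeout value is a constructed choice
        self.timeout = timeout
        self._pending = {}  # (client, cport, resolver, txid) -> expiry time

    def _expire(self, now):
        self._pending = {k: t for k, t in self._pending.items() if t > now}

    def outbound(self, d, now):
        """Decide on a UDP datagram leaving the protected network."""
        self._expire(now)
        if d.dport != 53:
            return "DROP"  # NTP, Quake, DCC, IM: all UDP, all dropped
        self._pending[(d.src, d.sport, d.dst, d.txid)] = now + self.timeout
        return "ACCEPT"

    def inbound(self, d, now):
        """Decide on a UDP datagram entering the protected network."""
        self._expire(now)
        key = (d.dst, d.dport, d.src, d.txid)
        if d.sport == 53 and key in self._pending:
            del self._pending[key]  # one reply per query; a second is dropped
            return "ACCEPT"
        return "DROP"  # unsolicited, wrong resolver, wrong id, or too late


def demo():
    """Run constructed traffic through the filter and return the verdicts."""
    f, client, ns = UdpDnsFilter(), "10.0.0.5", "192.0.2.53"
    return [
        f.outbound(Datagram(client, 40001, ns, 53, 0x1A2B), 0.0),       # query
        f.inbound(Datagram(ns, 53, client, 40001, 0x1A2B), 0.1),        # its reply
        f.inbound(Datagram(ns, 53, client, 40001, 0x1A2B), 0.2),        # duplicate
        f.inbound(Datagram("198.51.100.9", 53, client, 40001, 0x1A2B), 0.3),
        f.outbound(Datagram(client, 123, "192.0.2.1", 123, 0), 0.4),    # NTP
        f.outbound(Datagram(client, 40002, ns, 53, 0x7777), 0.5),       # query
        f.inbound(Datagram(ns, 53, client, 40002, 0x7777), 10.0),       # expired
    ]
```

Replies flagged truncated by the resolver would still need port 53 over TCP, which this filter deliberately leaves to the TCP rules.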