Scott Omar Burch
OK, Now I see what the firewall issues are with Cfengine in our environment
Thu, 24 Jun 2004 15:28:09 -0500
Mozilla Thunderbird 0.5 (X11/20040306)
Based on our firewall policy, which generally is the following:
1) Return traffic from an application is allowed by a rule on a specific
port through a firewall to a machine on the other side of the firewall.
When an application's source port changes at random, that becomes a
serious problem for firewall policy... basically the only way to write a
rule for Cfengine is to allow all ports to talk back to the policy server
sitting on the other side of the firewall.
When simply using snoop to analyze a session between the policy server
and a client, the following is observed (the snoop session is on the client):
1) The client connects from a random source port to port 5308 on the
policy server (this is the problem).
2) The policy server responds from 5308 to the randomly chosen source
port (this is not a problem because we allow all traffic from inside
along the management interface).
So to make Cfengine work we would need a firewall rule that allows all
ports on a particular interface to pass through the firewall to the policy
server. Seems like it wouldn't be too hard to tell cfagent to use a
specific source port rather than randomly choosing a port number (but
I'm probably oversimplifying the situation). I don't believe this is
possible now, but if not, any thoughts on changing that aspect of Cfengine?
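As an added illustration (not code from the post, and not part of cfengine), the following Python script reproduces the two behaviours the snoop trace shows: a client that lets the OS choose an ephemeral source port, and a client that binds a fixed source port before connecting, which is what a port-specific firewall rule would need. The listener is a constructed stand-in for cfservd and uses an OS-assigned port instead of 5308 so the script runs anywhere; the port numbers it returns are the values a packet filter would see in the TCP header.

```python
import socket
import threading
from typing import Optional

# Port cfservd listens on according to the post; the demo listener below
# binds port 0 (OS-assigned) so it never collides with a real service.
CFSERVD_PORT = 5308


def pick_free_port() -> int:
    """Ask the OS for a currently unused local port (constructed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _echo_server(srv: socket.socket, seen: list) -> None:
    """Accept one connection, record the peer (addr, port), echo one message."""
    conn, peer = srv.accept()
    with conn:
        seen.append(peer)
        conn.sendall(conn.recv(64))


def observe_ports(source_port: Optional[int] = None) -> dict:
    """Connect a client to a local listener and report both ends' ports.

    source_port=None  -> the OS picks an ephemeral source port, i.e. the
                         random port the post observed with snoop.
    source_port=N     -> the client binds N first, giving the firewall a
                         fixed source port to match.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # stand-in for cfservd on CFSERVD_PORT
    srv.listen(1)
    server_port = srv.getsockname()[1]
    seen: list = []
    worker = threading.Thread(target=_echo_server, args=(srv, seen))
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if source_port is not None:
        # Binding before connect() pins the source port in every packet
        # the client sends; without this call the kernel chooses one.
        cli.bind(("127.0.0.1", source_port))
    cli.connect(("127.0.0.1", server_port))
    cli.sendall(b"hello\n")
    cli.recv(64)
    client_port = cli.getsockname()[1]
    cli.close()
    worker.join()
    srv.close()
    return {
        "client_port": client_port,        # source port in the client's SYN
        "server_port": server_port,        # destination port (5308 in reality)
        "server_saw_port": seen[0][1],     # port the server replies to
    }


if __name__ == "__main__":
    print("ephemeral:", observe_ports())
    fixed = pick_free_port()
    print("fixed %d:" % fixed, observe_ports(source_port=fixed))
```

Two connections made without a bound source port will normally report different client ports, which is why the post concludes the rule would have to allow every source port. Pinning the source port makes a one-port rule possible, but it also means a host can have only one connection to the server at a time from that port and may hit address-in-use errors while the previous connection sits in TIME_WAIT; a stateful filter that admits established return traffic avoids both problems without changing the client.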