
Re: [cfengine] Re: OK, Now I see what the firewall issues are with Cfeng


From: zawrotny
Subject: Re: [cfengine] Re: OK, Now I see what the firewall issues are with Cfengine in our environment
Date: Thu, 24 Jun 2004 17:01:57 -0400
User-agent: Mutt/1.5.6+20040523i

Scott,

* address@hidden <address@hidden> [040624 20:46]:
> On 24 Jun, Scott Omar Burch wrote:
> > 1) The client connects from a random source port to port 5308 on the 
> > policy server (this is the problem).
> > 2) The policy server responds from 5308 to the randomly chosen source 
> > port (this is not a problem because we allow all traffic from inside 
> > along the management interface).
> > 
> > So to make Cfengine work we would need a firewall rule that allows all 
> > ports on a particular interface to pass through the firewall to the policy 
> > server. 
> 
> is there a reason why you can't just allow random tcp ports from a 
> restricted address range into your firewall? CFservd also has its own
> firewall-like features to eliminate unwanted traffic.
> 
> I don't know if it is possible to fix the sender port in a tcp 
> connection. It seems to me that it is not the port number that
> matters here, but rather the IP source address of the caller.

The policy you are describing translates to firewall pseudo-code
(assuming a stateful firewall setup to allow return packets for
authorized connections):

    allow all on interface iface to policy-srvr

The way I would set up our firewall if I needed to do that would be:

    allow all > 1024 on interface iface to policy-srvr port 5308

In this way it is entirely analogous to the rule that would allow
SMTP connections to/from a mail server:

    allow all > 1024 to mailserver port 25  # incoming
    allow all > 1024 from mailserver to port 25 # outgoing

The gist of it for the policy server is that instead of allowing
a specific port _from_ a machine, allow connections _to_ the specific
port on the firewall.  It's only one hole either way.


Mike

-- 
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University                | email:  address@hidden
Tallahassee, FL 32306-4380              | phone:  (850) 644-0069
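As an added illustration that is not part of the thread, the following Python model contrasts the two rule styles Mike describes (the broad "allow all to policy-srvr" versus "allow all > 1024 to policy-srvr port 5308") in front of a minimal stateful filter that lets the server's replies back out. The policy server address 10.0.0.5 and the 10.0.0.0/24 management network are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example topology (assumptions, not values from the thread).
POLICY_SRVR = ipaddress.ip_address("10.0.0.5")
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")
CFENGINE_PORT = 5308


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a new TCP connection


def on_mgmt_iface(p: Packet) -> bool:
    """Stand-in for 'on interface iface to policy-srvr'."""
    return (ipaddress.ip_address(p.src) in MGMT_NET
            and ipaddress.ip_address(p.dst) == POLICY_SRVR)


def broad_rule(p: Packet) -> bool:
    """'allow all on interface iface to policy-srvr': any destination port."""
    return on_mgmt_iface(p)


def narrow_rule(p: Packet) -> bool:
    """'allow all > 1024 on interface iface to policy-srvr port 5308'."""
    return on_mgmt_iface(p) and p.sport > 1024 and p.dport == CFENGINE_PORT


class StatefulFirewall:
    """Minimal connection tracking: once a SYN is accepted by the rule,
    packets in either direction of that 4-tuple pass without re-checking."""

    def __init__(self, rule):
        self.rule = rule
        self.conns = set()

    def accepts(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return True  # established traffic, including the server's reply
        if p.syn and self.rule(p):
            self.conns.add(fwd)
            return True
        return False


def verdicts(rule, packets):
    """Run a packet sequence through a fresh firewall; one bool per packet."""
    fw = StatefulFirewall(rule)
    return [fw.accepts(p) for p in packets]
```

The narrow rule still admits the cfengine client from any ephemeral source port and lets the 5308 reply return via state, but, unlike the broad rule, it refuses other services on the policy server.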



