[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cfengine] Re: OK, Now I see what the firewall issues are with Cfeng
Re: [cfengine] Re: OK, Now I see what the firewall issues are with Cfengine in our environment
Thu, 24 Jun 2004 17:01:57 -0400
* address@hidden <address@hidden> [040624 20:46]:
> On 24 Jun, Scott Omar Burch wrote:
> > 1) The client connects from a random source port to port 5308 on the
> > policy server (this is the problem).
> > 2) The policy server responds from 5308 to the randomly chosen source
> > port (this is not a problem because we allow all traffic from inside
> > along the management interface.).
> > So to make Cfengine work we would need a firewall rule that allows all
> > ports on particular interface to pass through the firewall to the policy
> > server.
> is there a reason why you can't just allow random tcp ports from a
> restricted address range into your firewall? CFservd also has its own
> firewall-like features to eliminate unwanted traffic.
> I don't know if it is possible to fix the sender port in a tcp
> connection. It seems to me that it is not the port number that
> matters here, but rather the IP source address of the caller.
The policy you are describing translates to firewall pseudo-code
(assuming a stateful firewall setup to allow return packets for
allow all on interface iface to policy-srvr
The way I would set up our firewall if I needed to do that would be:
allow all > 1024 on interface iface to policy-srvr port 5308
In this way it is entirely analogous to the rule that would allow
SMTP connections to/from a mail server:
allow all > 1024 to mailserver port 25 # incoming
allow all > 1024 from mailserver to port 25 # outgoing
The gist of it for the policy server is that instead of allowing
a specific port _from_ a machine, allow connections _to_ the specific
port on the firewall. It's only one hole either way.
Institute of Molecular Biophysics
Florida State University | email: address@hidden
Tallahassee, FL 32306-4380 | phone: (850) 644-0069