On 23-May-2002 at 00:27:11 Jay D. Dyson wrote:

>> My problem is that given that a site has a firewall blocking specific
>> non-privileged ports (e.g. 2222) against all IP traffic (both as a source
>> port or a destination port), if a genuine site tries to e-mail them a
>> message and the sending host selects that port (2222) then the mail
>> message will not be sent.
>
> I can understand blocking the destination port, but the source
> port? Seems futile (and a bit silly) to me. Why the devil would the
> firewall admin configure things that way? Stateful firewalls can handle
> such things quite gracefully.
>

Thanks for the reply. Could you explain a bit further your last statement - in what way would a stateful firewall be better?
The second scenario I am thinking of is when someone does a DNS query, and the name server selects a non-privileged port for the outgoing request to a root or master name server. Okay, this is UDP and in itself not totally reliable, but if the reply comes in to our port 53 from a blocked high-numbered port then, in effect, we will receive no reply. Our name server may well answer the client with the 'no servers available' (or some such) error. Okay, name servers work, I gather, by trying several name servers, not just each one in turn listed in /etc/resolv.conf (or am I wrong; I'll have to check this), but even so it is possible that every reply could be blocked, is it not?

John.

------------------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
PGP key available from public key servers
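To make the difference concrete, here is an added toy model (not code from the thread or from any firewall product) of the two scenarios above: a blanket stateless rule that drops port 2222 as either source or destination, beside a stateful filter that records outbound flows and admits their replies. The stateful policy, the addresses and the packets are all constructed for illustration; it assumes new inbound connections are accepted only to the service ports 25 and 53 and that the source port is never consulted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)
    inbound: bool    # True when the packet arrives from the Internet


BLOCKED_PORT = 2222           # the site's blanket rule from the thread
SERVICE_PORTS = {25, 53}      # assumed: services this site offers to the Internet


def stateless_allow(pkt):
    """The rule the thread describes: drop the packet if 2222 appears as
    source or destination port, regardless of who started the conversation."""
    return BLOCKED_PORT not in (pkt.src[1], pkt.dst[1])


class StatefulFilter:
    """Assumed policy: outbound flows are recorded; an inbound packet is
    allowed if it answers a recorded flow, or if it opens a new flow to a
    service port. The remote side's source port never decides anything."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src, pkt.dst))
            return pkt.dst[1] != BLOCKED_PORT   # destination-port block still applies
        if (pkt.proto, pkt.dst, pkt.src) in self.flows:
            return True                         # reply to a flow we opened
        return pkt.dst[1] in SERVICE_PORTS      # new inbound: service ports only


# Constructed traffic. Scenario 1: a remote MTA happens to pick 2222 as its
# source port when connecting to our SMTP server.
SMTP = [Packet("tcp", ("203.0.113.9", 2222), ("198.51.100.25", 25), True)]
# Scenario 2: our name server sends a query from source port 2222 and the
# remote server's reply is addressed back to that port.
DNS = [Packet("udp", ("198.51.100.53", 2222), ("203.0.113.53", 53), False),
       Packet("udp", ("203.0.113.53", 53), ("198.51.100.53", 2222), True)]


def compare():
    """Returns the per-packet verdict of each filter for both scenarios."""
    sf = StatefulFilter()
    return {"smtp_stateless": [stateless_allow(p) for p in SMTP],
            "smtp_stateful": [sf.allow(p) for p in SMTP],
            "dns_stateless": [stateless_allow(p) for p in DNS],
            "dns_stateful": [sf.allow(p) for p in DNS]}
```

Running `compare()` shows the stateless rule dropping the legitimate SMTP connection and both halves of the DNS exchange, while the stateful filter admits all of them without needing any source-port rule at all.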
