Re: OK, Now I see what the firewall issues are with Cfengine in our envi

help-cfengine

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OK, Now I see what the firewall issues are with Cfengine in our envi

From:	Mark . Burgess
Subject:	Re: OK, Now I see what the firewall issues are with Cfengine in our environment
Date:	Thu, 24 Jun 2004 22:40:12 +0200 (MEST)


On 24 Jun, Scott Omar Burch wrote:
> OK,
> 
> Based on our firewall policy which generally is the following:
> 
> 1) Return traffic from an application is allowed by a rule on a specific 
> port through a firewall to a machine on the other side of the firewall. 
> When an applications source port changes at random then that becomes a 
> serious problem for firewall policy...basically the only way to write a 
> rule for Cfengine is allow all ports to talk back to the policy server 
> sitting on the other side of the firewall.
> 
> When using simply snoop to analyze a session between the policy server 
> and a client the following is observed (the snoop session is on the client).
> 
> 1) The client connects from a random source port to port 5308 on the 
> policy server (this is the problem).
> 2) The policy server responds from 5308 to the randomly chosen source 
> port (this is not a problem because we allow all traffic from inside 
> along the management interface.).
> 
> So to make Cfengine work we would need a firewall rule that allows all 
> ports on particular interface to pass through the firewall to the policy 
> server. Seems like it wouldn't be to hard to tell cfagent to use a 
> specific source port rather than randomly choosing a port number (but 
> I'm probably oversimplifying the situation). I don't believe this is 
> possible now, but if not any thoughts on changing that aspect of Cfengine?


Scott, 

is there a reason why you can't just allow random tcp ports from a 
restricted address range into your firewall? CFservd also has its own
firewall-like features to eliminate unwanted traffic.

I don't know if it is possible to fix the sender port in a tcp 
connection. It seems to me that it is not the port number that
matters here, but rather the IP source address of the caller.

Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Prev in Thread]

Current Thread

[Next in Thread]

OK, Now I see what the firewall issues are with Cfengine in our environment, Scott Omar Burch, 2004/06/24
- Re: OK, Now I see what the firewall issues are with Cfengine in our environment, Mark . Burgess <=
  - Re: [cfengine] Re: OK, Now I see what the firewall issues are with Cfengine in our environment, zawrotny, 2004/06/24
  - Re: OK, Now I see what the firewall issues are with Cfengine in our environment, Jamie Wilkinson, 2004/06/24
- Re: OK, Now I see what the firewall issues are with Cfengine in our environment, Tim Nelson, 2004/06/24
- RE: OK, Now I see what the firewall issues are with Cfengine in our environment, Bill.Hall, 2004/06/24

Prev by Date: Friendstatus and peer to peer monitoring
Next by Date: Re: Friendstatus and peer to peer monitoring
Previous by thread: OK, Now I see what the firewall issues are with Cfengine in our environment
Next by thread: Re: [cfengine] Re: OK, Now I see what the firewall issues are with Cfengine in our environment
Index(es):
- Date
- Thread