Firewall rules

Vernon Schryver vjs@calcite.rhyolite.com
Thu Sep 16 13:07:11 UTC 2004


> From: "Alan Munday" 

> > through: "Allow 
> > udp FROM port <whatever) on the client to port <whatever> on the 
> > server." Leave it up to the user to figure out how to do it 
> > with their 
> > specific firewall, or ask help from someone who understands it. That 
> > probably frees you from the entire liability concern in the 1st place.
>
> I agree with this approach as I see people referring to their firewalls
> which upon examination turn out to be anything from routers with a few
> firewall capabilities (control over one direction of traffic), to routers
> with simple firewall implementations (bi-directional control, but limited
> function) to dedicated firewall products (which also vary greatly in
> function). Another consideration being that across these product ranges the
> implementation logic can be quite different, which makes the task of
> describing how to implement more difficult. Lastly different organisations
> do have different approaches as to how they wish there firewalls to be
> set-up which you would not be able to second guess.

I cannot follow that approach.  I could be wrong, but I doubt I
need to worry about "liability concerns" for publishing
http://www.rhyolite.com/anti-spam/dcc/firewall.html
I do not intend to get into the security consultant business or the
security consultant advertising, referral, or recommending businesses.
Going into any of those business could expose me to real "liability
concerns."

I know that telling people "do whatever you do for DNS except for port
6277 instead of 53" simply does not work in a large minority and perhaps
a majority of installations of DCC servers or DCC clients.  I also
tried describing the DCC traffic and expecting people to figure out
what they need to do, but found that simply does not work most people.
That set of Cisco rules seems to have helped even for many sites that
have no Cisco equipment.


Vernon Schryver    vjs@rhyolite.com



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.