Firewall Wizards mailing list archives
Re: Port funnels?
From: davidg () genmagic com (David Gillett)
Date: Tue, 13 Apr 1999 15:22:20 -0800
On 12 Apr 99, at 12:42, Stout, Bill wrote:
> I'm looking for a server utility that would funnel application ports onto one port number pair. Any exist? This would greatly simplify remote access to applications. I'm rather unclear on why application vendors do only define the inbound port, and then use random (or simply different) ports to reply. I may have missed that day of lecture.
Suppose that on host A, we want to open two connections to the same service on host B (perhaps these are telnet sessions for two different users, or perhaps our web browser uses multiple sessions to grab graphics, or ...). There's no gain in forcing these connections to use the same port at our end -- and how do we discriminate which responding traffic belongs to which session????[*] The service daemon (or whatever) on host B will find out, from our connection requests, what port numbers to send responses to.

In general, having the protocol specify an originating port number (usually the same as the destination...) makes sense only when the protocol is connectionless (UDP...) AND no host is both a client and a server for this protocol. [A host which is only a client might choose to use the same address for both, but a server cannot require that unless the protocol meets this condition.]

[*] This looks like we've got both sessions going to the same port number at host B, but typically it is only the connection request that goes to this port; a new port is allocated for the session, and its number is returned to the client for use throughout the rest of the connection.

Going back to your original question, it sounds like you want to run a bunch of different protocols over top of some single protocol; this is commonly done with, for example, PPTP and (far too often!) HTTP.

From a firewall perspective, though, this is as much a *problem* as a solution. Do you have a problem that this would solve? Maybe there's a better (or at least, more secure) solution....

David G
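The session-discrimination point above, as an added example that is not part of the original post: a minimal stateful flow table of the kind a connection-tracking firewall keeps, learning each client's ephemeral source port from its connection request and matching replies to sessions by the full 4-tuple. Hosts, ports and packets are constructed; the labels "user1"/"user2" are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (client addr, client port, server addr, server port) identifies one session.
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the connection request


class FlowTable:
    """Learns client source ports from outbound SYNs and matches replies to them."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}

    def outbound(self, pkt: Packet, label: str) -> FlowKey:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:
            self.flows[key] = label  # session announced by its connection request
        elif key not in self.flows:
            raise ValueError(f"outbound data for unknown session {key}")
        return key

    def match_reply(self, pkt: Packet) -> Optional[str]:
        # A reply is the mirror image of the outbound 4-tuple; anything that
        # does not mirror a known session is unsolicited and gets dropped.
        return self.flows.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))


def demo(same_source_port: bool = False) -> dict:
    # Constructed hosts A (client) and B (server); two telnet sessions to B:23.
    a, b = "10.0.0.5", "192.0.2.10"
    second_port = 40001 if same_source_port else 40002
    table = FlowTable()
    table.outbound(Packet(a, 40001, b, 23, syn=True), "user1")
    table.outbound(Packet(a, second_port, b, 23, syn=True), "user2")
    return {
        "sessions": len(table.flows),  # forcing one source port collapses them to 1
        "reply_to_40001": table.match_reply(Packet(b, 23, a, 40001)),
        "reply_to_40002": table.match_reply(Packet(b, 23, a, 40002)),
        "unsolicited": table.match_reply(Packet(b, 23, a, 40003)),
    }
```

With distinct ephemeral ports the two sessions are kept apart and only replies that mirror a learned 4-tuple pass; with `same_source_port=True` the second request overwrites the first, which is why a server cannot demand a fixed originating port for a connection-oriented protocol.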