Kent Quirk <[EMAIL PROTECTED]> wrote:
>
> > [..... ipautofw .....]
> 
> Thank you for your assistance; this is good information. Before I saw
> it, I figured out how to use ipautofw and set it up. It seems to be
> running fine at the moment.

If you're only forwarding one port, you might never see a problem.  :)

> In my situation, the single port number I'm using was assigned by the
> IANA to the vendor of the server app I'm running; they claim it's
> "unlikely" to cause a conflict.

Well, the conflict issue has to do with "source ports", not "destination
ports", which is what your application uses.

> Under what circumstances (what kinds of apps?) will an application on
> the server "choose" a port number in this way?  Are they chosen from
> 65536 possibilities, or only a subset?  If the latter, how is the
> subset defined? 

Well, this is one of those things I'd like to know better.  What I do
know is that any TCP connection must originate from a "source" port, and
point to a "destination" port, which is the port usually defined for a
service.  The source port is generally a random number between 1024 and
(I'm guessing) about 40000, something like that.

The source port isn't really chosen at random; every network connection
that's started uses a port one greater than the previous one did.  Of
course, if a daemon is listening for connections on a particular port,
that port will be skipped, because it's already in use.

The problem with ipautofw is that there isn't really anyone "listening"
on that port that it will forward.  The port will merely be passed
along, forwarded to the machine behind the firewall.  Ipautofw isn't
smart enough to tell the kernel not to use that port for a "source"
port, so if the kernel happens to try it, the resulting connection will
fail, because the kernel will assume that packets can be received on
that source port, but they'll instead get forwarded to a machine that
has no idea what to do with them.

> What happens when it times out? Will it choose another or try again with
> the same one? 

The program attempting the connection will simply time out.  It is up to
that application to decide what to do next.  Maybe it's sendmail trying
to route some mail.  If so, it'll try again later.  Maybe it's someone
trying to telnet out, and they'll just have to try again.  Maybe the DNS
server is trying to get a response from another server.  It's hard to
say.

The main thing is that "ipautofw" doesn't have the smarts to keep the
kernel from using the forwarded port, whereas "ipportfw" does.  If
you're only forwarding a single port, use ipportfw.  It's just as easy
to set up.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/      ||                       -- Charlie Brown
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
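A worked check for the collision described above, added here as an example and not part of the original message or of the ipautofw/ipportfw tools. It does two things: it tests whether a list of forwarded ports lies inside the kernel's ephemeral source-port range, and it simulates the sequential allocator the message describes, showing that a port with a listener is skipped while a merely forwarded port is handed out and the outbound connection from it fails. The ephemeral range is read from /proc/sys/net/ipv4/ip_local_port_range (two integers, low and high), which exists on Linux 2.4 and later; older ipautofw-era kernels have no such file, so the path, the fallback range, the forwarded port 2345 and the net.ipv4.ip_local_reserved_ports hint are all assumptions or constructed sample values, not from the thread.

```python
"""Added example (not from the original post): detect forwarded ports that
collide with the kernel's ephemeral source-port range, and simulate the
sequential source-port allocation described in the message."""

from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumption: Linux 2.4+ layout of the ephemeral range file ("low\thigh\n").
PROC_PORT_RANGE = "/proc/sys/net/ipv4/ip_local_port_range"


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse "32768\t60999\n" into (32768, 60999); reject malformed input."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"expected two integers, got {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port range {low}-{high}")
    return low, high


def read_port_range(path: str = PROC_PORT_RANGE) -> Optional[Tuple[int, int]]:
    """Read the live range; None when the file is absent (non-Linux, old kernel)."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_port_range(fh.read())
    except (OSError, ValueError):
        return None


@dataclass(frozen=True)
class Collision:
    port: int
    low: int
    high: int

    def __str__(self) -> str:
        return f"forwarded port {self.port} lies inside ephemeral range {self.low}-{self.high}"


def find_collisions(forwarded: Iterable[int], low: int, high: int) -> List[Collision]:
    """Forwarded ports that the kernel may also pick as a source port."""
    return [Collision(p, low, high) for p in sorted(set(forwarded)) if low <= p <= high]


def reserved_ports_sysctl(forwarded: Iterable[int]) -> str:
    """Value for net.ipv4.ip_local_reserved_ports (Linux 2.6.35+), which keeps the
    listed ports out of ephemeral allocation without shrinking the whole range.
    Assumption: this sysctl is the modern remedy; it did not exist for ipautofw."""
    return ",".join(str(p) for p in sorted(set(forwarded)))


def simulate_source_ports(low: int, high: int, start: int, listening: Set[int],
                          forwarded: Set[int], n: int) -> List[Tuple[int, str]]:
    """Model the allocator the message describes: each new connection takes the
    next port (wrapping at the top of the range).  A port with a local listener
    is skipped; a port that is only forwarded is NOT skipped, and a connection
    sourced from it is marked "fail" because replies go to the inside host."""
    if len(listening) >= high - low + 1:
        raise ValueError("every port in the range has a listener")
    results: List[Tuple[int, str]] = []
    port = start
    while len(results) < n:
        if port > high:
            port = low
        if port in listening:
            port += 1
            continue
        results.append((port, "fail" if port in forwarded else "ok"))
        port += 1
    return results


if __name__ == "__main__":
    # Constructed sample: one forwarded port, one local daemon, a short range.
    low, high = read_port_range() or (1024, 4999)
    forwarded = {2345}
    for c in find_collisions(forwarded, low, high):
        print(c)
        print("modern workaround: sysctl net.ipv4.ip_local_reserved_ports="
              + reserved_ports_sysctl(forwarded))
    for port, outcome in simulate_source_ports(1024, 4999, 2343, {2344}, forwarded, 3):
        print(f"source port {port}: {outcome}")
```

Run it on the firewall host itself; if the forwarded port falls inside the printed range, the message's failure mode is possible and ipportfw (or, on a modern kernel, the reserved-ports sysctl) is the fix.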