I doubt razor will fail, but it won't likely work as well as it should.

As far as security goes, I think you're over-stating the problem. (Yes, I will take the stand that I do know my hind-end from a hole in the wall on this topic, although I'm not an industry expert.)

You can't be part of a loop if nobody can connect to these daemons on your servers.

You can prevent local users from creating loops between pairs of outside servers by filtering all outbound packets with spoofed source IPs.

This is clearly client traffic to these daemons on outside servers from valid, unprivileged local ports on your servers. It's harmless, get over it and restructure your rules.

At 03:03 PM 10/21/2002 -0500, [EMAIL PROTECTED] wrote:
This is a bad choice for a port IMHO.  Frankly every firewall I set up
(and have seen up close) blocks tcp/udp 1-19.  Those services have no
purpose on the Internet at large IMHO.  They are plagued with security
issues and under-maintained source projects.

I wonder if Razor will fail if tcp/7 is blocked.  The box I'm testing SA
on (with Razor) isn't yet behind a firewall.

Justin

On Mon, 21 Oct 2002, Matt Kettler wrote:

> Quote from razor-users:
> --------------
> razor-agents use TCP port 7 (TCP echo) to determine what servers are
> closest to it.
>
> cheers,
> vipul.
> ----------------
>
> Razor2 also generates outbound TCP traffic to port 2703 on the razor
> servers. Razor 1 uses 2702 if I recall correctly.
>
> At 02:06 PM 10/21/2002 -0400, [EMAIL PROTECTED] wrote:
> >I am getting hits on my firewall showing outbound packets with destination
> >port 7. Is it possible that Razor is doing this? If so, is it at all
> >documented just what ports are required to be left open in order to
> >successfully run SA/Razor?
> >
> >Here are (some of) my hits:

<snip>


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
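
The rule restructuring argued for in the reply at the top of this thread, modelled as a small classifier over firewall hits. This is an added example, not part of the original messages or of Razor: the log line format, the `LOCAL_NET` block, the verdict names and the sample hits are all constructed for illustration; only the port numbers (7, 2703, 1-19) come from the thread.

```python
import ipaddress
from typing import NamedTuple

# Assumptions (constructed for this example, not from the thread):
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # the site's own address block
SMALL_SERVICES = range(1, 20)                     # tcp/udp 1-19, as blocked in the thread
RAZOR_TCP_PORTS = {7, 2703}                       # echo probe and Razor2 port, per the thread

class Hit(NamedTuple):
    direction: str   # "IN" or "OUT" relative to the local network
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int

def parse_hit(line: str) -> Hit:
    """Parse a constructed log format: 'OUT TCP 192.0.2.10:34567 -> 198.51.100.5:7'."""
    direction, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Hit(direction, proto.lower(), ipaddress.ip_address(sip), int(sport),
               ipaddress.ip_address(dip), int(dport))

def verdict(hit: Hit) -> str:
    if hit.direction == "OUT":
        # Egress anti-spoofing: nothing leaves with a source address we do not own.
        if hit.src not in LOCAL_NET:
            return "drop-spoofed-source"
        # Client flow from an unprivileged local port to the Razor ports.
        if hit.proto == "tcp" and hit.dport in RAZOR_TCP_PORTS and hit.sport >= 1024:
            return "allow-razor-client"
    # Anything else aimed at the small services stays blocked, in either direction.
    if hit.dport in SMALL_SERVICES:
        return "drop-small-service"
    return "default-policy"

SAMPLE_HITS = [  # constructed, documentation address ranges only
    "OUT TCP 192.0.2.10:34567 -> 198.51.100.5:7",
    "OUT TCP 192.0.2.10:34568 -> 198.51.100.5:2703",
    "OUT UDP 203.0.113.9:7 -> 198.51.100.5:19",
    "IN TCP 198.51.100.77:40000 -> 192.0.2.10:7",
    "OUT UDP 192.0.2.10:7 -> 198.51.100.5:19",
]

if __name__ == "__main__":
    for line in SAMPLE_HITS:
        print(f"{verdict(parse_hit(line)):22} {line}")
```

Hits that return `default-policy`, such as the echo replies coming back to the unprivileged local port, are left to whatever the rest of the ruleset (for instance stateful tracking) decides.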