Firewall Wizards mailing list archives
RE: Port funnels?
From: "Stout, Bill" <StoutB () pioneer-standard com>
Date: Wed, 14 Apr 1999 21:35:57 -0400
Thanks for the direct replies. I should've mentioned inetd and portmapper on my original post. I may have my moments, but alzheimers is many decades off yet. In one situation I have an ERP application (JDEdwards) which has a heavy Windows client app. I'd like to use simple port filtering on a semi-private net to limit ports accessed on the server. I've also looked at adding TriStrata (startup of John Atalla) software, which builds application-level security software (VPN, user management, auditing, logging, group management delegation, etc). However the TriStrata software only secures direct application access, and nothing else. So, if there were an application-level 'funnel', which intercepts internal calls to specific ports, listens to incoming traffic from inetd, and funnels that to one port pair (all the while keeping track of proper sessions), now that would be useful. Essentially this would be a built-in application gateway doing port-level NAT through software. Much easier to filter all these non-firewall friendly applications. Sounds odd, but my Packet Throtting post did too. Bill Stout _____ 'Backofficer friendly' alternate names: 'Butt Armour', 'Steel Shorts', 'Chastity belt', 'Rear guard', and 'The Plug'. ;^) -----Original Message----- From: davidg () genmagic com [SMTP:davidg () genmagic com] Sent: Tuesday, April 13, 1999 4:22 PM To: Stout, Bill; firewall-wizards () nfr net Subject: Re: Port funnels? On 12 Apr 99, at 12:42, Stout, Bill wrote: > I'm looking for a server utility that would funnel application ports > onto one port number pair. Any exist? This would greatly simplify > remote access to applications. > > I'm rather unclear on why application vendors do only define the > inbound port, and then use random (or simply different) ports to > reply. I may have missed that day of lecture. Suppose that on host A, we want to open two connections to the same service on host B (perhaps these are telnet sessions for two different users, or perhaps our web browser uses multiple sessions to grab graphics, or ...). There's no gain in forcing these connections to use the same port at our end -- and how do we discriminate which responding traffic belongs to which session????[*] The service daemon (or whatever) on host B will find out, from our connection requests, what port numbers to send responses to. In general, having the protocol specify an originating port number (usually the same as the destination...) makes sense only when the protocol is connectionless (UDP...) AND no host is both a client and a server for this protocol. [A host which is only a client might choose to use the same address for both, but a server cannot require that unless the protocol meets this condition.] [*] This looks like we've got both sessions going to the same port number at host B, but typically it is only the connection request that goes to this port; a new port is allocated for the session, and its number is returned to the client for use throughout the rest of the connection. Going back to your original question, it sounds like you want to run a bunch of different protocols over top of some single protocol; this is commonly done with, for example, PPTP and (far too often!) HTTP. From a firewall perspective, though, this is as much a *problem* as a solution. Do you have a problem that this would solve? Maybe there's a better (or at least, more secure) solution.... David G
Current thread:
- Port funnels? Stout, Bill (Apr 13)
- Re: Port funnels? David Gillett (Apr 14)
- <Possible follow-ups>
- RE: Port funnels? Stout, Bill (Apr 15)
- RE: Port funnels? carson (Apr 15)
- RE: Port funnels? Technical Incursion Countermeasures (Apr 15)
- Tristrata (was RE: Port funnels?) Marcus J. Ranum (Apr 15)
- Re: Tristrata (was RE: Port funnels?) -reply mht (Apr 15)
- Tristrata (was RE: Port funnels?) Marcus J. Ranum (Apr 15)