From: "Patrick M. Hausen"
Message-Id: <200302281442.h1SEg0RV042490@hugo10.ka.punkt.de>
Subject: Re: problems with getting through firewall using CVSup
In-Reply-To: <20030228143100.GC424@freebsd.org.ru>
To: osa@freebsd.org.ru
Date: Fri, 28 Feb 2003 15:42:00 +0100 (CET)
Cc: Igor Pokrovsky, stable@FreeBSD.ORG

Hi!

Sergey Osokin wrote:

> > Is there any way to make it work?
> > To fool firewall?
>
> Yes, looks like a bad/fool/stupid firewall administriva.

No. This looks exactly like the correct way to implement a firewall.
Everything which is not on the "explicitly permitted" list is denied
by default.

So users trying new and "interesting" protocols and services have to
check if what they are trying to do is in accordance with the security
policy first.

I know, there are lots of companies that permit any inside initiated
TCP connection. I'd call this stupid if not explicitly decided upon
and documented.

And last - maybe they are running a strict application level gateway
like Gauntlet or Sidewinder? If this is the case the admin must define
a custom TCP proxy for CVSup, first.

Regards,

Patrick M. Hausen
Technical Director
--
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de