On Mon, Jan 26, 2004 at 17:12 -0000, James Yonan wrote:
> Stefan `Sec` Zehl <sec+ovpn@xxxxxx> said:
>
> > OpenVPN-client connects server on Well Known port (e.g. 5000).
> > A 'broker'-type daemon listens on 5000 and forks off a new OpenVPN server,
> > which listens on a new (unused, random-numbered) udp socket (e.g.
> > 42192) and replies to client to use that port instead.
> >
> > All further communication with this single client goes via that port
> > now, and the broker daemon can still listen on port 5000.
>
> The problem with this is that the port change semantics will surprise the
> firewall, and therefore require static rules to allow the range of UDP ports
> on the server side to be used as dynamic ports.
Are you sure?
Maybe I was unclear in the description. Of course the broker daemon
needs to send the answer-packet containing the new port number.
Then, from the perspective of the firewall, it looks like two different,
normal UDP connections, which are initiated by the OpenVPN client.
(granted: the first one is a bit short :-)
Some care must be taken with the implementation so that the server isn't
easily DoSable, but other than that, I don't see a problem.
CU,
Sec
--
For the other problem, the one involving fumbling fingers driven by fading
grey cells, I recommend deep hypnosis and a cold shower. -- Wietse
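The broker exchange Sec describes, as an added example on loopback (not code from this thread or from OpenVPN): the `HELLO` message, the two-byte big-endian port reply and the `MAX_SESSIONS` cap are assumptions made here to show the redirect and the DoS bound.

```python
import socket
import struct

HELLO = b"HELLO"      # constructed handshake message (assumption, not an OpenVPN frame)
MAX_SESSIONS = 64     # cap on forked per-client sockets: bounds what a flood can allocate


def start_broker(host="127.0.0.1", port=0):
    """Bind the 'well known' broker socket (port 0 lets the OS pick one for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    return s


def broker_handle_one(broker, sessions):
    """Serve one datagram: on a valid HELLO, open a fresh OS-chosen UDP port for this
    client and tell the client its number. Returns the new socket, or None if refused."""
    data, peer = broker.recvfrom(64)
    if data != HELLO or len(sessions) >= MAX_SESSIONS:
        return None   # drop silently: nothing is allocated for junk or excess requests
    per_client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    per_client.bind((broker.getsockname()[0], 0))          # 0 = unused random port
    sessions[peer] = per_client
    broker.sendto(struct.pack("!H", per_client.getsockname()[1]), peer)
    return per_client


def run_demo():
    """Whole exchange on loopback. Returns (broker_port, new_port, payload_seen)."""
    broker, sessions = start_broker(), {}
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    # "connection" 1 as the firewall sees it: client -> well-known port
    client.sendto(HELLO, broker.getsockname())
    per_client = broker_handle_one(broker, sessions)
    (new_port,) = struct.unpack("!H", client.recvfrom(2)[0])
    # "connection" 2: same client socket -> the redirected port, still client-initiated
    client.sendto(b"data", (broker.getsockname()[0], new_port))
    payload, _ = per_client.recvfrom(64)
    for s in (client, per_client, broker):
        s.close()
    return broker.getsockname()[1] if False else sessions and new_port and (new_port, payload)


def refused_demo():
    """A junk first packet must not cost the broker a socket. Returns the handler result."""
    broker, sessions = start_broker(), {}
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.sendto(b"JUNK", broker.getsockname())
    result = broker_handle_one(broker, sessions)
    probe.close(); broker.close()
    return result, len(sessions)
```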