Peter Leinen wrote:
> On Sunday 03 June 2007 22:06, Klaus Thielking-Riechert wrote:
>
> One more question: Which ports are used on the client side? I always see port
> numbers above 60000, like 61300, which also change with each connection
> request.
>
If the --port and --lport options are not used in the client
configuration, or if --nobind is specified, the client will allocate a
dynamically chosen high-range port number as the source port for the
packets, and this port will be re-allocated for each connection
attempt. This is how most client-server applications operate, since the
client doesn't usually need to be communicating from a specific source
port. When a packet is sent out through a stateful firewall, the
firewall keeps track of which outbound connections have seen replies
from the server on the same IP/ports used and will normally let replies
through as long as the connection is still active. What exactly
"active" means will vary between firewall devices, but normally
using OpenVPN's --ping option (or the --keepalive helper directive) will
keep a firewall rule open.
--
Josh
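The two client-side source-port behaviours described in the reply, side by side in an OpenVPN client configuration. This is an added illustration, not a config posted in the thread; the server name, port number, credential file paths and timer values are placeholders chosen for the example.

```conf
# Added example: OpenVPN client config contrasting the source-port options
# discussed above. All hostnames, paths and numbers are placeholders.
client
dev tun
proto udp
remote vpn.example.com 1194   # placeholder server and port

# Option A (the default most clients want): let the OS pick an ephemeral
# high-range source port for every connection attempt. This is what
# produces the 6xxxx ports seen in the question. The stateful firewall
# in front of the client creates a state entry for <src-ip:ephemeral> ->
# <server-ip:1194> and lets replies back only while that entry is alive.
nobind

# Option B (commented out): bind to a fixed local source port instead.
# Only needed when an upstream firewall or NAT must see a known source
# port; the port must be free on the client, and --nobind must be omitted.
#lport 1194

# Keep the firewall state entry "active" even when the tunnel is idle.
# On the client, "keepalive 10 60" expands to "ping 10" (send a keepalive
# every 10 s) and "ping-restart 60" (reconnect if nothing is heard for
# 60 s). Pick the ping interval below the firewall's UDP idle timeout;
# many devices expire idle UDP state in well under a minute.
keepalive 10 60

# Survive a restart of the tunnel (e.g. after ping-restart) without
# re-reading keys or re-creating the tun device.
persist-key
persist-tun

# Placeholder credential paths; replace with the real files.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
```

With option A, the changing ports seen in the question are expected and harmless: each reconnect creates a fresh firewall state entry, and the server only ever needs to be reachable on its own fixed port. The reply traffic from the server is matched by the firewall against the outbound state, not against any inbound rule, so the keepalive interval is what decides whether that state survives idle periods.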