I'm trying to poke a hole through a firewall to allow Turnpike to be
used. Ethereal shows TCP port 7753 as the destination for the
authentication but the source port changes every time I ask Turnpike to
connect.
--
Clint
AFAIK
POP3 includes authentication on the port 110 conversation.
NNTP for Demon is authenticated based on your IP address, and I assume
all to destination port 119.
> I'm trying to poke a hole through a firewall to allow Turnpike to be
> used. Ethereal shows TCP port 7753 as the destination for the
> authentication but the source port changes every time I ask Turnpike to
> connect.
No idea what port 7753 is, but I'm not reading this in the Turnpike
group. Where is it trying to contact?
Using a "random" source port (above 1023) is normal IP behaviour. Only
weird things like old BIND servers, and Unix print servers use the same
source port as destination port.
I could also ditch Turnpike and use one of the other (non-MS) news/mail
readers, it's just another little quirk that makes my life more
difficult than it should be.
--
Clint
>Kind of makes it awkward to lock down outgoing traffic if it uses a
>different port every time.
http://www.google.co.uk/groups?selm=8zGMaiBbYlb2EAcE%40turnpike.com
suggests that you may need to enable ports 7750, 7753 and 7758.
--
Paul Terry
You're not paranoid, at least not in this regard.
Many people regard the "right" way to firewall a network as being to inspect
the packets, or proxy the connection, to ensure that port 80 traffic
really is HTTP, and not just someone taking advantage of the hole in the
firewall to tunnel secrets out, or nasties in.
Similarly you can get personal firewall software for MS Windows that
will only allow 'approved' software to make specific outgoing
connections, e.g.:
Outlook allowed to send to port 25 at "post" and port 110 at "pop3".
Internet Explorer allowed to send to port 80 anywhere.
Whether such an approach will survive the development, and integration
of desktop software is unclear.
I don't have hands-on experience with these types of personal firewall
products, but the idea makes a lot of sense if you are concerned about
the consequences of malware infestation, and not just avoiding it in the
first place. My concern is the average user probably wouldn't know when
to say "No" to the helpful pop-up messages, and there may be better ways
of securing computers.
>Outlook allowed to send to port 25 at "post" and port 110 at "pop3".
>Internet Explorer allowed to send to port 80 anywhere.
>
>Whether such an approach will survive the development, and integration
>of desktop software is unclear.
One of the reasons for wanting something away from the desktop
environment. Smoothwall or IP cop look promising as well, but my space
is limited, I might have to move into the loft!
>
>I don't have hands on experience with these types of personal firewall
>products, but the idea makes a lot of sense if you are concerned about
>the consequences of malware infestation, and not just avoiding it in the
>first place.
Well, locking down outgoing ports to the standard mail/news/web stuff
should stop most of it, I'd like to think that my AV stuff would catch
any 'nasties' and I regularly scan for adware.
> My concern is the average user probably wouldn't know when
>to say "No" to the helpful pop-up messages, and there may be better ways
>of securing computers.
I know when to say no, but it's all too easy to click the wrong button.
Thanks to all who replied. I've achieved what I wanted: I now have a
completely 'stealthed' net connection with all the important stuff
running. Quite interesting to monitor the connection (using Kiwi Syslog
Daemon) and see what traffic hits the firewall.
TP appears to work with just ports 7753 and 7758 allowed to make outgoing
connections to a strictly limited range of IP addresses.
--
Clint
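The egress policy the thread settles on, written up as an added Python check (not code from the thread or from Turnpike) and run over constructed firewall log lines: rules key on destination port and destination address, never on the ephemeral source port. The 192.0.2.0/24 range is a placeholder for the "strictly limited range" of server addresses the thread does not name.

```python
import ipaddress
import re

# Egress policy modelled on the thread: standard mail/news/web ports may go
# anywhere; the Turnpike ports only to a limited address range (192.0.2.0/24
# is a constructed placeholder). Source port is deliberately not a criterion.
EGRESS_POLICY = [
    # (permitted destination ports, permitted destination network)
    ({25, 110, 119, 80}, ipaddress.ip_network("0.0.0.0/0")),
    ({7753, 7758}, ipaddress.ip_network("192.0.2.0/24")),
]

LINE_RE = re.compile(r"src=(\S+):(\d+) dst=(\S+):(\d+)")

def parse_line(line):
    """Extract (src_ip, src_port, dst_ip, dst_port) from a constructed
    log line; returns None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def egress_allowed(dst_ip, dst_port, policy=EGRESS_POLICY):
    """Allow only when some rule lists the destination port and its network
    covers the destination address."""
    addr = ipaddress.ip_address(dst_ip)
    return any(dst_port in ports and addr in net for ports, net in policy)

def audit(lines, policy=EGRESS_POLICY):
    """Return {line: 'ALLOW' or 'DROP'} for every parseable log line."""
    verdicts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _src_ip, _src_port, dst_ip, dst_port = parsed
        verdicts[line] = "ALLOW" if egress_allowed(dst_ip, dst_port, policy) else "DROP"
    return verdicts

# Constructed sample lines: the same Turnpike destination reached from a
# different source port each time (normal ephemeral-port behaviour), one
# attempt to reach 7753 outside the permitted range, and one odd port.
SAMPLE_LOG = [
    "OUT TCP src=192.168.1.10:3456 dst=192.0.2.7:7753",
    "OUT TCP src=192.168.1.10:3471 dst=192.0.2.7:7753",
    "OUT TCP src=192.168.1.10:3490 dst=192.0.2.9:7758",
    "OUT TCP src=192.168.1.10:3502 dst=198.51.100.20:7753",
    "OUT TCP src=192.168.1.10:3510 dst=198.51.100.20:110",
    "OUT TCP src=192.168.1.10:3511 dst=198.51.100.20:31337",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG).items():
        print(verdict, line)
```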