Router Question
<blockquote data-quote="Guest" data-source="post: 130593">
<p>The mere concept of comparing brain pans with you would be insulting to anyone who possesses intelligence greater than that of a trained monkey. However, I'll gladly accept. Let's talk routers, shall we? How about TCP/UDP, stateful firewall inspection and application layer intelligence, and how it all can be discussed in the same topic. Now, I'll start, and I want YOU to add something intelligent to the conversation. Sound good? mmmkay.</p>
<p>The sequential port designation of the source port is not a function of the remote server, it's a function of the node. It occurs in every connection made from that node, regardless of TCP or UDP designation. The whole "incrementing source port" thingy is more commonly referred to by people who aren't messageboard monkeys talking networking as "ephemeral ports".</p>
<p>An inbound access control list can possess up to and including layer 4 information. Layer 4 of the OSI model, meaning the transport layer, otherwise known as the layer where ports are defined, along with a dozen other components which aren't important to this discussion. HTTP uses port 80...that's a "Layer 4" thing. Got it?</p>
<p>Now, an access list has to be explicitly told what to permit/deny inbound or outbound, depending on configuration. You can configure the "established" parameter in an ACL and it will verify that the incoming TCP packet does not have the SYN bit set, but rather SYN-ACK, ACK, FIN, or PUSH. SYN designates the first packet in a communication and thus is not part of an already established connection. The "established" parameter ensures that any connection (TCP) that originated from the inside is allowed to return.</p>
<p>This DOESN'T apply to UDP because UDP, unlike TCP, isn't stateful. Which is to say, there is no three-way handshake that takes place before a connection is established. There is no UDP version of SYN, or FIN...or anything in between. UDP employs unreliable delivery. As such, you cannot configure an "established" parameter because the router or firewall has no means of determining which packet in a UDP exchange was the first, or the second, or the three hundred forty-ninth, and so forth.</p>
<p>Without the ability to permit any internally originated UDP back in, you have to explicitly permit which ports you want to permit. Since your node's ephemeral port could be anything in this range:</p>
<p>1024-65535</p>
<p>You'd have to permit the whole range in order to safely allow connections in each and every time. However, you'd never want to do that. You wouldn't want to poke a hole that large into your ACL or firewall ruleset; it negates the point of having access control. If you're going to do that, you might as well create a rule in your router that states:</p>
<p>Source - Any</p>
<p>Destination - Any</p>
<p>Protocol - IP</p>
<p>Action - Permit</p>
<p>Then you don't have to worry about UDP (or) TCP sessions being denied at your perimeter. You're also sitting plainly out on the Internet.</p>
<p>But I doubt you have the brainpan to understand the details of that discussion. You'd best just stick to silly little Linksys devices, which are Cisco Systems hardware, and think you've got an actual router sitting at home and that said "router" is actually capable of.</p>
<p>Your move.</p>
</blockquote>
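The contrast the post draws, as an added example that is not part of the original thread: a toy stateless inbound ACL with Cisco-style "established" matching (ACK or RST bit set) beside a toy stateful filter that records each outbound 5-tuple, run against constructed packets. The addresses, ports and the `open_ephemeral_udp` switch (modelling a blanket "permit udp any any range 1024 65535") are assumptions made for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names; empty for UDP

# Constructed addresses: an inside host, an external web server, an external DNS server.
INSIDE, WEB, DNS = "192.0.2.10", "198.51.100.80", "198.51.100.53"

def stateless_inbound_acl(pkt, open_ephemeral_udp=False):
    """Inbound ACL on a stateless router. 'established' (IOS semantics) matches any
    TCP segment with ACK or RST set; it cannot describe a UDP reply at all.
    open_ephemeral_udp models 'permit udp any any range 1024 65535'."""
    if pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}:
        return "permit"
    if open_ephemeral_udp and pkt.proto == "udp" and 1024 <= pkt.dport <= 65535:
        return "permit"
    return "deny"  # implicit deny at the end of every ACL

class StatefulFilter:
    """Records each outbound 5-tuple and admits only traffic that reverses one."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def inbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.flows else "deny"

def compare(open_ephemeral_udp=False):
    """Return {packet description: (stateless decision, stateful decision)}."""
    fw = StatefulFilter()
    fw.outbound(Packet("tcp", INSIDE, 51234, WEB, 80, frozenset({"SYN"})))  # inside opens HTTP
    fw.outbound(Packet("udp", INSIDE, 51235, DNS, 53))                      # inside sends a DNS query
    inbound = {
        "tcp SYN-ACK reply from web": Packet("tcp", WEB, 80, INSIDE, 51234, frozenset({"SYN", "ACK"})),
        "unsolicited tcp SYN to 22": Packet("tcp", WEB, 40000, INSIDE, 22, frozenset({"SYN"})),
        "udp DNS reply": Packet("udp", DNS, 53, INSIDE, 51235),
        "unsolicited udp to 51235": Packet("udp", "203.0.113.9", 3000, INSIDE, 51235),
    }
    return {name: (stateless_inbound_acl(p, open_ephemeral_udp), fw.inbound(p))
            for name, p in inbound.items()}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"open_ephemeral_udp={mode}")
        for name, (sl, sf) in compare(mode).items():
            print(f"  {name:30} stateless={sl:6} stateful={sf}")
```

With the ephemeral range opened, the stateless ACL admits the DNS reply but also the unsolicited UDP datagram, which is the hole the post warns about; a real stateful filter additionally ages out idle UDP entries, which this toy omits.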