Slide 5 of 17
The FTP server opens a passive connection on an
ephemeral port and tells the client which port to use. That means that
even PASV-mode FTP requires outward tcp connections to the whole range
of ephemeral ports. The conclusion is that to allow FTP clients on
the inside, we either have to open outward tcp to ports > 1023 (and
even that only gives you PASV-mode ftp), or we need stateful inspection.
There's a problem with kerberos (and hence AFS klog) in that the
clients use udp with ephemeral ports. A strict solution requires stateful
filtering, but it might be ok to have a rule that allows inward udp to the
ephemeral range provided the source is the kerberos port on afsdb1, 2, or 3.
That would allow a host that spoofs those sources to send udp packets
into bsdnet, but such spoofing could only be done from within the external
slac firewall (since rtr-dmz should prevent outsiders from spoofing slac