Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!zaphod.mps.ohio-state.edu!think.com!barmar
From: barmar@think.com (Barry Margolin)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Reducing the risks when connecting to an internet
Message-ID: <1990Nov25.001153.29911@Think.COM>
Date: 25 Nov 90 00:11:53 GMT
References: <3768@stl.stc.co.uk>
Sender: news@Think.COM
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 34

In article <3768@stl.stc.co.uk> neil@stl.stc.co.uk () writes:
>So, for example I have network 128.199, I could have an authorisation
>file like:-
>
># Source               Dest             Comment
># host.port            host.port
>
>*.smtp                 mymailgw.smtp    Mail service inbound
>mymailgw.smtp          *.smtp           Mail service outbound
>128.199.200.*.ftp      *.ftp            FTP
>128.199.200.*.telnet   *.telnet         Telnet

The source port for connections is generally *not* the protocol's
well-known port.  The well-known port is normally only used as the
destination port.  The source port is usually a random port above 1024.

>Is this possible, or are we thinking in completely the wrong way ?
>At this stage it isn't necessary that the device exists in the UK,
>we can import if necessary.

cisco Gateway Servers can do packet filtering based on addresses and port
numbers.

>We also have an eye on the future, so the Vendor would need to offer
>support for OSI protocols.

cisco supports OSI protocols, although it doesn't yet seem to support them
in its filtering specifications.  It will probably come at some time,
though.
--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
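To make the source-port point concrete, here is a toy stateless filter that evaluates rules in the "host.port host.port comment" format quoted above. It is an added example, not code from the original post and not the syntax of any cisco product. The mail-gateway address, the sample packets, and the ">N" port pattern (meaning "any port greater than N") are all constructed for illustration. Run against a realistic inbound SMTP connection, the rules as originally written never match, because the client's source port is ephemeral rather than 25; the corrected rules leave the source port as any port above 1023.

```python
"""Toy stateless packet-filter matcher for 'host.port host.port comment' rules.

Added example; not from the original post or any cisco product.
Hostnames, addresses, the '>N' port syntax and the packets are constructed.
"""

# Well-known destination ports for the service names used in the rules.
SERVICES = {"smtp": 25, "ftp": 21, "telnet": 23}

# Hypothetical name-to-address map; 'mymailgw' is the post's mail gateway.
HOSTS = {"mymailgw": "128.199.1.1"}


def parse_endpoint(spec):
    """Split 'host.port' into (host_pattern, port_pattern).

    host: '*', a name in HOSTS, or a dotted pattern such as '128.199.200.*'.
    port: '*', a service name, a number, or '>N' (assumed syntax: port > N).
    """
    host, _, port = spec.rpartition(".")
    if not host:
        raise ValueError("endpoint must be host.port: %r" % spec)
    return host, port


def _addr_matches(pattern, addr):
    if pattern == "*":
        return True
    pattern = HOSTS.get(pattern, pattern)  # resolve a hostname, if given
    pat, octets = pattern.split("."), addr.split(".")
    return len(pat) == len(octets) and all(
        p == "*" or p == o for p, o in zip(pat, octets))


def _port_matches(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    if pattern in SERVICES:
        return port == SERVICES[pattern]
    return port == int(pattern)


def parse_rules(text):
    """Parse the authorisation file into (src, dst, comment) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, *comment = line.split()
        rules.append((parse_endpoint(src), parse_endpoint(dst), " ".join(comment)))
    return rules


def permitted(rules, packet):
    """First-match check of (src_addr, src_port, dst_addr, dst_port).

    Returns the matching rule's comment, or None when no rule permits it.
    """
    sa, sp, da, dp = packet
    for (sh, spat), (dh, dpat), comment in rules:
        if (_addr_matches(sh, sa) and _port_matches(spat, sp)
                and _addr_matches(dh, da) and _port_matches(dpat, dp)):
            return comment
    return None


# The rules as written in the quoted post: source port set to the service.
ORIGINAL_RULES = """\
# Source               Dest             Comment
*.smtp                 mymailgw.smtp    Mail service inbound
mymailgw.smtp          *.smtp           Mail service outbound
128.199.200.*.ftp      *.ftp            FTP
128.199.200.*.telnet   *.telnet         Telnet
"""

# Same intent, with the source port left as an ephemeral port (>1023).
CORRECTED_RULES = """\
# Source               Dest             Comment
*.>1023                mymailgw.smtp    Mail service inbound
mymailgw.>1023         *.smtp           Mail service outbound
128.199.200.*.>1023    *.ftp            FTP
128.199.200.*.>1023    *.telnet         Telnet
"""

# Constructed TCP SYN packets: (src_addr, src_port, dst_addr, dst_port).
INBOUND_SMTP = ("192.0.2.10", 3451, "128.199.1.1", 25)       # real client
OUTBOUND_TELNET = ("128.199.200.7", 2048, "192.0.2.20", 23)
INBOUND_TELNET = ("192.0.2.10", 2048, "128.199.200.7", 23)   # must stay blocked

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        rules = parse_rules(text)
        for label, pkt in (("inbound smtp", INBOUND_SMTP),
                           ("outbound telnet", OUTBOUND_TELNET),
                           ("inbound telnet", INBOUND_TELNET)):
            print("%-9s %-15s -> %s" % (name, label, permitted(rules, pkt)))
```

Two caveats worth keeping in mind when reading the output. The original rule set only admits a client that happens to use source port 25, which is why it appears to "work" in a test from another mail server's port 25 and fails for everything else. And a stateless filter like this one also has to pass the reply direction (server's well-known port back to the client's ephemeral port), which none of these rules express; the "any port above 1023" source pattern is a weak discriminator in any case, since the remote side chooses its own source port.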