
20031015: LDM 6.0.14 connection to portmap on RedHat 9

Rita,

>Date: Wed, 15 Oct 2003 16:47:25 -0500
>From: Rita Edwards <address@hidden>
>Organization: NASA
>To: Steve Emmerson <address@hidden>
>Subject: Re: 20031015: LDM 6.0.14 connection to portmap on RedHat 9

The above message contained the following:

> Just to provide a little information from my side.  The old ldm
> version (6.0.13) negotiated a higher level port after the validation
> occurred through the 388 port.  (The 388 port is opened in the
> firewall.  The port exceptions are for both UDP and TCP.)  The fact
> that the higher level port was/is dynamic does not affect the firewall
> exception for port 388.
> 
> Thus, a successful connection with Red Hat 8.0 and ldm 6.0.13 would
> look like the following:
>     tcp 0 28 zeus.xxx.xxx.xxx:34542 aqua.xxx.xxx.xxx:ldm  ESTABLISHED
> (zeus is the client receiving data from the
> upstream host aqua)
> 
> What I am seeing with Carl's machine running Red Hat 7.2 and ldm
> 6.0.14 is the following:
>     tcp 0  0 branch.xxx.xxx.xxx:59336 tarzan.xxx.xxx.xxx:56143 ESTABLISHED
> (tarzan is the client receiving data from the upstream host branch).

The port utilization strategy of the LDM is unchanged from version
6.0.13 to 6.0.14.  So the difference in behavior must lie elsewhere.

Is the main LDM program on Tarzan set-uid-root?  The file is
bin/rpc.ldmd from the LDM user's home directory.

> The question becomes why are both machines using the higher level
> ports?  We were able to verify that the firewall interpreted the
> higher level port negotiation as the same connection. Thus, the use of
> the higher level port for the upstream host was allowed.  However, it
> still does not explain why the upstream host is not using port 388.
> 
> With Carl's Red Hat 9.0 system and the ldm 6.0.14,
> what was seen on the firewall was the following:
> 1.  A connection was made using the 388 port.
> 2.  Carl's machine issued a fin, and the connection
> was broken.
> 3.  Carl's machine then tried to reconnect using
> a higher level port.  However, the firewall interpreted
> the connection as a NEW connection, and disallowed the
> use of the higher level port.
> 
> I am not even sure what to ask for from the
> firewall guys.  I cannot request a dynamic upper
> level port for the ldm.
> 
> Thanks for the patience and help,
> Rita

Regards,
Steve Emmerson
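A small shell check for the two points raised in this exchange (whether rpc.ldmd is set-uid root, and whether an established LDM connection actually has one end on port 388), added here as an example; it is not code from the LDM project or from either correspondent. The LDMHOME variable, the example.org host names and the sample netstat lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the LDM project or the thread above: two
# checks for the situation discussed (an LDM 6 downstream/upstream pair
# whose connection shows up on two dynamic ports instead of port 388).
# Assumptions: LDMHOME is the LDM user's home directory (defaults to $HOME),
# and netstat prints "tcp Recv-Q Send-Q local foreign State" as quoted above.

# is_setuid_root FILE: exit 0 only if FILE has the setuid bit and is owned
# by uid 0.  Traditionally on Linux an unprivileged LDM user can only bind
# the privileged port 388 if rpc.ldmd runs with root's effective uid.
is_setuid_root() {
    [ -u "$1" ] || return 1
    owner=$(ls -ln "$1" | awk '{print $3}')
    [ "$owner" = "0" ]
}

# report_ldmd: say whether $LDMHOME/bin/rpc.ldmd can bind port 388.
report_ldmd() {
    f="${LDMHOME:-$HOME}/bin/rpc.ldmd"
    if is_setuid_root "$f"; then
        echo "$f: setuid root, can bind port 388"
    else
        echo "$f: not setuid root (or missing), cannot bind port 388"
    fi
}

# flag_connections: read netstat-style lines on stdin and, for each
# ESTABLISHED tcp line, print local endpoint, foreign endpoint and either
# "ldm-port" (one side is on port 388/"ldm", which a firewall rule for 388
# can match) or "both-ephemeral" (the case the firewall treated as new).
flag_connections() {
    awk '$1 == "tcp" && $NF == "ESTABLISHED" {
        n = split($4, l, ":"); lp = l[n]
        m = split($5, f, ":"); fp = f[m]
        ok = (lp == "388" || lp == "ldm" || fp == "388" || fp == "ldm")
        printf "%s %s %s\n", $4, $5, (ok ? "ldm-port" : "both-ephemeral")
    }'
}

# Constructed sample modelled on the two netstat lines quoted in the thread.
SAMPLE='tcp 0 28 zeus.example.org:34542 aqua.example.org:ldm ESTABLISHED
tcp 0 0 branch.example.org:59336 tarzan.example.org:56143 ESTABLISHED
udp 0 0 0.0.0.0:111 0.0.0.0:*'

report_ldmd
printf '%s\n' "$SAMPLE" | flag_connections
```

Run it on the downstream host with LDMHOME set and pipe real `netstat -tn` output into flag_connections; any line reported as both-ephemeral is one a port-388-only firewall exception will not match.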