Subject: RE: CVS performance question & ipf rules
To: walt <current-users@netbsd.org>
From: Conrad T. Pino <NetBSD-Current@Pino.com>
List: current-users
Date: 02/05/2004 15:41:03
> From: current-users-owner@NetBSD.org On Behalf Of walt
> 
> Brian A. Seklecki wrote:
> > 
> > Walt: both cvs via pserver and cvs via ssh(1) use a single outbound TCP
> > socket...
> 
> So, if I understand correctly, a normal 'cvs update' should NOT require
> a *new* incoming tcp connection from the CVS server to my machine?

This presumption is not correct.  A rule permitting inbound traffic IS
needed but a STATIC rule i.e. "pass in" is an unneeded security risk.
The STATIC "pass in" rule may allow *anyone* sending from port 2401 to
use any destination port depending on how tightly the rule is written.

Brian suggested adding a "keep state" clause to your existing "pass out"
rule which will cause ipf to automatically add the needed inbound rule
for the connection.  The added rule is very specific (source and destination
port number specific, source and destination IP address specific) and time
limited to the duration of the connection.  Much safer than a static rule.

Check out: http://www.obfuscation.org/ipf/ipf-howto.html#TOC_20

> I suppose those 'incoming' connections from netbsd.org may result from
> my own impatience when I hit Ctl-C after waiting an hour for CVS to
> finish what used to take 15 minutes just last week?

No, I don't think so.  CVS server should send only in response to client's
requests.

> When I break an existing cvs update with Ctrl-C would the normal
> response of the CVS server be to try to establish a new tcp connection
> with my machine?

I would expect not except in response to an already pending request in
which case the client machine will reply "connection reset" which will
end traffic from the server OR absent the "connection reset" the server
will time out and go away.
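The point made above about the static "pass in" rule versus "keep state" can be seen by modelling the two decisions in code. The block below is an added example, not part of the original mail and not ipf itself: it does not run ipf, it only mimics how a stateless rule and a state table would judge a few constructed packets. The interface name ex0, the addresses and the port numbers are assumptions; the two ipf rule lines shown in the comments use ordinary ipf syntax.

```python
"""Stateless 'pass in' versus 'pass out ... keep state' for a CVS pserver
client (port 2401).  Added example, not ipf code; ex0, the addresses
and the client port are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving on ex0) or "out" (leaving ex0)
    src: str
    sport: int
    dst: str
    dport: int


def static_pass_in(pkt: Packet) -> bool:
    """The static rule the mail warns about:

        pass in quick on ex0 proto tcp from any port = 2401 to any

    Anything inbound with source port 2401 passes, from any host, to
    any destination port on the client.
    """
    return pkt.direction == "in" and pkt.sport == 2401


class StatefulFilter:
    """The "keep state" alternative:

        block in quick on ex0 all
        pass out quick on ex0 proto tcp from any to any port = 2401 keep state

    The outbound rule records the full 4-tuple of each connection the
    client opens to port 2401; inbound packets pass only if they are the
    exact reverse of a recorded tuple, and the entry goes away when the
    connection is closed (ipf also ages entries out on a timer).
    """

    def __init__(self) -> None:
        self.state: set = set()

    def decide(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.dport == 2401:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.direction == "in":
            # Only the mirror image of a recorded outbound tuple passes.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state
        return False  # no other outbound rule in this model

    def connection_closed(self, pkt: Packet) -> None:
        """Drop the state entry once the client connection ends."""
        self.state.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))


# Constructed addresses (documentation ranges), not real hosts.
CLIENT = "192.0.2.10"
CVS_SERVER = "198.51.100.5"
STRANGER = "203.0.113.7"


def demo() -> dict:
    """Run the same constructed packets through both rule styles."""
    out_syn = Packet("out", CLIENT, 40000, CVS_SERVER, 2401)   # cvs update
    reply = Packet("in", CVS_SERVER, 2401, CLIENT, 40000)      # server data
    probe = Packet("in", STRANGER, 2401, CLIENT, 22)           # src port 2401 to sshd
    other_port = Packet("in", CVS_SERVER, 2401, CLIENT, 40001)  # wrong client port

    stateful = StatefulFilter()
    stateful.decide(out_syn)  # creates the state entry
    results = {
        "static_reply": static_pass_in(reply),
        "static_probe": static_pass_in(probe),
        "stateful_reply": stateful.decide(reply),
        "stateful_probe": stateful.decide(probe),
        "stateful_other_port": stateful.decide(other_port),
    }
    stateful.connection_closed(out_syn)
    results["stateful_reply_after_close"] = stateful.decide(reply)
    return results


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'pass' if passed else 'block'}")
```

The static rule passes the CVS reply and the stranger's probe alike, because source port 2401 is the only thing it checks. The state entry admits the reply only for the exact client port that opened the connection, rejects the probe and the wrong-port packet, and admits nothing once the connection is closed.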