Subject: Re: CVS performance question & ipf rules
To: Conrad T. Pino <NetBSD-Current@Pino.com>
From: Bill Studenmund <email@example.com>
Date: 02/06/2004 14:49:54
Content-Type: text/plain; charset=us-ascii
On Thu, Feb 05, 2004 at 03:41:03PM -0800, Conrad T. Pino wrote:
> > From: current-users-owner@NetBSD.org On Behalf Of walt
> > Brian A. Seklecki wrote:
> > >
> > > Walt: both cvs via pserver and cvs via ssh(1) use a single outbound TCP
> > > socket...
> > So, if I understand correctly, a normal 'cvs update' should NOT require
> > a *new* incoming tcp connection from the CVS server to my machine?
> This presumption is not correct. A rule permitting inbound traffic IS
> needed, but a STATIC rule, i.e. "pass in", is an unneeded security risk.
> The STATIC "pass in" rule may allow *anyone* sending from port 2401 to
> use any destination port depending on how tightly the rule is written.
Huh??? cvs update from walt's net to the cvs server should _not_ require
connections incoming to walt's from the cvs server.
I've used both pserver and ssh-auth anonymous cvs servers from my home
net, which is behind a NAT. No incoming connections have been needed.
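To make the two positions in this exchange concrete, here is an added ipf ruleset (not from either poster) contrasting the static "pass in" rule Conrad warns about with the stateful outbound rule that matches how a client-initiated cvs session actually behaves. The external interface name `ex0` is an assumption; 2401 is the pserver port from the thread, and 22 covers cvs over ssh(1).

```ipf
# Added example, not part of the original thread. ex0 is an assumed interface.

# WEAK: a static rule keyed only on the remote *source* port. Anything on
# the Internet can set its source port to 2401 and reach any local port,
# regardless of whether a cvs session was ever started from inside.
# pass in quick on ex0 proto tcp from any port = 2401 to any

# BETTER: cvs (pserver or ssh) opens one outbound TCP connection from the
# client. Let the initial SYN out and track the session; ipf then admits
# only the reply packets that belong to that connection.
pass out quick on ex0 proto tcp from any to any port = 2401 flags S keep state
pass out quick on ex0 proto tcp from any to any port = 22   flags S keep state

# Everything else arriving on the external interface is dropped, so the
# state table, not a standing hole, is what admits the server's replies.
block in quick on ex0 all
block out quick on ex0 all
```

Loading this with `ipf -Fa -f /etc/ipf.conf` and then running `cvs update` behind it, with `ipfstat -s` showing the state entries, is a quick way to confirm Bill's point: the server never initiates a connection back to the client, so no inbound pass rule is required.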