Subject: Re: CVS performance question & ipf rules
To: Conrad T. Pino <>
From: Bill Studenmund <>
List: current-users
Date: 02/06/2004 14:49:54

On Thu, Feb 05, 2004 at 03:41:03PM -0800, Conrad T. Pino wrote:
> > From: On Behalf Of walt
> >
> > Brian A. Seklecki wrote:
> > >
> > > Walt: both cvs via pserver and cvs via ssh(1) use a single outbound TCP
> > > socket...
> >=20
> > So, if I understand correctly, a normal 'cvs update' should NOT require
> > a *new* incoming tcp connection from the CVS server to my machine?
> This presumption is not correct.  A rule permitting inbound traffic IS
> needed but a STATIC rule i.e. "pass in" is an unneeded security risk.
> The STATIC "pass in" rule may allow *anyone* sending from port 2401 to
> use any destination port depending on how tightly the rule is written.

Huh??? cvs update from walt's net to the cvs server should _not_ require
connections incoming to walt's from the cvs server.

I've used both pserver and ssh-auth anonymous cvs servers from my home
net, which is behind a NAT. No incoming connections have been needed.

Take care,
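
The two rule styles discussed in this thread, as an added ipf.conf example that is not part of the original message or from any poster. The interface name fxp0 and the closing default-block rule are assumptions.

```conf
# Added illustration, not from the thread.
# Assumptions: external interface is fxp0; inbound traffic is blocked
# unless a rule or a state table entry allows it.

# Static rule (shown commented out): any remote host that sends TCP
# from source port 2401 is let in to any local port, whether or not
# a cvs session exists.
# pass in quick on fxp0 proto tcp from any port = 2401 to any

# Stateful alternative: allow only the outbound pserver connection and
# keep state. Reply packets are matched against the state table entry
# created by the outgoing SYN, so no "pass in" rule for port 2401 is
# needed.
pass out quick on fxp0 proto tcp from any to any port = 2401 flags S keep state

# cvs over ssh(1) follows the same pattern on port 22.
pass out quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# Inbound packets that match no state entry are dropped.
block in on fxp0 all
```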

