Subject: Re: CVS performance question & ipf rules
To: Conrad T. Pino <NetBSD-Current@Pino.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 02/06/2004 14:49:54

On Thu, Feb 05, 2004 at 03:41:03PM -0800, Conrad T. Pino wrote:
> > From: current-users-owner@NetBSD.org On Behalf Of walt
> >
> > Brian A. Seklecki wrote:
> > >
> > > Walt: both cvs via pserver and cvs via ssh(1) use a single outbound TCP
> > > socket...
> >
> > So, if I understand correctly, a normal 'cvs update' should NOT require
> > a *new* incoming tcp connection from the CVS server to my machine?
>
> This presumption is not correct.  A rule permitting inbound traffic IS
> needed but a STATIC rule i.e. "pass in" is an unneeded security risk.
> The STATIC "pass in" rule may allow *anyone* sending from port 2401 to
> use any destination port depending on how tightly the rule is written.

Huh??? cvs update from walt's net to the cvs server should _not_ require
connections incoming to walt's from the cvs server.

I've used both pserver and ssh-auth anonymous cvs servers from my home
net, which is behind a NAT. No incoming connections have been needed.

Take care,

Bill
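Added example (not from anyone in this thread) putting the two positions side by side as ipf rules: the static "pass in" rule Conrad warns about, and a stateful "pass out ... keep state" rule that admits only the reply packets of a connection the local cvs client opened itself, so no standing inbound hole is needed for either pserver (2401) or ssh (22). The interface name ne0 is an assumption.

```conf
# WEAK: a static inbound rule. Any remote host that chooses source port
# 2401 can reach any local port; the filter never checks that a local
# client actually opened the connection.
pass in quick on ne0 proto tcp from any port = 2401 to any

# BETTER: permit the outbound SYN and let ipf's state table admit the
# server's replies for that one connection only. No "pass in" is needed.
pass out quick on ne0 proto tcp from any to any port = 2401 flags S keep state
pass out quick on ne0 proto tcp from any to any port = 22   flags S keep state

# Everything else arriving on the interface is dropped and logged, which is
# what makes the stateful approach safe: unsolicited traffic from port 2401
# no longer matches anything.
block in log quick on ne0 all
```

Only the state entry created by the local client's SYN lets return packets through, so the failure mode Conrad describes (anyone with source port 2401 reaching arbitrary local ports) does not arise.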
