IP and port numbers
Bob Cherry
cherry at banjo.com
Fri May 29 12:38:33 EDT 1998
At 07:15 AM 5/29/98 -0700, Chuck Bearden wrote:
>Close. /etc/services maps a service name to a port number and
>protocol. It is quite possible to run a service without it being in
>the /etc/services file, and it is quite possible to run a service on a
>given port other than the one actually mapped to that port in
>/etc/services.
Again, I agree; however, one must have inetd or some similar program
running to do this. Both a client and a server need to be able to
communicate over the network in this manner. If inetd, a standalone
daemon or other ??? aren't present, the host system won't respond.
>Not exactly. Router access lists can block traffic to and from hosts
>based on IP address, transport layer protocol, port number, and other
>criteria, but they have no effect on whether the host in question
>supports a given service on a given port. The only way to prevent a
>computer from running a service on a certain port is to configure the
>computer itself not to. AFAIK, router access lists don't operate on
>ethernet addresses, but am ready to stand corrected on that point.
Well, Cisco router lists can limit which hosts can access the network
over specified sockets. Thus, I can say the web server hosts can only
receive TCP on ports 80, 8080, etc. yet can send out using any port.
The FTP server gets 20 and 21; SMTP/POP3 servers get 25, 110, etc.
Since the traffic is blocked at the router, the host will never see it.
If your users on a host are trusted, you may also permit 'established'
ports in. Thus, if I originate an IRC connection, inbound traffic will
be allowed in to me but once I quit the session, it will then be blocked.
The first policy I enter is to deny everything and then I enter the
explicit permit policies and rules.
>The Win95 Policy Editor doesn't give you that kind of control,
>unfortunately. It will let you make Network Neighborhood disappear,
>however.
Bummer!
Bob
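The router policy Bob describes (deny everything, then explicit permits per server, plus 'established' for trusted hosts), modelled as an added example that is not part of the thread: a small first-match access-list evaluator in Python. Host addresses are constructed sample values, and 'established' is implemented the way classic IOS access lists do it, as a test of the TCP ACK flag rather than real connection state.

```python
# Added example, not code from the Web4lib thread. Models an inbound extended
# access list: entries are checked in order and the first match decides.
from dataclasses import dataclass

# Constructed sample addresses for the hosts named in the post.
WEB, FTP, MAIL, TRUSTED = "192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.100"

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag set (IOS 'established' also accepts RST)

# Each entry: (action, protocol, destination host or None for any,
#              permitted destination ports or None for any, established?)
INBOUND_ACL = [
    ("permit", "tcp", WEB,     {80, 8080}, False),
    ("permit", "tcp", FTP,     {20, 21},   False),
    ("permit", "tcp", MAIL,    {25, 110},  False),
    ("permit", "tcp", TRUSTED, None,       True),   # replies to sessions trusted users opened
    ("deny",   "ip",  None,    None,       False),  # catch-all, placed last: first match wins
]

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt under acl, first matching entry wins."""
    for action, proto, dst, ports, established in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        if established and not pkt.ack:
            continue            # a fresh inbound SYN has no ACK bit, so it falls through
        return action
    return "deny"               # every IOS access list ends with an implicit deny

def deny_first(acl):
    """Same entries with the catch-all deny moved to the top, to show why order matters."""
    return [acl[-1]] + acl[:-1]

if __name__ == "__main__":
    probe = Packet("tcp", "198.51.100.7", WEB, 80)
    print(evaluate(INBOUND_ACL, probe), evaluate(deny_first(INBOUND_ACL), probe))
```

With the deny entry first, nothing behind it is ever reached, so the permits have to come before the final catch-all.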