LANCOM Reference Manual LCOS 3.50 Chapter 8: Firewall
120
Firewall
However, if the ser ver wants to sen d larger sets of d ata (e.g. TFTP) and would
not like or can not differentiate on the well known port between requests and
acknowledges, then it sends the response packets to the source port of the
sender of the original request, but uses as its own source port a free port, on
which it reacts now only to those packets, which belong to the data commu-
nication:
While the data communication takes place now over the ports 12345 and
54321, the server on the well-known port (69) can accept further requests. If
the LANCOM pursues a "Deny All" strategy, the answer packets of an entry of
the port filter Firewall, which permits only a connection to port 69 of the
server, would simply be discarded. In order to prevent this, when creating the
entry in the connection state database, the destination port of the connection
is kept free at first, and set only with the arrival of the first answer packet,
whereby both possible cases of an UDP connection are covered.
TCP connections
TCP connections cannot be tracked only by examination of the ports. With
some protocols (e.g. FTP, PPTP or H.323) examinations of the utilizable data
are necessary to open all later negotiated connections, and to accept only
those packets belonging really to the connections. This corresponds to a sim-
plified version of IP masquerading, but without addresses or ports to be re-
mapped here. It is sufficient to pursue the negotiation to open appropriate
ports, and link them with the main connection, so that these ports are closed
likewise with the closing of the main connection, and traffic on the secondary
connection keeping open also the main connection.
Client port Connection Server port
12345 Request 69
12345 Response 54321
12345 Ack/Data 54321
12345 Data/Ack 54321