
Re: using port numbers in selectors



Slava Kavsan wrote:
> 
> ...and what do you do if the Policy says use FTP port - but FTP-data port
> is dynamically assigned? Same for HTTP.

I may be misunderstanding, but this sounds like an implementation
problem, and one that is completely unrelated to the original question
at that. First of all, the "protocols" supported as selectors only
include those IP protocols with IANA numbers, of which FTP is not one.

Secondly, if your configuration utility permits someone to specify "use
FTP port" with no further indication of what "FTP port" means, then I
guess it is up to your implementation to know that FTP runs over TCP,
and to dynamically track which TCP ports are being used for FTP by the
systems it is protecting. This is admittedly a can of worms, but I don't
think it means we shouldn't support port numbers (or ranges, or
wildcards) in selectors.

Scott


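An added illustration of the point being argued (not part of Scott's message or of any IPsec implementation): a minimal selector matcher keyed on IANA protocol number plus port ranges and wildcards, run against constructed 5-tuples to show why a static "FTP port" selector misses the dynamically assigned FTP-data connection and how a port-range selector covers it. The PROTECT/BYPASS labels, the policy entries and the passive port range are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

PortSpec = Union[str, Tuple[int, int]]  # "*" wildcard or inclusive (low, high)
TCP = 6  # IANA protocol number for TCP; "FTP" itself has no such number

@dataclass(frozen=True)
class Selector:
    protocol: Union[str, int]  # IANA protocol number or "*"
    src_port: PortSpec
    dst_port: PortSpec
    action: str  # "PROTECT" / "BYPASS" (constructed labels)

def port_matches(spec: PortSpec, port: int) -> bool:
    if spec == "*":
        return True
    low, high = spec
    return low <= port <= high

def match_selector(sel: Selector, protocol: int, src: int, dst: int) -> bool:
    if sel.protocol != "*" and sel.protocol != protocol:
        return False
    return port_matches(sel.src_port, src) and port_matches(sel.dst_port, dst)

def lookup(spd, protocol: int, src: int, dst: int) -> Optional[str]:
    """First-match walk of an ordered selector list; None when nothing matches."""
    for sel in spd:
        if match_selector(sel, protocol, src, dst):
            return sel.action
    return None

# Constructed policy: protect FTP control (TCP/21) and HTTP (TCP/80), bypass the rest.
SPD = [
    Selector(TCP, "*", (21, 21), "PROTECT"),
    Selector(TCP, "*", (80, 80), "PROTECT"),
    Selector("*", "*", "*", "BYPASS"),
]

def demo():
    control = lookup(SPD, TCP, 40000, 21)  # "PROTECT"
    # Passive-mode FTP-data goes to a server-chosen high port, so the static
    # TCP/21 selector misses it and the flow falls through to the bypass entry.
    data_static = lookup(SPD, TCP, 40001, 51234)  # "BYPASS"
    # A range selector for the server's passive port range (constructed range)
    # brings the data connection back under the protect policy.
    spd_ranges = [Selector(TCP, "*", (49152, 65535), "PROTECT")] + SPD
    data_range = lookup(spd_ranges, TCP, 40001, 51234)  # "PROTECT"
    return control, data_static, data_range
```

The alternative Scott describes, having the implementation track which ports FTP is actually using, would amount to inserting a per-connection selector at the time the data port is negotiated rather than relying on a fixed range.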