[Freeipa-devel] [PATCH] 222 Sanitize UDP checks in conncheck

Rob Crittenden rcritten at redhat.com
Mon Feb 27 16:19:25 UTC 2012


Martin Kosek wrote:
> An easy way to check if the master->replica UDP port check actually works is
> to simply configure a few iptables rules to drop packets for the tested UDP or
> TCP ports:
>
> -A INPUT -m udp -p udp --dport 88 -j DROP
> -A INPUT -m tcp -p tcp --dport 88 -j DROP
>
> ----
> UDP port checks in ipa-replica-conncheck always return OK even
> if they are closed by a firewall. They cannot be reliably checked
> in the same way as TCP ports, as there is no session management as
> in the TCP protocol. We cannot guarantee a response on the checked
> side without our own echo server bound to the checked port.
>
> This patch removes UDP port checks in the replica->master direction,
> as we would have to implement a (Kerberos) protocol-wise check
> to make the other side actually respond. A list of skipped
> ports is printed for the user.
>
> The master->replica direction was fixed and is now able to report an
> error when the port is blocked.
>
> https://fedorahosted.org/freeipa/ticket/2062

ACK, pushed to master and ipa-2-2
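The behaviour the commit message describes, as an added example that is not FreeIPA's own conncheck code: a bare UDP `sendto()` reports OK no matter what the firewall does, while a check that expects an echo from a responder bound to the tested port (the master->replica approach) reports a blocked port when nothing comes back. The probe payload, the loopback responder and the `reply=False` mode that swallows datagrams to imitate an iptables DROP rule are all assumptions made for the demonstration.

```python
import socket
import threading

PROBE = b"ipa-conncheck-probe"  # constructed payload, not FreeIPA's wire format


def naive_udp_check(host, port, timeout=1.0):
    """Pre-fix style check: sendto() on a UDP socket succeeds whether or not
    anything listens or a firewall drops the datagram, so this is always OK."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(PROBE, (host, port))
    return True


def udp_echo_check(host, port, timeout=1.0):
    """Master->replica style check: the checked side runs an echo responder on
    the tested port. No echo within the timeout means the port is blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(PROBE, (host, port))
        try:
            data, _peer = s.recvfrom(1024)
        except OSError:
            # TimeoutError: probe or reply dropped (firewall DROP, no ICMP).
            # ConnectionRefusedError: ICMP port unreachable (nothing bound).
            return False
    return data == PROBE


def start_udp_responder(port=0, reply=True):
    """Bind a UDP echo responder on loopback (port 0 = pick a free port).
    With reply=False it swallows datagrams, simulating a DROP rule."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", port))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(1024)
            except OSError:
                return  # socket closed
            if reply:
                srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv  # caller reads the bound port via srv.getsockname()[1]


if __name__ == "__main__":
    echo = start_udp_responder()
    drop = start_udp_responder(reply=False)
    for name, srv in (("echo", echo), ("drop", drop)):
        p = srv.getsockname()[1]
        print(name, p, "naive:", naive_udp_check("127.0.0.1", p),
              "echo-check:", udp_echo_check("127.0.0.1", p, timeout=0.5))
```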
