[Freeipa-devel] [PATCH] 222 Sanitize UDP checks in conncheck

Martin Kosek mkosek at redhat.com
Thu Feb 23 09:08:21 UTC 2012


An easy way to check whether the master->replica UDP port check actually works is
to simply configure a few iptables rules to drop packets for the tested UDP or
TCP ports:

-A INPUT -m udp -p udp --dport 88 -j DROP
-A INPUT -m tcp -p tcp --dport 88 -j DROP

----
UDP port checks in ipa-replica-conncheck always return OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports, as there is no session management as
in the TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to the checked port.

This patch removes UDP port checks in the replica->master direction,
as we would have to implement a (Kerberos) protocol-wise check
to make the other side actually respond. A list of skipped
ports is printed for the user.

The master->replica direction was fixed and is now able to report
an error when the port is blocked.

https://fedorahosted.org/freeipa/ticket/2062

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-222-sanitize-udp-checks-in-conncheck.patch
Type: text/x-patch
Size: 9309 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120223/cfedb514/attachment.bin>
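Added illustration of the point made above (example code, not FreeIPA's conncheck implementation): a bare sendto() on a UDP socket reports success whether or not a firewall drops the packet, so a meaningful check needs an echo responder on the checked side and a reply within a timeout. All names (free_udp_port, udp_responder, naive_udp_check, udp_check_with_echo, start_responder) and the localhost setup are assumptions of this example.

```python
import os
import socket
import threading

HOST = "127.0.0.1"  # constructed: "master" and "replica" both run on localhost here

def free_udp_port():
    """Pick an unused UDP port on localhost for the demonstration."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]

def udp_responder(port, ready, stop):
    """Replica side (hypothetical stand-in for the conncheck listener): echo datagrams back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((HOST, port))
        s.settimeout(0.2)
        ready.set()
        while not stop.is_set():
            try:
                data, peer = s.recvfrom(1024)
            except socket.timeout:
                continue
            s.sendto(data, peer)

def naive_udp_check(port):
    """The broken check: sendto() does not fail when nothing answers, so it is always OK."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b"probe", (HOST, port))
    return True

def udp_check_with_echo(port, timeout=1.0):
    """Master side: send a random nonce and require it echoed back; silence means not OK."""
    nonce = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(nonce, (HOST, port))
        try:
            data, _ = s.recvfrom(1024)
        except (socket.timeout, OSError):  # timeout, or ICMP unreachable surfaced as an error
            return False
    return data == nonce

def start_responder(port):
    """Run the echo responder in a background thread; returns the Event that stops it."""
    ready, stop = threading.Event(), threading.Event()
    threading.Thread(target=udp_responder, args=(port, ready, stop), daemon=True).start()
    ready.wait(2.0)
    return stop
```

Without the responder the naive check still says OK while the echo check reports failure; once the responder is bound to the port the echo check succeeds, which is the behaviour a blocked port must not produce.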

