RE: Tunneling CPRS  David Sommers
 Aug 24, 2004 13:32 PDT 

SPI (stateful packet inspection) is the act of verifying the source and
target by not only the packet's header but also the contents. I'm
assuming that the RPC packet contents are not "standard" and closer to
what is considered proprietary.

This is what I did. I use both Smoothwall and IPCop (not on the same
subnet/route). IPCop has a cool feature (due to its use of iptables and
not ipchains although smooth has also switched to iptables as well) but
any popular firewall that's linux or not will work. (Microsoft ISA and
Cisco PIX are also very very powerful)
You can forward all ports from one IP on the Internet to a single
internal IP address.

Firewalls don't understand RPC calls because you initiate a call out to
9200 on the server but that random return connection is what screws up
the firewall. The key to that return is it's not a "response" - it's a
new connection to the client that's unsolicited. And it's that return
connection that isn't a "response" but a "new connection".

That's how it'll work across firewalls without tunneling. But VPN by
far is more secure and powerful. If you don't have the means to do it
with linux, Win 2000 and Win 2003 VPN setup is just so simple that it's

Hope that helps.


-----Original Message-----
From: Tomlinson, Steven B [mailto:steven.t-@med.va.gov]
Sent: Tuesday, August 24, 2004 3:44 PM
To: 'hard-@topica.com'
Subject: RE: [HARDHATS] Tunneling CPRS


Although not an expert, here goes my take on your situation: if the
firewall protecting the CPRS client is a Linux firewall using iptables
then it not be a problem.
I believe the firewall would need to use connection tracking (stateful
packet inspection). There's an excellent article on the subject at:

Let us know how it goes!

 -----Original Message-----
From: wagn-@musc.edu [mailto:wagn-@musc.edu]
Sent: Tuesday, August 24, 2004 9:03 AM
To: hard-@topica.com
Subject: [HARDHATS] Tunneling CPRS


I have come across an issue that I'm sure others have solved. So, I'd
like to know what options have been used. This is a simple firewall

The OpenVista server resides on a subnet behind a firewall. The CPRS
client machine is on a different subnet behind a different firewall. I
can open port 9200 on the OpenVista firewall to get CPRS to connect to
OpenVista. However, the connection is never complete.

Talking to Lloyd Milligan, I have discovered that OpenVista makes a
callback connection to CPRS on a random port. So, the problem must be
that the firewall around the CPRS client is blocking that callback
connection. I cannot open the firewall there since I don't know what
port(s) to open.

I asked a less distinct question before and I was told that I could use
SSH tunneling or VPN. How can either work in this case where the port
it is connecting to is unknown?
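The thread above explains the failure in words: CPRS connects out to port 9200, the server then opens a second, unsolicited TCP connection back to the client on a port chosen at run time, and a stateful firewall in front of the client drops it because it matches no flow the firewall has seen. The following toy model, added here as an example and not code from the thread or from the OpenVista/CPRS project, makes that visible: a minimal connection-tracking firewall, the two-connection exchange run through a firewall at each site, and the two remedies the replies mention (forwarding all inbound ports to the client, as David describes with IPCop, and a VPN that makes both sites one trusted network). IP addresses, the ephemeral ports and the 40000 source port of the callback are constructed; only port 9200 comes from the thread, and the real RPC Broker handshake is not reproduced.

```python
from dataclasses import dataclass, field

SERVER_PORT = 9200  # the listening port named in the thread


@dataclass(frozen=True)
class Packet:
    """Just enough of a TCP segment for connection tracking."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True on the first packet of a new connection


@dataclass
class StatefulFirewall:
    """Toy stateful filter: allows any outbound flow, remembers it, and lets
    inbound traffic through only if it belongs to a remembered flow or is a
    new connection to an explicitly permitted port."""
    inside_prefix: str                      # e.g. "10.1." for the client site
    allowed_inbound_ports: set = field(default_factory=set)
    forward_all_inbound: bool = False       # the IPCop "forward all ports" setup
    flows: set = field(default_factory=set)  # (in_ip, in_port, out_ip, out_port)
    log: list = field(default_factory=list)

    def is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def filter(self, pkt):
        """Return True if the packet is allowed through, False if dropped."""
        src_in, dst_in = self.is_inside(pkt.src_ip), self.is_inside(pkt.dst_ip)
        if src_in and not dst_in:
            # Outbound: remember the flow so replies can come back.
            if pkt.syn:
                self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if not src_in and dst_in:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.flows:
                return True  # a reply on an established flow
            if pkt.syn and (self.forward_all_inbound or pkt.dst_port in self.allowed_inbound_ports):
                self.flows.add(key)
                return True  # a permitted new inbound connection
            self.log.append(f"DROP unsolicited {pkt.src_ip}:{pkt.src_port} -> "
                            f"{pkt.dst_ip}:{pkt.dst_port}")
            return False
        return True  # traffic that never crosses the perimeter


def simulate(client_fw, server_fw, callback_port):
    """Run the two-connection exchange through both firewalls.
    Returns (initial_connect_ok, callback_ok)."""
    client_ip, server_ip = "10.1.0.5", "10.2.0.9"  # constructed addresses
    client_port = 51000                            # constructed ephemeral port

    # Connection 1: client -> server:9200, then the server's reply.
    syn = Packet(client_ip, client_port, server_ip, SERVER_PORT, syn=True)
    ok = client_fw.filter(syn) and server_fw.filter(syn)
    reply = Packet(server_ip, SERVER_PORT, client_ip, client_port)
    ok = ok and server_fw.filter(reply) and client_fw.filter(reply)

    # Connection 2: the server opens a NEW connection back to the client.
    # This is not a reply on connection 1, so no flow entry matches it.
    callback = Packet(server_ip, 40000, client_ip, callback_port, syn=True)
    cb_ok = server_fw.filter(callback) and client_fw.filter(callback)
    return ok, cb_ok


if __name__ == "__main__":
    # Plain stateful firewalls at both sites: port 9200 opens, callback dies.
    c, s = StatefulFirewall("10.1."), StatefulFirewall("10.2.", {SERVER_PORT})
    print("two firewalls:", simulate(c, s, 34567), c.log)
    # Remedy 1: forward every inbound port to the single CPRS client.
    c, s = StatefulFirewall("10.1.", forward_all_inbound=True), StatefulFirewall("10.2.", {SERVER_PORT})
    print("forward all ports:", simulate(c, s, 34567))
    # Remedy 2: a VPN joins both sites into one trusted network, so neither
    # firewall treats the callback as crossing the perimeter.
    c, s = StatefulFirewall("10."), StatefulFirewall("10.", {SERVER_PORT})
    print("vpn:", simulate(c, s, 34567))
```

The model shows why "open port 9200" is not enough: the firewall in front of the client has no state for a connection it never saw initiated from the inside, and the random destination port rules out a fixed hole. Forwarding all ports works only because a single client sits behind that address, which is the trade-off David's message accepts; the VPN (or an SSH tunnel carrying both directions) keeps the callback inside the trusted path, which is why the replies prefer it.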

