Port blocking

Steve Holden steve at holdenweb.com
Mon Jan 10 20:06:59 EST 2005


Ville Vainio wrote:

> >>>>> "Mark" == Mark Carter <cartermark46 at ukmail.com> writes:
> 
> 
>     Mark> Mark Carter wrote:
>     >> Paul Rubin wrote:
> 
>     >>> Usually you wouldn't run a public corba or pyro service over
>     >>> the internet.  You'd use something like XMLRPC over HTTP port
>     >>> 80 partly for the precise purpose of not getting blocked by
>     >>> firewalls.
> 
>     Mark> I'm not sure if we're talking at cross-purposes here, but
>     Mark> the application isn't intended for public consumption, but
>     Mark> for fee-paying clients.
> 
> Still, if the consumption happens over the internet there is almost
> 100% chance of the communication being prevented by firewalls.
> 
> This is exactly what "web services" are for.
> 
I teach the odd security class, and what you say is far from true. As 
long as the service is located behind a firewall which opens up the 
correct holes for it, it's most unlikely that corporate firewalls would 
disallow client connections to such a remote port.

Web services are for offering services despite the fact that the 
corporate firewall managers are valiantly trying to stop unknown 
services from presenting to the outside world (and my immediately 
preceding post tells you what I think of that idea).

The situation is analogous to connecting to web servers running on 
non-standard ports (8000 and 8080 are traditional favorites, but 
firewalls very rarely accord them any special treatment).

Most firewall configurations allow fairly unrestricted outgoing 
connections, limiting rules to sanity checking of addresses to ensure 
nobody inside the firewall is address spoofing. Incoming connections are 
usually limited to specific combinations of port number and IP address 
known to be legitimate corporate services to the external world. 
Firewalling web services effectively is just an additional pain for the 
network manager.

regards
  Steve
-- 
Steve Holden               http://www.holdenweb.com/
Python Web Programming  http://pydish.holdenweb.com/
Holden Web LLC      +1 703 861 4237  +1 800 494 3119
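As an added example, not part of Steve's post or the rest of the thread: a small Python model of the firewall policy he describes (outgoing connections allowed subject only to an anti-spoofing source check, incoming connections limited to an allowlist of address/port pairs). The internal network, the published services and the sample traffic are constructed values from the documentation address ranges; the model shows why a client connecting to a remote non-standard port such as 8080 gets through, while an unregistered inbound service does not.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (not from the thread): one internal network and an
# allowlist of (public address, port) pairs that are known corporate services.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PUBLISHED_SERVICES = {
    (ipaddress.ip_address("203.0.113.10"), 80),   # corporate web server
    (ipaddress.ip_address("203.0.113.10"), 443),
    (ipaddress.ip_address("203.0.113.25"), 25),   # mail relay
}


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    direction: str  # "out" = leaving the internal net, "in" = arriving from outside


def decide(pkt: Packet) -> tuple[bool, str]:
    """Return (allowed, reason) for one new connection attempt."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.direction == "out":
        # Outgoing: fairly unrestricted; the only rule is a sanity check that
        # the source address really belongs to the inside network.
        if src not in INTERNAL_NET:
            return False, "spoofed source on internal interface"
        return True, "outbound to %s:%d allowed" % (dst, pkt.dport)
    if pkt.direction == "in":
        # Incoming: an internal source address arriving from outside is spoofed;
        # everything else must match a registered (address, port) service.
        if src in INTERNAL_NET:
            return False, "spoofed source on external interface"
        if (dst, pkt.dport) in PUBLISHED_SERVICES:
            return True, "inbound to published service"
        return False, "inbound to unregistered port %d" % pkt.dport
    raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    # Constructed traffic: an inside client reaching a remote service on a
    # non-standard port, plus a few inbound attempts against the allowlist.
    for p in (Packet("10.1.2.3", "198.51.100.7", 8080, "out"),
              Packet("198.51.100.7", "203.0.113.10", 80, "in"),
              Packet("198.51.100.7", "203.0.113.10", 8080, "in"),
              Packet("10.1.2.3", "203.0.113.10", 80, "in")):
        print(p.direction, p.dst, p.dport, decide(p))
```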


