[32352] in North American Network Operators' Group
RE: Operational impact of filtering SMB/NETBIOS traffic?
daemon@ATHENA.MIT.EDU (Richard Welty)
Sun Nov 19 20:07:41 2000
Message-ID: <F5EC0261691CD411887200E018C19DAC04A0E9@TROYNT01>
From: Richard Welty <rwelty@vpnet.com>
To: Ethan Butterfield <primus@veris.org>,
Jim Mercer <jim@reptiles.org>
Cc: nanog@nanog.org
Date: Sun, 19 Nov 2000 20:04:34 -0500
MIME-Version: 1.0
Content-Type: text/plain
Errors-To: owner-nanog-outgoing@merit.edu
Ethan Butterfield [mailto:primus@veris.org] wrote:
> From: Jim Mercer <jim@reptiles.org>
> > as i understand it, ipsec doesn't use ports.
> Yes and no. IPSec uses UDP port 500 for the ISAKMP key exchange and the
> tunnel setup, but all other traffic is IP Protocol 50 (ESP) or 51 (AH).
> Most firewalls I've seen block weird (i.e., just about everything that's
> not standard TCP or IP Protocol 1 (ICMP)) by default, or at least flag it
> as strange.
interestingly enough, ICSA firewall certification requires port 500
(ISAKMP) to be closed, so in theory, you cannot have an ICSA firewall
that also does standards-conforming IPSec.
there is a loophole, however. ICSA will let you off the hook if your
manuals explain how to turn off port 500 in your IPSec-capable firewall
(or firewall-capable IPSec box).
richard
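The point made in the exchange above, as an added example that is not part of the thread: a toy packet-filter policy evaluator (constructed here; it is not any real firewall's rule syntax) showing that a "TCP and ICMP only" default policy drops all three flows an IPsec tunnel needs, and which permits have to be added for it to work.

```python
"""Toy packet-filter policy evaluator (constructed example).

Shows why a firewall that passes only TCP and ICMP by default breaks
standards-conforming IPsec, and the permits needed to fix that.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers and the port named in the thread
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 1, 6, 17, 50, 51
PORT_ISAKMP = 500


@dataclass(frozen=True)
class Packet:
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # destination port; only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int] = None  # None matches any port
    action: str = "accept"


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; unmatched traffic gets the default action."""
    for r in rules:
        if r.proto == pkt.proto and (r.dport is None or r.dport == pkt.dport):
            return r.action
    return default


# Policy as described in the thread: only "standard" TCP and ICMP pass.
DEFAULT_POLICY: List[Rule] = [Rule(PROTO_TCP), Rule(PROTO_ICMP)]

# Corrected policy: additionally permit ISAKMP (UDP/500), ESP (50) and AH (51).
IPSEC_POLICY: List[Rule] = DEFAULT_POLICY + [
    Rule(PROTO_UDP, PORT_ISAKMP),
    Rule(PROTO_ESP),
    Rule(PROTO_AH),
]

# Constructed sample traffic: the three flows an IPsec tunnel depends on.
IPSEC_FLOWS: Dict[str, Packet] = {
    "isakmp": Packet(PROTO_UDP, PORT_ISAKMP),
    "esp": Packet(PROTO_ESP),
    "ah": Packet(PROTO_AH),
}


def blocked_ipsec_flows(rules: List[Rule]) -> List[str]:
    """Names of the IPsec flows this policy would drop (empty means IPsec works)."""
    return [name for name, p in IPSEC_FLOWS.items() if evaluate(rules, p) != "accept"]
```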