[e2e] Fwd: Camel's nose in the tent
Simon Josefsson
simon at josefsson.org
Tue Aug 14 12:26:02 PDT 2001
"Christian Huitema" <huitema at windows.microsoft.com> writes:
> The business of filtering based on port numbers is rapidly getting
> insane: blocking incoming 80, "transparent proxy" of outgoing 80,
> blocking 25... I think we should rewrite the browsers and SMTP agents to
> use alternate ports, picked more or less at random. In fact, we already
> have the tools to do that with the SRV records. I can think of a
> filter-breaker that will first try to access www.example.com:80, and if
> that breaks for any reason, try to resolve "_http._tcp.www.example.com
> IN SRV" -- et voila, alternate port number, filtering is defeated...
> Same could work for mail, etc.
Wouldn't it be easy for a firewall to use SRV records as well then?
E.g. the firewall rule would say "stop all packets for HTTP/TCP to
www.example.com" and the firewall would use SRVs, compared with the
traditional "stop all packets for port 80 to www.example.com".
More information about the end2end-interest
mailing list