Issue 2304: issue with TCPfirewallMechanism (firewall-rtf)

Nature: Uncategorized Issue
Severity:
Summary: The issue comes from the following configuration:

    Client - Tcp Firewall - Giop Proxy Server - Server

The server's IOR will contain a FirewallComponent, which includes two FirewallMechanisms: a TcpFirewallMechanism and a GIOPProxy. The issue comes when the GIOP Proxy has multiple profiles, which may have different host/port, and the TcpFirewallMechanism can only have one host/port. Does that mean that for any host/port specified in one of the GIOP Proxy's profiles, you always have to connect to the host/port specified in the TcpFirewallMechanism? This seems unrealistic since a TCP firewall usually provides a one-to-one mapping.

Resolution:
Revised Text:
Actions taken: January 13, 1999: received issue
Discussion:

=====

From: "Martin Chapman"
To:
Subject: FW: issue with TCPfirewallMechanism
Date: Wed, 13 Jan 1999 12:53:57 -0000

Can you register this as a firewall issue please.

Martin.

-----Original Message-----
From: Wei Chen [mailto:wchen@inprise.com]
Sent: 11 January 1999 19:29
To: firewall-rtf
Subject: issue with TCPfirewallMechanism

Hi, all

The issue comes from the following configuration:

    Client - Tcp Firewall - Giop Proxy Server - Server

The server's IOR will contain a FirewallComponent, which includes two FirewallMechanisms: a TcpFirewallMechanism and a GIOPProxy. The issue comes when the GIOP Proxy has multiple profiles, which may have different host/port, and the TcpFirewallMechanism can only have one host/port. Does that mean that for any host/port specified in one of the GIOP Proxy's profiles, you always have to connect to the host/port specified in the TcpFirewallMechanism? This seems unrealistic since a TCP firewall usually provides a one-to-one mapping.
- Wei Chen

Date: Mon, 29 Nov 1999 13:54:56 -0500 (EST)
From: Polar Humenn
To: Martin Chapman
cc: Paul Kyzivat, firewall-rtf@omg.org
Subject: RE: Round 1

Issue 2304: Insert the following paragraph after the first paragraph on the page:

"It should be noted that an IOR for an object may contain several addresses, in the form of multiple profiles, or alternate addresses within a profile. A TCP firewall can only be used to reach an address if it is configured to do so; therefore care must be taken when creating IORs and configuring TCP firewalls: excessive use of multiple addresses in an IOR profile in the presence of TCP firewalls will either result in a configuration nightmare or a high rate of connection refusals. Care must particularly be taken when GIOP Proxy objects are installed behind a TCP firewall; there is not much point in having multiple addresses in a proxy's IOR if the TCP firewall is not configured to handle them all."

I would get rid of the rhetorical comments "excessive", "configuration nightmare", and "there is not much point ...". How about:

"It should be noted that an IOR for an object may contain several addresses, which may be in the form of multiple profiles or alternate addresses within a profile. Use of multiple addresses in an IOR in the presence of TCP firewalls may cause complex TCP firewall configuration issues to arise. Careful attention must be paid to configure the TCP firewall to handle all of the addresses."

The point about "connection refusals" is not really needed since we are not in the business of defining what TCP firewalls do or cause.
Cheers,
-Polar

-------------------------------------------------------------------
Polar Humenn, Principal, Adiron, LLC
2-212 Center for Science & Technology, CASE Center/Syracuse University
Syracuse, NY 13244-4100
mailto:polar@adiron.com   http://www.adiron.com
Phone: 315-443-3171   Fax: 315-443-4745

Date: Mon, 29 Nov 1999 23:50:59 +0000
From: Owen Rees
To: mchapman@iona.com, firewall-rtf@omg.org
Subject: RE: Round 1 - issue 2304

--On 29 November 1999 13:34 +0000 Martin Chapman wrote:

> Issue 2304: issue with TCPfirewallMechanism (firewall-rtf)
>
> Nature: Uncategorized Issue
> Severity:
> Summary: An IOR may contain multiple addresses since it may have multiple
> profiles and a profile may have multiple addresses. A TCP firewall maps
> one incoming port to one outgoing port. If the TCP firewall is not set
> up correctly not all of the addresses on an IOR may be reachable through
> the tcp firewall.
> Resolution: There is very little the spec can say on this since TCP
> firewalls have a well defined behaviour that cannot be changed by this
> spec. However the issue should be noted in the specification.

Proposed resolution is fine - I don't have a strong opinion on this one.

Regards,
Owen Rees
Hewlett Packard Laboratories, Bristol, UK
tel: +44 117 312 9439   fax: +44 117 312 9285
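The situation the thread describes, as an added Python example that is not part of the issue record, the e-mails or the CORBA firewall specification: a GIOP Proxy IOR with several addresses (multiple profiles, alternates within a profile) sits behind a TCP firewall that forwards each inbound host/port to exactly one outbound host/port, and the TcpFirewallMechanism names a single inbound host/port. The check reports which IOR addresses no firewall mapping reaches (the "configuration issues" the proposed text warns about) and which single proxy address the mechanism's host/port actually forwards to. All host names, ports and the mapping table are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Address = Tuple[str, int]  # (host, port)


@dataclass
class Profile:
    """One IOR profile: a primary host/port plus optional alternate addresses."""
    primary: Address
    alternates: List[Address] = field(default_factory=list)

    def addresses(self) -> List[Address]:
        return [self.primary, *self.alternates]


@dataclass
class TcpFirewall:
    """A TCP firewall as the thread describes it: one inbound (host, port)
    is forwarded to exactly one outbound (host, port)."""
    mappings: Dict[Address, Address]

    def reachable(self) -> set:
        return set(self.mappings.values())


def unreachable_addresses(profiles: List[Profile], fw: TcpFirewall) -> List[Address]:
    """IOR addresses that no firewall mapping forwards to; a client using the
    firewall would be unable to reach these."""
    return [a for p in profiles for a in p.addresses() if a not in fw.reachable()]


def client_side_address(fw: TcpFirewall, target: Address) -> Optional[Address]:
    """The inbound firewall host/port a client must use to reach `target`."""
    for inbound, outbound in fw.mappings.items():
        if outbound == target:
            return inbound
    return None


def mechanism_reaches(fw: TcpFirewall, mechanism: Address) -> Optional[Address]:
    """A TcpFirewallMechanism carries one host/port, so it reaches one address."""
    return fw.mappings.get(mechanism)


# Constructed sample: two proxy profiles, one with an alternate address,
# and a firewall configured for only two of the three addresses.
PROXY_PROFILES = [
    Profile(("proxy1.internal", 2000), alternates=[("proxy1.internal", 2001)]),
    Profile(("proxy2.internal", 2000)),
]
FIREWALL = TcpFirewall({("fw.example", 9000): ("proxy1.internal", 2000),
                        ("fw.example", 9001): ("proxy2.internal", 2000)})
TCP_MECHANISM: Address = ("fw.example", 9000)  # single host/port in the IOR
```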