Anonymous_User Absent Member.

Filtcfg for NCP and SLP

I am trying to allow only port 524 and port 427 to my NetWare servers.

For some reason Filtcfg does not come pre-defined with NCP or SLP, so I have
to create my own port entry.

1. For the definition, does each port allow ANY connection? Or does NCP only
talk 524<->524?
2. Same for SLP.



Re: Filtcfg for NCP and SLP

HeCtOr wrote:

> I am trying to only allow port 524 and port 427 only to my NetWare
> servers.
>
> For some reason Filtcfg does not come pre-defined with NCP or SLP so
> I have to create my own port entry.
>
> 1. For the definition does each port allow ANY connection? Or does
> NCP only talk 524<->524.


Inbound and Outbound NCP connections will look like:
1024-65535 -> 524

Keep in mind that you need rules two ways, as all servers on either side
of the firewall can initiate a connection.

> 2. Same for SLP.


Depends. If you use a DA then it will talk to the DA using 1024-65535
-> 427. If you don't use a DA, it relies on multicast and you'll need to
allow that. I think it uses 224.0.1.22, but I could be wrong.


--
Cheers,
Edward
Marcel_Cox Absent Member.

Re: Filtcfg for NCP and SLP

For both NCP and SLP, be aware that both protocols can be used on UDP and
TCP.
For NCP, Novell clients will only use TCP by default. However, some server
to server traffic could potentially be UDP, and Linux machines using
ncpmount will also use UDP by default unless you explicitly specify tcp in the
ncpmount command.
For SLP, you will typically see both UDP and TCP traffic and you should
enable both. As far as I know, Novell products use 427 as source and as
destination port, but this may not be the case for all SLP traffic.
Overall, be aware of the potential negative side effects of enabling
filtering. For instance, workstations trying to make CIFS connections
before trying NCP will slow down. This is because without a firewall, the
NetWare server will explicitly refuse the CIFS connection and the client
will notice immediately and give up. With a firewall, the NetWare doesn't
reply at all and the client will have to wait for a timeout before giving
up.

--
Marcel Cox
http://support.novell.com/forums
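
As an added example (not written by any poster in this thread, and not Filtcfg syntax): a small Python model of a default-deny exception list built from the two replies above, checked against constructed sample flows. The rule layout, the direction labels and the sample source ports are assumptions, and it models only the first packet of each flow.

```python
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)   # source-port range quoted in the thread

@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp" or "udp"
    direction: str    # "in" = toward the NetWare servers, "out" = from them
    sports: tuple     # allowed source-port ranges
    dport: int

def build_rules(both_ways=True, with_udp=True):
    """Exception list for NCP (524) and SLP (427) as described in the replies."""
    protos = ("tcp", "udp") if with_udp else ("tcp",)
    dirs = ("in", "out") if both_ways else ("in",)
    rules = []
    for proto in protos:
        for d in dirs:
            rules.append(Rule(proto, d, (EPHEMERAL,), 524))
            # SLP: Novell products may use 427 as the source port as well
            rules.append(Rule(proto, d, (EPHEMERAL, range(427, 428)), 427))
    return rules

def allowed(rules, proto, direction, sport, dport):
    """Default deny: a flow's first packet passes only if some rule matches."""
    return any(r.proto == proto and r.direction == direction and r.dport == dport
               and any(sport in rng for rng in r.sports) for r in rules)

# Constructed sample flows: (label, proto, direction, source port, dest port)
FLOWS = [
    ("Novell client NCP login", "tcp", "in", 49152, 524),
    ("server-to-server NCP from inside", "tcp", "out", 2048, 524),
    ("ncpmount default (UDP)", "udp", "in", 40000, 524),
    ("SLP 427 -> 427", "udp", "in", 427, 427),
    ("SLP query to DA", "tcp", "in", 3000, 427),
    ("CIFS attempt", "tcp", "in", 50000, 445),
]

def blocked_flows(rules):
    """Labels of the sample flows that the rule set would not let through."""
    return [label for label, *pkt in FLOWS if not allowed(rules, *pkt)]

if __name__ == "__main__":
    for name, rules in [("full", build_rules()),
                        ("inbound only", build_rules(both_ways=False)),
                        ("TCP only", build_rules(with_udp=False))]:
        print(f"{name:13} blocks: {blocked_flows(rules)}")
```

The inbound-only and TCP-only variants show which legitimate flows disappear when a rule set omits the reverse direction or UDP; the CIFS attempt is blocked in every variant, which is the case that produces the client-side timeout described above.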
Anonymous_User Absent Member.

Re: Filtcfg for NCP and SLP

Thank you Marcel and Edward.