CFAM Security



Posted by Jim Guerber (66.8.131.115) on December 05, 2004 at 16:58:41:

We recently made a change in CFAM to make it more secure. We decided to restrict the servers that CFAM talked to to only non-routable IP addresses.

There is a range of these non-routable addresses for each of the three classes of IP addresses used for networking:

Range 1: Class A - 10.0.0.0 through 10.255.255.255
Range 2: Class B - 172.16.0.0 through 172.31.255.255
Range 3: Class C - 192.168.0.0 through 192.168.255.255

Any address within those ranges will not be accessible over the internet.

Well, we found a user that was using routable addresses within their local area network and relying on their firewall to prevent outsiders from getting to their workstations and servers.

In retrospect, it was a foolish decision on my part to restrict CFAM in this way. If anything, we should have restricted CNS.

Anyway, this change was made in the 343 build and will be removed in the next release of CFAM.

So, here is my question: Should the Comet Server programs limit who can talk to them? The way they are now, without a firewall, a Comet system anywhere can connect to a CometServe32 server over the internet. This can be very useful, or dangerous, depending on the way you look at it.

We have protected the security server somewhat by allowing the administrator to set the "Limit to Class C IP Address" option.

What do you think? Is it important as a feature of Comet, or should we all rely on firewall technology for this kind of security? After all, it is only Comet that can talk to CometServe because of the protocols involved.
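The address check described in the post, as an added example that is not part of the original post and is not Comet or CFAM code. It shows why a hard-coded non-routable-only rule rejects a LAN that uses routable addresses behind a firewall, and how an administrator-set allowlist avoids that. The function names, the `extra_allowed` parameter, the /24 reading of a "Class C" limit and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# The three non-routable ranges listed in the post, in CIDR form.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
]


def is_non_routable(addr):
    """True if addr falls inside one of the three ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def client_may_connect(server_addr, extra_allowed=()):
    """Client-side rule: talk only to non-routable servers, plus any
    networks an administrator has explicitly allowed (hypothetical option)."""
    if is_non_routable(server_addr):
        return True
    ip = ipaddress.ip_address(server_addr)
    return any(ip in ipaddress.ip_network(net) for net in extra_allowed)


def same_class_c(peer_addr, server_addr):
    """Server-side rule under an assumed reading of a 'limit to Class C'
    option: accept a peer only if it shares the server's /24 network."""
    net = ipaddress.ip_network(f"{server_addr}/24", strict=False)
    return ipaddress.ip_address(peer_addr) in net


def demo():
    # Constructed sample addresses. 198.51.100.0/24 is a documentation range
    # standing in for a site that numbers its LAN with routable addresses.
    lan = ["198.51.100.0/24"]
    return {
        "10.1.2.3": client_may_connect("10.1.2.3"),
        "172.32.0.1": client_may_connect("172.32.0.1"),  # just past range 2
        "routable LAN, fixed rule": client_may_connect("198.51.100.20"),
        "routable LAN, allowlisted": client_may_connect("198.51.100.20", lan),
        "peer in same /24": same_class_c("192.168.5.77", "192.168.5.1"),
        "peer in other /24": same_class_c("192.168.6.77", "192.168.5.1"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28} {'allow' if allowed else 'deny'}")
```
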



