From owner-freebsd-ipfw Mon Jan 31 13:24:31 2000
Message-Id: <200001312124.IAA15485@tungsten.austclear.com.au>
To: Marius Bendiksen
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Contracted firewall hack
In-Reply-To: Message from Marius Bendiksen of "Mon, 31 Jan 2000 17:31:44 BST."
Date: Tue, 01 Feb 2000 08:24:03 +1100
From: Tony Landells

> The application in question communicates over TCP port 1500, whence it
> requests a port for parts of the traffic sort of like what FTP does.

So have we--Sterling Commerce's CONNECT:Mailbox, which uses 10020 & 10021.

> We would be willing to pay to have a custom modification to the IPFW
> code which allows us to do this in a sensible manner.

Our sensible manner is:

    cmhost=192.83.119.201/32    # IP address of CONNECT:Mailbox host
    cm_cmd=10021                # CONNECT:Mailbox command channel, like FTP 21
    cm_data=10020               # CONNECT:Mailbox data channel, like FTP 20

    $fwcmd add pass tcp from any to ${cmhost} ${cm_cmd} setup
    $fwcmd add pass tcp from ${cmhost} ${cm_data} to any setup

This follows all the normal stuff to do anti-spoofing, etc. and assumes
that there is a rule that says

    $fwcmd add pass tcp from any to any established

I hope that helps,
Tony