Date:      Sun, 27 Jun 1999 13:24:44 +0200 (MET DST)
From:      "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: firewalling problem.
Message-ID:  <Pine.SO4.4.05.9906271307230.26451-100000@nenya>
In-Reply-To: <19990627130705.A11859@foobar.franken.de>

On Sun, 27 Jun 1999, Harold Gutch wrote:

> On Sun, Jun 27, 1999 at 11:48:51AM +0930, Mark Newton wrote:
> > Michael Maxwell wrote:
> > 
> >  > Problem:
> >  >  I cannot allow my local net machines to talk outside to the net and still
> >  > have a useful firewall at the same time.  The rule that allows the local
> >  > hosts to talk outside completely defeats the purpose of having any OTHER
> >  > rules in the first place (ipfw allow ip from any to any).  I have tried
> >  > restricting the first "any" to <mynet>:<mymask>, but this also does not
> >  > work.
> > 
> > Read up the manpage for the "established" keyword.
> > 
> I may be wrong, but IIRC, the actual talk-connection is
> established between two arbitrary TCP-ports - port 518 is only
> used for the first "handshake", when checking whether the remote
> user is logged in, telling them the local port to connect to etc.
> AFAIK there is no way to allow talk without opening everything...


  About two years ago, I wrote a program that allows that. It listens on
the bpf, and when a talk request udp packet is intercepted, a rule is added 
to the firewall allowing the incoming tcp connection to pass through.

  The program worked fine, however, due to security concerns, it was not
used finally - the case was that the local network was considered
untrusted, one of the reasons it was firewalled was that local users
would run http or ftp servers with illegal stuff on their machines, and
with this program running, they could make their servers reachable
on arbitrary ports, although always only for a single machine.

  Nonetheless, if you trusted your local network, you'd be fine using it
- incoming talk udp packets can be ignored, the tcp connection is opened
in the opposite way the udp challenge went, so you have to care only
about outgoing udp packets.

  If anybody is interested, I can post it somewhere. However, the
program is written in a VERY BAD style (no options, everything hardcoded
through defines), it needs a strong cleanup. But the functional
mechanism is there. ... it uses ipfw (through ioctls), a port for
IPFILTER would have to be made.


			Vladimir Mencl


P.S.: But I see that this is not what the original question asked about.
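The mechanism the mail describes (intercept the outgoing talk UDP request, then add an ipfw rule for the reverse TCP connection) as an added example in Python; this is not Vladimir's program. It assumes the bpf capture and the UDP/IP header decoding happen elsewhere and only shows the ntalk CTL_MSG parsing (layout per <protocols/talkd.h>) and the rule text that would be handed to ipfw; the sample ANNOUNCE packet is constructed. The check that the advertised listening address matches the sending host is added here as a mitigation for the "open a port on an arbitrary machine" concern raised in the mail.

```python
import socket
import struct

# ntalk CTL_MSG from <protocols/talkd.h>: vers, type, answer, pad, id_num (u32),
# addr (osockaddr, 16 bytes), ctl_addr (osockaddr, 16 bytes), pid (i32),
# l_name[12], r_name[12], r_tty[16] -> 84 bytes, all in network byte order.
CTL_MSG = struct.Struct("!BBBBI16s16si12s12s16s")
NTALK_PORT = 518
TALK_VERSION = 1
LOOK_UP, ANNOUNCE = 1, 3      # the two request types that carry the caller's TCP address
AF_INET = 2

def parse_osockaddr(raw):
    """osockaddr = u16 sa_family + 14 bytes sa_data; for AF_INET the data is laid
    out like sockaddr_in: port (2), IPv4 address (4), 8 bytes of zero."""
    family, port, ip = struct.unpack("!HH4s8x", raw)
    if family != AF_INET:
        raise ValueError("non-IPv4 talk address")
    return socket.inet_ntoa(ip), port

def rule_for_talk_request(src_ip, dst_ip, dst_port, payload, rule_no):
    """Given one outgoing UDP datagram (src/dst already decoded by the sniffer),
    return the narrow ipfw rule to add, or None if no hole should be opened."""
    if dst_port != NTALK_PORT or len(payload) != CTL_MSG.size:
        return None
    vers, mtype, _ans, _pad, _id, addr, _ctl, _pid, _l, _r, _tty = CTL_MSG.unpack(payload)
    if vers != TALK_VERSION or mtype not in (LOOK_UP, ANNOUNCE):
        return None
    listen_ip, listen_port = parse_osockaddr(addr)
    # Added mitigation: only the host that sent the request may have a port opened,
    # so a local user cannot expose a port on another machine on its behalf.
    if listen_ip != src_ip:
        return None
    # Narrow rule: only the remote talkd host, only this local host and port,
    # only inbound TCP connection setup (SYN). A real tool would also expire it.
    return (f"ipfw add {rule_no} allow tcp from {dst_ip} to "
            f"{listen_ip} {listen_port} in setup")

def build_announce(listen_ip, listen_port, caller, callee, tty=""):
    """Constructed ANNOUNCE message for the example (not a real capture)."""
    addr = struct.pack("!HH4s8x", AF_INET, listen_port, socket.inet_aton(listen_ip))
    ctl = struct.pack("!HH4s8x", AF_INET, 0, socket.inet_aton(listen_ip))
    return CTL_MSG.pack(TALK_VERSION, ANNOUNCE, 0, 0, 1, addr, ctl, 4242,
                        caller.encode().ljust(12, b"\0"),
                        callee.encode().ljust(12, b"\0"),
                        tty.encode().ljust(16, b"\0"))

if __name__ == "__main__":
    pkt = build_announce("10.0.0.5", 40123, "alice", "bob")   # constructed sample
    print(rule_for_talk_request("10.0.0.5", "192.0.2.7", NTALK_PORT, pkt, 1000))
```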