From owner-freebsd-security Sun Jun 27 4:29:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alfik.ms.mff.cuni.cz (alfik.ms.mff.cuni.cz [195.113.19.71]) by hub.freebsd.org (Postfix) with ESMTP id 4EE1614DA8 for ; Sun, 27 Jun 1999 04:29:15 -0700 (PDT) (envelope-from mencl@nenya.ms.mff.cuni.cz)
Received: from nenya.ms.mff.cuni.cz by alfik.ms.mff.cuni.cz; (8.8.8/v1.00/19990210.0854) id NAA01569; Sun, 27 Jun 1999 13:29:14 +0200 (MET DST)
Received: from localhost by nenya.ms.mff.cuni.cz (SMI-8.6/SMI-SVR4) id NAA26875; Sun, 27 Jun 1999 13:24:44 +0200
Date: Sun, 27 Jun 1999 13:24:44 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
X-Sender: mencl@nenya
To: freebsd-security@FreeBSD.ORG
Subject: Re: firewalling problem.
In-Reply-To: <19990627130705.A11859@foobar.franken.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 27 Jun 1999, Harold Gutch wrote:

> On Sun, Jun 27, 1999 at 11:48:51AM +0930, Mark Newton wrote:
> > Michael Maxwell wrote:
> >
> > > Problem:
> > > I cannot allow my local net machines to talk outside to the net and still
> > > have a useful firewall at the same time. The rule that allows the local
> > > hosts to talk outside completely defeats the purpose of having any OTHER
> > > rules in the first place (ipfw allow ip from any to any). I have tried
> > > restricting the first "any" to :, but this also does not
> > > work.
> >
> > Read up the manpage for the "established" keyword.
>
> I may be wrong, but IIRC, the actual talk-connection is
> established between two arbitrary TCP-ports - port 518 is only
> used for the first "handshake", when checking whether the remote
> user is logged in, telling them the local port to connect to etc.
> AFAIK there is no way to allow talk without opening everything...

About two years ago, I wrote a program that allows that.

It listens on the bpf, and when a talk request udp packet is intercepted, a rule is added to the firewall allowing the incoming tcp connection to pass through.

The program worked fine; however, due to security concerns, it was not used finally - the case was that the local network was considered untrusted. One of the reasons it was firewalled was that local users would run http or ftp servers with illegal stuff on their machines, and with this program running, they could make their servers reachable on arbitrary ports, although always only for a single machine.

Nonetheless, if you trusted your local network, you'd be fine using it - incoming talk udp packets can be ignored, the tcp connection is opened in the opposite way the udp challenge went, so you have to care only about outgoing udp packets.

If anybody is interested, I can post it somewhere. However, the program is written in a VERY BAD style (no options, everything hardcoded through defines); it needs a strong cleanup. But the functional mechanism is there.

... it uses ipfw (through ioctls); a port for IPFILTER would have to be made.

Vladimir Mencl

P.S.: But I see that this is not what the original question asked about.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
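As an added illustration of the mechanism described in the post above (this is not Vladimir's program, which is not published here): parse an outgoing ntalk ANNOUNCE request and derive the single ipfw rule that lets the callee's TCP connection back in. It assumes the BSD talkd CTL_MSG layout from <protocols/talkd.h>, emits an ipfw(8) command line instead of using the ioctl interface, and only opens the announced port on the host that sent the announcement, for the one remote host it was sent to; the sample packet is constructed for the test.

```python
import socket
import struct

# ntalk (talkd, UDP 518) CTL_MSG layout, as in BSD <protocols/talkd.h>:
# vers, type, answer, pad (1 byte each), id_num (4), addr (16, osockaddr),
# ctl_addr (16), pid (4), l_name[12], r_name[12], r_tty[16] = 84 bytes.
CTL_MSG_FMT = "!BBBBI16s16si12s12s16s"
CTL_MSG_LEN = struct.calcsize(CTL_MSG_FMT)  # 84
TALK_VERSION = 1
ANNOUNCE = 2  # request type that carries the caller's listening TCP socket

def parse_osockaddr(raw: bytes):
    """osockaddr for AF_INET: family(2), port(2), IPv4(4), 8 unused bytes."""
    family, port, ip = struct.unpack("!HH4s8x", raw)
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET osockaddr")
    return socket.inet_ntoa(ip), port

def rule_for_announce(udp_src_ip: str, udp_dst_ip: str, payload: bytes):
    """Return the ipfw command that admits the callee's TCP connection,
    or None if this is not an ANNOUNCE we are willing to open a hole for.
    The hole is limited to the announcing host's own socket and to the
    single remote host the announcement went to (the post's restriction)."""
    if len(payload) != CTL_MSG_LEN:
        return None
    vers, mtype, _ans, _pad, _id, addr, _ctl, _pid, *_ = struct.unpack(CTL_MSG_FMT, payload)
    if vers != TALK_VERSION or mtype != ANNOUNCE:
        return None
    tcp_ip, tcp_port = parse_osockaddr(addr)
    if tcp_ip != udp_src_ip or tcp_port == 0:
        return None  # refuse to open a port on behalf of another host
    return f"ipfw add allow tcp from {udp_dst_ip} to {tcp_ip} {tcp_port} setup"

def build_announce(listen_ip, listen_port, ctl_ip, ctl_port, l_name, r_name):
    """Constructed sample ANNOUNCE packet so the parser can be run offline."""
    addr = struct.pack("!HH4s8x", socket.AF_INET, listen_port, socket.inet_aton(listen_ip))
    ctl = struct.pack("!HH4s8x", socket.AF_INET, ctl_port, socket.inet_aton(ctl_ip))
    return struct.pack(CTL_MSG_FMT, TALK_VERSION, ANNOUNCE, 0, 0, 1, addr, ctl, 1234,
                       l_name.encode(), r_name.encode(), b"")
```

Note that, as the post says, the announced port is still arbitrary, so a local user can expose any listening service to one chosen remote host; the rule above only prevents opening ports on other local machines.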