Date:      Thu, 16 Aug 2001 15:27:50 +0200
From:      "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl>
To:        <freebsd-security@freebsd.org>
Subject:   IPFW and dynamic rules.
Message-ID:  <98829DC07ECECD47893074C4D525EFC31176AD@citsnl007.europe.intranet>


After struggling for a few days, I came across a rule to allow active
FTP out from my firewalled and masq'd clients.

# FTP - Allow access from our LAN to External FTP servers
#first is for the command channel
   ${fwcmd} add pass tcp from any to any 21 setup
#second is for the data channel...
   ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

Basically (if I understand it right) the ftp server must send back the
data from its port 20...  Which is how the protocol works.  But I think it
means that anyone writing a program that binds to (their) local port 20 can
access my hosts....  Think it's too open?  I do...

A better way (for me) to go would be if the firewall watched the FTP
outgoing traffic then added a dynamic rule for the data channel back in...

I heard about the punch_fw option and that sounds great.  But I want it
for more than just FTP and IRC DCC.
Is it possible to set up a rule that works a little like this:

internal host A connects to external host B
ipfw or natd then makes a dynamic rule that allows any traffic (or
traffic from specific ports) from host B back into the network.
After 5 minutes of inactivity, the rule is discarded.

Taking it one step further, I could even define different rules for
different situations.

FTP: watch outgoing some.host:21 and allow incoming some.host:20
mypc.home:1024 <> mypc.home:65535 until the activity finishes.
Quake: watch outgoing some.host:25970 and allow incoming
mypc.home:25000 <> mypc.home:29000 until the activity finishes.
ICQ (for file transfers): Watch outgoing some.host:X and allow incoming
mypc.home:Y <> mypc.home:Z until the activity finishes.

I know this is a little more overhead, but for my little home network I
would like the idea of being able to add this type of customized
filtering.

Can it be done?
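What the post asks for is close to what ipfw's dynamic rules (check-state / keep-state) already do for the connection the LAN host opened: a dynamic rule keyed on that exact address/port pair, accepted until it idles out (net.inet.ip.fw.dyn_ack_lifetime, 300 seconds by default). The active-FTP data channel is a separate inbound connection that state tracking cannot predict, so it still needs natd's FTP handling (or -punch_fw, or passive FTP). The ruleset below is an added example, not from the original message; the interface names and LAN prefix are assumptions, and the layout (un-NAT inbound before check-state, create state before NAT on the way out) is what makes keep-state work together with natd.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw dynamic rules in a
# natd-compatible layout. Inbound packets are translated *before*
# check-state and outbound state is created *before* NAT, so every
# dynamic rule is keyed on the LAN address on both passes.
# fwcmd is the variable rc.firewall uses; the rest are assumptions.
fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-tun0}"               # outside interface (assumption)
lanif="${lanif:-fxp0}"           # inside interface (assumption)
lan="${lan:-192.168.1.0/24}"     # masqueraded LAN (assumption)

load_rules() {
    $fwcmd -f flush
    $fwcmd add 10 allow ip from any to any via lo0
    $fwcmd add 11 allow ip from any to any via "$lanif"
    # Inbound: translate first so replies carry the LAN destination,
    # then accept anything that matches an existing dynamic rule.
    $fwcmd add 14 divert natd ip from any to any in via "$oif"
    $fwcmd add 15 check-state
    # Outbound from the LAN: record the exact src/dst/port pair, then
    # jump to NAT. Replies on that pair pass rule 15 until the state
    # idles out (net.inet.ip.fw.dyn_ack_lifetime, 300 s by default).
    $fwcmd add 20 skipto 800 tcp from "$lan" to any out via "$oif" setup keep-state
    $fwcmd add 21 skipto 800 udp from "$lan" to any out via "$oif" keep-state
    # Active FTP data: a new inbound connection keep-state cannot predict.
    # natd maps it to the client that sent PORT; this rule admits only
    # that case, narrowed to LAN destinations and unprivileged ports.
    # natd -punch_fw, or passive FTP, removes the need for it entirely.
    $fwcmd add 30 allow tcp from any 20 to "$lan" 1024-65535 in via "$oif" setup
    # Nothing else comes in; log new connection attempts for review.
    $fwcmd add 40 deny log tcp from any to any in via "$oif" setup
    $fwcmd add 41 deny log ip from any to any in via "$oif"
    $fwcmd add 800 divert natd ip from any to any out via "$oif"
    $fwcmd add 801 allow ip from any to any
}

if [ "${1:-}" = "apply" ]; then load_rules; fi
```

Run with `fwcmd=echo sh thisfile.sh apply` to print the rules without loading them.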
