Delivered-To: freebsd-security@freebsd.org
Subject: IPFW and dynamic rules.
Date: Thu, 16 Aug 2001 15:27:50 +0200
Message-ID: <98829DC07ECECD47893074C4D525EFC31176AD@citsnl007.europe.intranet>
From: "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl>
Sender: owner-freebsd-security@FreeBSD.ORG

After struggling for a few days, I came across a rule to allow active FTP out from my firewalled and masq'd clients.

# FTP - Allow access from our LAN to External FTP servers
# first is for the command channel
${fwcmd} add pass tcp from any to any 21 setup
# second is for the data channel...
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

Basically (if I understand it right) the FTP server must send back the data from its port 20... which is how the protocol works. But I think it means that anyone writing a program that binds to (their) local port 20 can access my hosts.... Think it's too open? I do...

A better way (for me) to go would be if the firewall watched the FTP outgoing traffic then added a dynamic rule for the data channel back in...
I heard about the punch_fw option and that sounds great. But I want it for more than just FTP and IRC DCC.

Is it possible to set up a rule that works a little like this:

internal host A connects to external host B
ipfw or natd then makes a dynamic rule that allows any traffic (or traffic from specific ports) from host B back into the network.
After 5 minutes of inactivity, the rule is discarded.

Taking it one step further, I could even define different rules for different situations.

FTP: watch outgoing some.host:21 and allow incoming some.host:20 mypc.home:1024 <> mypc.home:65535 until the activity finishes.
Quake: watch outgoing some.host:25970 and allow incoming mypc.home:25000 <> mypc.home:29000 until the activity finishes.
ICQ (for file transfers): watch outgoing some.host:X and allow incoming mypc.home:Y <> mypc.home:Z until the activity finishes.

I know this is a little more overhead, but for my little home network I would like the idea of being able to add this type of customized filtering.

Can it be done?
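The "watch the outgoing connection, then let the matching traffic back in, then forget it after a few idle minutes" behaviour asked about above is what ipfw's check-state/keep-state mechanism does: keep-state records the exact 4-tuple of an outbound connection as a dynamic entry, check-state admits packets matching an entry, and the entry is dropped after the idle time set by the net.inet.ip.fw.dyn_*_lifetime sysctls. The one case state tracking alone cannot cover is active-mode FTP, where the server opens a new connection from its port 20; that is what natd's punch_fw option is for, and it only opens a hole for the specific connection announced in the client's PORT command, not for every remote host bound to port 20. The script below is an added example written for this archive entry; it is not the poster's ruleset and not FreeBSD's rc.firewall. The interface names, the 192.168.1.0/24 network, the rule numbers and the 500:50 hole range are assumed values, and fwcmd defaults to a dry run that only prints the ipfw commands.

```shell
#!/bin/sh
# Stateful ipfw ruleset for a natd-masqueraded LAN (added example, not the
# poster's configuration). Assumed names: pif = public interface, lif = LAN
# interface, lan = inside network, fwcmd = ipfw path. Setting fwcmd is what
# makes the script load rules for real; by default it only echoes them.
fwcmd="${fwcmd:-echo /sbin/ipfw}"   # e.g. fwcmd=/sbin/ipfw to really load
pif="${pif:-tun0}"                   # assumed public interface
lif="${lif:-fxp0}"                   # assumed LAN interface
lan="${lan:-192.168.1.0/24}"         # assumed inside network (constructed)

load_rules() {
    ${fwcmd} -f flush

    # Local and LAN-side traffic is not the concern here.
    ${fwcmd} add 50 allow ip from any to any via lo0
    ${fwcmd} add 60 allow ip from any to any via ${lif}

    # Inbound packets are un-NATed first, so that the state lookup below
    # sees the same inside address the dynamic entry was recorded with.
    ${fwcmd} add 100 divert natd ip from any to any in via ${pif}

    # Dynamic entries are consulted here; a matching packet is accepted
    # and never reaches the static rules that follow.
    ${fwcmd} add 200 check-state

    # natd -punch_fw 500:50 inserts its FTP/DCC holes as rules 500-549,
    # i.e. after check-state and before the final deny, so they are hit.

    # Outbound TCP: "setup" matches only the SYN, keep-state records the
    # 4-tuple, and skipto 1000 hands the packet to natd for translation.
    # Passive FTP, HTTP, IRC and the Quake/ICQ control traffic all fit here.
    ${fwcmd} add 300 skipto 1000 tcp from ${lan} to any out via ${pif} setup keep-state

    # Outbound UDP (Quake, DNS): replies are admitted only from the same
    # remote host and port, not from a whole 25000-29000 range.
    ${fwcmd} add 400 skipto 1000 udp from ${lan} to any out via ${pif} keep-state

    # Anything else arriving on the public interface is logged and dropped;
    # a remote program bound to port 20 gets no special treatment.
    ${fwcmd} add 900 deny log ip from any to any in via ${pif}

    # NAT for the outbound traffic that the keep-state rules jumped here.
    ${fwcmd} add 1000 divert natd ip from any to any out via ${pif}
    ${fwcmd} add 1001 allow ip from any to any
}

# Idle lifetimes of dynamic entries, in seconds. ipfw's default for an
# established TCP entry is already 300 (the "5 minutes" asked about);
# UDP defaults to 10, which is short for a game session.
tune_lifetimes() {
    ${sysctlcmd:-echo sysctl} net.inet.ip.fw.dyn_ack_lifetime=300
    ${sysctlcmd:-echo sysctl} net.inet.ip.fw.dyn_udp_lifetime=60
}

# rc.conf lines that pair with the ruleset (constructed values):
#   natd_enable="YES"
#   natd_interface="tun0"
#   natd_flags="-punch_fw 500:50"

load_rules
tune_lifetimes
```

The split between an inbound divert at the top and an outbound divert at the end is what makes keep-state and natd cooperate: outbound packets are recorded with their private source address before translation, and inbound replies are translated back to that private address before check-state looks them up. The current dynamic entries, with their remaining lifetimes, can be inspected with `ipfw -d list`. Note what this does not do: a dynamic entry only admits the reply tuple of a connection the inside host started, so a service that expects a remote host to open a fresh connection into a port range (active FTP, DCC, ICQ file transfers) still needs an application-aware helper such as punch_fw, or a client configured for passive mode.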