Date: Mon, 21 Aug 1995 13:23:06 +0800 (HKT) From: "Raju M. Daryanani" <raju@rssd.hk.olivetti.com> To: gryphon@healer.com (Coranth Gryphon) Cc: hackers@freebsd.org Subject: Re: Screend Message-ID: <199508210530.AA02506@hk.super.net> In-Reply-To: <199508210423.AAA03247@healer.com> from "Coranth Gryphon" at Aug 21, 95 00:23:08 am
next in thread | previous in thread | raw e-mail | index | archive | help
According to Coranth Gryphon: > Says "Raju M. Daryanani" <raju@rssd.hk.olivetti.com>: > > The problem I've got with it is that [SCREEND] doesn't allow you to screen > > out incoming TCP SYN packets. That will force me to close out some ports > > on which I would like to allow outgoing connections. > Just block "reserved" from foreign hosts, and you're fine. Or if you have > an idea how to distinguish these packets easily, we can probaly find a way > to patch the source to fix this. What I was looking for was a filter that checked the flags in the packet. If only the SYN flag is on, then it is a new connection initiation, and I don't want any of those coming in to certain reserved ports (e.g. NBIOS-TCP). I do want to allow outgoing SYN packets and the corresponding incoming <SYN,ACK> packets so that we can access remote services. ipfw in FreeBSD does appear to support this, but screend seems to work purely on the basis of addresses and ports. ICMP packets are the only ones where it allows further tests on packet types. > I have patches ported that screen the local machine, as well as allowing > for screeing only the PPP interface on the local machine. I'd be interested in those. Raju -- Raju M. Daryanani | Email: raju@rssd.hk.olivetti.com Technical Support Manager | raju@hk.super.net, raju@air.org Products Division | Tel: +852 2979 2450 / Fax: +852 2802 6650 Olivetti (HK) Ltd. | [Finger for PGP key] [MIME understood]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199508210530.AA02506>
