From owner-freebsd-hackers Sun Aug 20 22:31:01 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id WAA21120 for hackers-outgoing; Sun, 20 Aug 1995 22:31:01 -0700
Received: from hk.super.net (hk.super.net [202.14.67.4]) by freefall.FreeBSD.org (8.6.11/8.6.6) with SMTP id WAA21085 for ; Sun, 20 Aug 1995 22:30:50 -0700
Received: from rssd.hk.olivetti.com by hk.super.net with SMTP id AA02506 (5.67b/IDA-1.5 for <@hk.super.net:hackers@freebsd.org>); Mon, 21 Aug 1995 13:30:34 +0800
Message-Id: <199508210530.AA02506@hk.super.net>
Subject: Re: Screend
To: gryphon@healer.com (Coranth Gryphon)
Date: Mon, 21 Aug 1995 13:23:06 +0800 (HKT)
From: "Raju M. Daryanani"
Cc: hackers@freebsd.org
In-Reply-To: <199508210423.AAA03247@healer.com> from "Coranth Gryphon" at Aug 21, 95 00:23:08 am
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Content-Length: 1486
Sender: hackers-owner@freebsd.org
Precedence: bulk

According to Coranth Gryphon:
> Says "Raju M. Daryanani" :
> > The problem I've got with it is that [SCREEND] doesn't allow you to screen
> > out incoming TCP SYN packets. That will force me to close out some ports
> > on which I would like to allow outgoing connections.
> Just block "reserved" from foreign hosts, and you're fine. Or if you have
> an idea how to distinguish these packets easily, we can probably find a way
> to patch the source to fix this.

What I was looking for was a filter that checked the flags in the packet. If only the SYN flag is on, then it is a new connection initiation, and I don't want any of those coming in to certain reserved ports (e.g. NBIOS-TCP). I do want to allow outgoing SYN packets and the corresponding incoming packets so that we can access remote services. ipfw in FreeBSD does appear to support this, but screend seems to work purely on the basis of addresses and ports. ICMP packets are the only ones where it allows further tests on packet types.

> I have patches ported that screen the local machine, as well as allowing
> for screening only the PPP interface on the local machine.

I'd be interested in those.

Raju
--
Raju M. Daryanani         | Email: raju@rssd.hk.olivetti.com
Technical Support Manager | raju@hk.super.net, raju@air.org
Products Division         | Tel: +852 2979 2450 / Fax: +852 2802 6650
Olivetti (HK) Ltd.        | [Finger for PGP key] [MIME understood]
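The flag test Raju describes, written out as an added example (this is not code from the mail, from screend or from ipfw): a segment with SYN set and ACK clear is the first packet of a handshake, so an inbound one aimed at a reserved port is dropped, while outbound SYNs and the SYN+ACK and ACK segments that come back for them pass. The TCP header layout (ports in bytes 0-3, flags in the low six bits of byte 13) is the RFC 793 layout; the reserved-port list (just 139, the NetBIOS session port the mail calls NBIOS-TCP), the `make_tcp_header` and `screen_constructed` helpers and the sample packets are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TCP flag bits in byte 13 of the header (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

#define TCP_HDR_LEN 20          /* header without options */

enum direction { DIR_IN, DIR_OUT };
enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

/* Constructed policy table: ports that must not accept new inbound
   connections. 139 is the NetBIOS session service; a site would add its
   own entries here. */
static const uint16_t reserved_ports[] = { 139 };

/* Flags live in the low 6 bits of byte 13; bytes 2-3 hold the destination
   port in network byte order. */
uint8_t tcp_flags(const uint8_t *hdr) { return hdr[13] & 0x3f; }

uint16_t tcp_dst_port(const uint8_t *hdr) {
    return (uint16_t)(((uint16_t)hdr[2] << 8) | hdr[3]);
}

/* SYN without ACK is the opening segment of a three-way handshake.
   SYN+ACK is the reply to one and is not an initiation. */
int is_connection_initiation(uint8_t flags) {
    return (flags & TH_SYN) != 0 && (flags & TH_ACK) == 0;
}

int is_reserved_port(uint16_t port) {
    size_t n = sizeof reserved_ports / sizeof reserved_ports[0];
    for (size_t i = 0; i < n; i++)
        if (reserved_ports[i] == port) return 1;
    return 0;
}

/* Policy: deny inbound connection initiations to reserved ports; pass
   everything else, including outbound SYNs and the inbound segments of the
   connections they open (those all carry ACK). */
enum verdict screen_tcp(enum direction dir, const uint8_t *hdr) {
    if (dir == DIR_IN
        && is_connection_initiation(tcp_flags(hdr))
        && is_reserved_port(tcp_dst_port(hdr)))
        return VERDICT_DENY;
    return VERDICT_ALLOW;
}

/* Build a constructed 20-byte TCP header for testing the filter. */
void make_tcp_header(uint8_t *buf, uint16_t sport, uint16_t dport, uint8_t flags) {
    memset(buf, 0, TCP_HDR_LEN);
    buf[0] = (uint8_t)(sport >> 8); buf[1] = (uint8_t)(sport & 0xff);
    buf[2] = (uint8_t)(dport >> 8); buf[3] = (uint8_t)(dport & 0xff);
    buf[12] = 0x50;                 /* data offset: 5 words, no options */
    buf[13] = flags & 0x3f;
    buf[14] = 0x20; buf[15] = 0x00; /* window 8192 */
}

/* Hypothetical convenience wrapper: screen a constructed segment. */
enum verdict screen_constructed(enum direction dir, uint16_t sport,
                                uint16_t dport, uint8_t flags) {
    uint8_t hdr[TCP_HDR_LEN];
    make_tcp_header(hdr, sport, dport, flags);
    return screen_tcp(dir, hdr);
}

int main(void) {
    struct { const char *what; enum direction dir;
             uint16_t sport, dport; uint8_t flags; } cases[] = {
        { "inbound SYN to local NetBIOS",       DIR_IN,  1025, 139,  TH_SYN },
        { "outbound SYN to remote NetBIOS",     DIR_OUT, 1025, 139,  TH_SYN },
        { "inbound SYN+ACK reply from remote",  DIR_IN,  139,  1025, TH_SYN | TH_ACK },
        { "inbound data on established conn",   DIR_IN,  139,  1025, TH_ACK | TH_PSH },
        { "inbound SYN to unreserved port 25",  DIR_IN,  1025, 25,   TH_SYN },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum verdict v = screen_constructed(cases[i].dir, cases[i].sport,
                                            cases[i].dport, cases[i].flags);
        printf("%-36s -> %s\n", cases[i].what, v == VERDICT_DENY ? "deny" : "allow");
    }
    return 0;
}
```

This is a stateless check, which is exactly what the mail asks for: the filter never remembers which connections it has seen, it only reads the flags of each segment, so every inbound segment that already carries ACK is passed and the host behind the filter is left to reject segments that belong to no connection. ipfw(8) expresses the same two tests with its `setup` (SYN and not ACK) and `established` (ACK or RST) keywords.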