Date: Thu, 20 Jun 2002 23:05:37 -0400 From: "Joe & Fhe Barbish" <barbish@a1poweruser.com> To: "FBSDQ" <questions@FreeBSD.ORG> Subject: How to use natd -punch_fw Message-ID: <MIEPLLIBMLEEABPDBIEGOEFNCDAA.barbish@a1poweruser.com>
Greetings! The man natd info says this:

-punch_fw basenumber:count This option directs natd to ``punch holes'' in an ipfirewall(4) based firewall for FTP/IRC DCC connections. This is done dynamically by installing temporary firewall rules which allow a particular connection (and only that connection) to go through the firewall. The rules are removed once the corresponding connection terminates. A maximum of count rules starting from the rule number basenumber will be used for punching firewall holes. The range will be cleared for all rules on startup. This means that real numbers depend on your firewall settings.

*********** end of man page info ********************************

So I take it that the basenumber is the statement number in my ipfw rules file where I want the -punch_fw function to insert its dynamically created rules, and the count value is the max number of dynamic rules which I am allowing it to create.

Questions.

How do I know how many lines in the ipfw rules file to reserve for the -punch_fw function? I can code 2 keep-state rules to allow passive FTP in & out.

What kind of dynamic ipfw rules is -punch_fw creating and inserting into the ipfw rules table on the fly? (stateless, setup/established, keep-state/check-state)

The man doc says -punch_fw will dynamically create ipfw rules for FTP/IRC/DCC connections. What if I only want -punch_fw for FTP outbound to the public internet? I don't see how to just get this variation. The wording of the man info states that using -punch_fw will allow setup requests for all 3 connection types FTP/IRC/DCC. To me I interpret this to mean that once -punch_fw is enabled it will interrogate each packet that goes through natd looking for the start of a session for any of those 3 connection types, and if one is found it will automatically create dynamic source statements to insert into the ipfw rules file where I specified.

So by using the -punch_fw command I am forced to accept by default to allow those 3 connection types to be used by my LAN users out to the public internet and for my ipfw firewall to allow in the same from public internet users. It's all 3 both ways or nothing. This sure seems like a very big security hole to me. Can anyone shed light on this subject?
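As an added illustration (not part of the post or of the natd sources), here is how the basenumber:count range described above fits into a small natd/ipfw ruleset: the static rules stay out of the reserved range, and a check confirms no static rule number collides with it. The interface fxp0, the LAN 192.168.1.0/24 and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example: reserve ipfw rule numbers for "natd -punch_fw basenumber:count"
# and make sure the static ruleset never uses a number inside that range
# (natd clears the whole range on startup, so any static rule placed there
# would be wiped). Interface, LAN and numbers below are assumed values.

PUNCH_BASE=1000       # basenumber handed to natd -punch_fw
PUNCH_COUNT=100       # count handed to natd -punch_fw (rules 1000-1099)
OIF="fxp0"            # outside interface (assumed)
LAN="192.168.1.0/24"  # inside network (assumed)

# The static ruleset, one "ipfw <args>" line each. Nothing here uses 1000-1099.
static_rules() {
    cat <<EOF
add 50 divert natd ip from any to any via $OIF
add 100 check-state
add 200 allow tcp from $LAN to any 21 out via $OIF setup keep-state
add 210 allow tcp from $LAN to any out via $OIF setup keep-state
add 2000 deny log tcp from any to any in via $OIF setup
add 65000 allow ip from any to any
EOF
}

# The natd command line that matches the reserved range.
natd_cmdline() {
    echo "natd -n $OIF -punch_fw ${PUNCH_BASE}:${PUNCH_COUNT}"
}

# Exit 0 when no static rule number lies in [base, base+count-1], else 1.
rules_avoid_punch_range() {
    base=$1; count=$2
    last=$((base + count - 1))
    static_rules | awk -v b="$base" -v l="$last" '
        BEGIN { bad = 0 }
        $1 == "add" && $2 + 0 >= b + 0 && $2 + 0 <= l + 0 { bad = 1 }
        END { exit bad }'
}

# Load the ruleset with ipfw (only when run as "./script apply" on the gateway).
apply_rules() {
    fwcmd=${FWCMD:-/sbin/ipfw}
    "$fwcmd" -f flush
    static_rules | while read -r line; do "$fwcmd" $line; done
}

if rules_avoid_punch_range "$PUNCH_BASE" "$PUNCH_COUNT"; then
    echo "static rules clear of punch_fw range; start with: $(natd_cmdline)"
else
    echo "ERROR: a static rule collides with the punch_fw range" >&2
fi
[ "${1:-}" = "apply" ] && apply_rules
```

Run it without arguments to check the numbering; `./script apply` loads the rules with ipfw on the gateway.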