Date: Thu, 27 Jan 2005 17:05:15 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: dick hoogendijk <dick@nagual.st>
Cc: freebsd-questions@freebsd.org
Subject: Re: amsn
Message-ID: <41F9113B.4090907@locolomo.org>
In-Reply-To: <20050124230407.1126e72b.dick@nagual.st>
References: <20050124230407.1126e72b.dick@nagual.st>
dick hoogendijk wrote:

> Amsn states it needs port 1863 for chats and port 6891 for
> filetransfers.
>
> Using ipf (and being quite new to it), does that mean I do this both ways
> (in/out) like:
>
> ## outgoing
>
> # Allow out msn messenger chatting and filetransfers
> pass out quick on rl0 proto tcp from any to any port = 1863 flags S keep state
> pass out quick on rl0 proto tcp from any to any port = 6891 flags S keep state
>
> ## incoming
> # Allow in msn messenger chatting and filetransfers
> pass in quick on rl0 proto tcp from any to any port = 1863 flags S keep state
> pass in quick on rl0 proto tcp from any to any port = 6891 flags S keep state
>
> Or can I drop the incoming rules?

Yes, you have keep state, and anyway the in-rules should be "from any
port = xxxx to any" if they were needed. And now, you see how that would
open your host for attacks.

> ps: I'd like to test it, but don't know how to RESET ipf after making some
> changes to the rules. I do know how to restart ipnat (-CF -f filename),
> but what's the solution for ipf ??

I recommend using the feature of reading your ruleset into the passive
table first: you can check that your rules parse, and you don't
accidentally open your host (this feature is lacking on pf, I was flamed
when requesting it).

  # flush inactive rules (if any)
  ipf -IFi && ipf -IFo

  # read new rules into inactive table
  ipf -I -f <rules>

  # swap rules
  ipf -s

  # cleanup: flush inactive rules (if any)
  ipf -IFi && ipf -IFo

Instead of just swapping rules in, you might want to play it safe with

  ipf -s && sleep 60 && ipf -s

Cheers, Erik
--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
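The two points of the exchange above, stateful outbound rules only (no "pass in ... to any port = 1863") and loading a ruleset through the inactive table before swapping it in, as one added sh script. This is an example written for this page, not code from the thread or from Erik; it assumes only the ipf(8) flags the message itself uses (-I, -F, -f, -s). The IPF variable, the client_rules generator and the load_inactive/safe_swap/confirm_swap split are this example's own names, not part of ipf.

```shell
#!/bin/sh
# Added example (not from the thread): build a stateful outbound ruleset for a
# client-side service and load it via the ipf inactive table, reverting
# automatically unless confirmed. Assumes the ipf(8) flags used in the thread
# (-I, -F, -f, -s). IPF is an assumption of this example so the commands can be
# pointed at a stub while exercising the script off a firewall host.
IPF="${IPF:-ipf}"

# client_rules IFACE PORT... : print one "pass out ... keep state" rule per port.
# The state entry created by the outgoing SYN admits the replies, so no matching
# "pass in" rule is needed. A "pass in ... from any to any port = 1863" rule
# would instead admit new connections *to* this host on 1863, which is the
# exposure Erik warns about; an in-rule, if ever needed, matches the peer's
# source port ("from any port = 1863 to any").
client_rules() {
    iface=$1; shift
    for port in "$@"; do
        printf 'pass out quick on %s proto tcp from any to any port = %s flags S keep state\n' \
            "$iface" "$port"
    done
}

# load_inactive RULEFILE: flush the inactive table and parse RULEFILE into it.
# Returns non-zero, leaving the live ruleset untouched, if ipf rejects the file,
# so a typo never reaches the active table.
load_inactive() {
    "$IPF" -IFi && "$IPF" -IFo || return 1
    if ! "$IPF" -I -f "$1"; then
        "$IPF" -IFi && "$IPF" -IFo   # discard the half-loaded inactive set
        return 1
    fi
}

# safe_swap RULEFILE [SECONDS]: load via the inactive table, swap it in, and
# swap back after SECONDS (default 60) unless confirm_swap is run first. This is
# the "ipf -s && sleep 60 && ipf -s" idea with the timer in the background, so
# the admin keeps a prompt from which to test the new rules.
safe_swap() {
    grace=${2:-60}
    load_inactive "$1" || return 1
    "$IPF" -s || return 1
    ( sleep "$grace" && "$IPF" -s ) &
    REVERT_PID=$!
    echo "new rules active; run confirm_swap within ${grace}s to keep them"
}

# confirm_swap: cancel the pending revert and flush the old rules, which now sit
# in the inactive table (the thread's cleanup step).
confirm_swap() {
    kill "${REVERT_PID:-}" 2>/dev/null || true
    "$IPF" -IFi && "$IPF" -IFo
}
```

Typical use on the firewall: `client_rules rl0 1863 6891 > /etc/ipf.msn.rules`, then `safe_swap /etc/ipf.msn.rules 60`, test the client, and `confirm_swap` if it behaves; if the new set locks you out or breaks something, the timer restores the previous ruleset without further intervention.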