From: Erik Norgaard <norgaard@locolomo.org>
Date: Thu, 27 Jan 2005 17:05:15 +0100
To: dick hoogendijk
cc: freebsd-questions@freebsd.org
Subject: Re: amsn
Message-ID: <41F9113B.4090907@locolomo.org>
In-Reply-To: <20050124230407.1126e72b.dick@nagual.st>

dick hoogendijk wrote:
> Amsn states it needs port 1863 for chats and port 6891 for
> filetransfers.
>
> Using ipf (and being quite new to it), does that mean I do this both ways
> (in/out) like:
>
> ## outgoing
>
> # Allow out msn messenger chatting and filetransfers
> pass out quick on rl0 proto tcp from any to any port = 1863 flags S keep state
> pass out quick on rl0 proto tcp from any to any port = 6891 flags S keep state
>
> ## incoming
> # Allow in msn messenger chatting and filetransfers
> pass in quick on rl0 proto tcp from any to any port = 1863 flags S keep state
> pass in quick on rl0 proto tcp from any to any port = 6891 flags S keep state
>
> Or can I drop the incoming rules?

Yes, you have keep state, and anyway the in-rules should be "from any
port = xxxx to any" if they were needed. And now you see how that would
open your host to attacks.

> ps: I'd like to test it, but don't know how to RESET ipf after making some
> changes to the rules. I do know how to restart ipnat (-CF -f filename),
> but what's the solution for ipf?

I recommend using the feature of reading your ruleset into the passive
table first: you can check that your rules parse, and you don't
accidentally open your host (this feature is lacking in pf; I was flamed
when requesting it).

  # flush inactive rules (if any)
  ipf -IFi && ipf -IFo
  # read new rules into the inactive table
  ipf -I -f <rulesfile>
  # swap active and inactive rule sets
  ipf -s
  # cleanup: flush inactive rules (if any)
  ipf -IFi && ipf -IFo

Instead of just swapping rules in, you might want to play it safe with

  ipf -s && sleep 60 && ipf -s

Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
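As an added example (not from the thread), a small Python check of the point Erik makes: run over a constructed copy of the quoted ruleset, it flags each `pass in ... to any port = N` rule as admitting new inbound connections to local port N, and notes that it is redundant wherever a stateful `pass out` rule for that port already exists. The rule grammar it parses is deliberately minimal and is an assumption of this example, not ipf's full syntax.

```python
import re

# Constructed ruleset for the example; it mirrors the rules quoted in the thread.
SAMPLE_RULES = """\
# Allow out msn messenger chatting and filetransfers
pass out quick on rl0 proto tcp from any to any port = 1863 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 6891 flags S keep state
# Allow in msn messenger chatting and filetransfers
pass in quick on rl0 proto tcp from any to any port = 1863 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 6891 flags S keep state
"""

# Minimal pattern for the "from ... to ..." part of a pass/block rule (assumed subset).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\b.*?\bfrom\s+\S+"
    r"(?:\s+port\s*=\s*(?P<sport>\d+))?\s+to\s+\S+"
    r"(?:\s+port\s*=\s*(?P<dport>\d+))?(?P<rest>.*)$"
)

def parse_rules(text):
    """Return one dict per pass/block rule; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if m:
            r = m.groupdict()
            r["keep_state"] = "keep state" in r["rest"]
            r["line"] = line
            rules.append(r)
    return rules

def audit(text):
    """Flag 'pass in' rules that admit new connections to a local port."""
    rules = parse_rules(text)
    # Destination ports already covered by a stateful outbound rule.
    stateful_out = {r["dport"] for r in rules
                    if r["action"] == "pass" and r["dir"] == "out"
                    and r["keep_state"] and r["dport"]}
    findings = []
    for r in rules:
        if r["action"] != "pass" or r["dir"] != "in" or not r["dport"]:
            continue
        why = "opens local port %s to new inbound connections" % r["dport"]
        if r["dport"] in stateful_out:
            why += "; redundant, the stateful out rule already admits replies"
        findings.append((r["dport"], why))
    return findings

if __name__ == "__main__":
    for port, why in audit(SAMPLE_RULES):
        print(port, why)
```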