From owner-freebsd-questions Mon Jun 17 6:19:30 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp.a1poweruser.com (oh-chardon6a-62.clvhoh.adelphia.net [68.65.175.62]) by hub.freebsd.org (Postfix) with ESMTP id E592E37B40E for ; Mon, 17 Jun 2002 06:19:22 -0700 (PDT)
Received: from barbish (unknown [10.0.10.6]) by smtp.a1poweruser.com (Postfix) with SMTP id D439D10F; Mon, 17 Jun 2002 09:22:18 -0400 (EDT)
Reply-To:
From: "Joe & Fhe Barbish"
To: "Alexander V Zubchenko"
Cc: "FBSDQ"
Subject: RE: How to use natd -punch_fw
Date: Mon, 17 Jun 2002 09:19:20 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
In-Reply-To: <20020617085417.S9334-100000@server.hermes-comp.zp.ua>
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Thank you Alexander for this information about the basenumber and count values for the -punch_fw natd command. I understand the basenumber is the statement number in the ipfw rules file where the -punch_fw function will insert its dynamically created rules, and the count value is the max number of dynamic rules which are allowed to be created.

Why such a large value (200) for the count? I can code 2 keep-state rules to allow FTP in & out. What is this function doing that it needs 200 rules? What kind of dynamic ipfw rules is -punch_fw creating and inserting into the ipfw rules table on the fly? (stateless, setup/established, keep-state/check-state)

The man doc says -punch_fw will dynamically create ipfw rules for FTP/IRC/DCC connections. What if I only want -punch_fw for FTP outbound to the public internet? I don't see how to just get this variation.
Using -punch_fw will allow setup requests for outbound and inbound packets for all 3 connections FTP/IRC/DCC; this sure seems like a very big security hole. Without the means to specify which connection type to allow and the direction of the connection to allow, this natd option is useless and a security risk. This -punch_fw function should really be an option on the ipfw rules statement so selection control can be achieved, instead of a NATD option.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Alexander V Zubchenko
Sent: Monday, June 17, 2002 1:59 AM
To: Joe & Fhe Barbish
Cc: FBSDQ
Subject: Re: How to use natd -punch_fw

Greetings!

On Sat, 15 Jun 2002, Joe & Fhe Barbish wrote:

> -punch_fw basenumber:count
> This option directs natd to ``punch holes'' in an
> ipfirewall(4) based firewall for FTP/IRC DCC connections.
> This is done dynamically by installing temporary firewall
> rules which allow a particular connection (and only that
> connection) to go through the firewall. The rules are removed
> once the corresponding connection terminates.

So this is clear. This part explains what it is supposed to do.

> A maximum of count rules starting from the rule number
> basenumber will be used for punching firewall holes. The
> range will be cleared for all rules on startup.

This means that the real numbers depend on your firewall settings. Basenumber is the number of the first created rule. Count is the maximum number of inserted rules. Look at Your firewall configuration, where You want to add these rules. E.g.:

100 check-state
500 deny log....
65000 allow...

And You want rules created by natd to be inserted after check-state ('rule 100'). So use -punch_fw 101:300 (for example), or even better 200:200 (enough, imho, and leaves space for playing around with firewall setup by hand). This is the information I have. Hope this helps.
Alexander V Zubchenko, E-Mail: stalker@hermes-comp.zp.ua
System Administrator, WWW: http://www.hermes-comp.zp.ua/
Hermes-comp, Ukraine, Zaporizhzhya, Geroev Stalingrada 50
phone/fax: +380 612 64-19-72

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
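Added example (not from either message in the thread, and not natd's or ipfw's own code): a small POSIX sh check for the point Alexander makes about picking basenumber:count. natd's dynamic rules occupy the numbers basenumber through basenumber+count-1, so the range should sit after the check-state rule and must not overlap any static rule, or a static rule gets clobbered or the dynamic rules land where the rule order does not intend. The listing below is a constructed sample in `ipfw list` style following Alexander's sketch (100 check-state, 500 deny, 65000 allow); the function names are my own.

```sh
#!/bin/sh
# Added example: verify that a natd -punch_fw BASE:COUNT range is free of
# static ipfw rules and lies after the check-state rule.
# SAMPLE_RULES is a constructed listing in "ipfw list" format (hypothetical
# rule numbers taken from Alexander's sketch), not output from a real host.
SAMPLE_RULES='00100 check-state
00500 deny log ip from any to any
65000 allow ip from any to any'

# punch_fw_range BASE COUNT -> prints "first last", the rule numbers natd may use
punch_fw_range() {
    base=$1; count=$2
    echo "$base $((base + count - 1))"
}

# punch_fw_check BASE COUNT [LISTING]
# Returns 0 when no static rule falls inside BASE..BASE+COUNT-1 and the range
# starts after the check-state rule; returns 1 and prints the reason otherwise.
punch_fw_check() {
    base=$1; count=$2
    listing=${3:-$SAMPLE_RULES}
    last=$((base + count - 1))

    # Rule number of the first check-state rule ("$1+0" strips leading zeros).
    checkstate=$(printf '%s\n' "$listing" | awk '$2=="check-state"{print $1+0; exit}')
    if [ -n "$checkstate" ] && [ "$base" -le "$checkstate" ]; then
        echo "range starts at or before check-state rule $checkstate"
        return 1
    fi

    # First static rule whose number lies inside the punch_fw range, if any.
    collide=$(printf '%s\n' "$listing" | awk -v lo="$base" -v hi="$last" '
        { n = $1 + 0; if (n >= lo + 0 && n <= hi + 0) { print n; exit } }')
    if [ -n "$collide" ]; then
        echo "static rule $collide lies inside punch_fw range $base:$count"
        return 1
    fi

    echo "punch_fw $base:$count uses rules $base-$last; no collision"
    return 0
}

# Demo: Alexander's suggested 200:200 passes; 400:200 would swallow rule 500.
punch_fw_check 200 200
punch_fw_check 400 200 || :
```

To use it against a live box, pipe the real listing in as the third argument (`punch_fw_check 200 200 "$(ipfw list)"`); the check only reads rule numbers and the keyword in the second column, so any rule body is fine. It deliberately ignores rules natd itself inserted in a previous run, since the man page says the range is cleared on startup anyway.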