Date:      Thu, 2 Mar 1995 17:00:24 +0100 (MET)
From:      Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To:        rkw@dataplex.net (Richard Wackerbarth)
Cc:        hackers@FreeBSD.org, ugen@netvision.net.il
Subject:   Re: Playing with ipfw...
Message-ID:  <199503021600.RAA10448@labinfo.iet.unipi.it>
In-Reply-To: <v02110102ab7b799a5340@[199.183.109.242]> from "Richard Wackerbarth" at Mar 2, 95 07:46:13 am

> 
> Luigi Rizzo <luigi@labinfo.iet.unipi.it> writes:
> 
> >I have been playing with ipfw lately.
> >[COMMENT] Quite often, allowing a service requires a two-line
> >   specification. As an example, I am using
> >
> >       ipfw addf accept udp from 0/0 520 to 0/0
> >       ipfw addf accept udp from 0/0 to 0/0 520
> >
> >    to let routing information pass to hosts in the subnet.
> >
> >    It would be nice to have a way to specify "one of the port
> >    numbers must be XXX". Is this supported by the system calls?
> 
> perhaps the external language could accept
> 
> "ipfw addf accept udp between 0/0 520 and 0/0"

The thing is trickier: the case 0/0 to 0/0 is very special.

If I telnet from host a to host b, I have two types of packets:
one with

	SRC_IP= a, SRC_PORT= some_port, DST_IP= b, DST_PORT= 23

and the other with

	SRC_IP= b, SRC_PORT= 23, DST_IP= a, DST_PORT= some_port

so I probably need two rules in ipfw (if I understand correctly, the
fields passed to IPFW are matched against the IP/TCP/UDP headers).
If I want to pass telnet packets from b to a, two more packets are
present:

	SRC_IP= b, SRC_PORT= some_port, DST_IP= a, DST_PORT= 23
	SRC_IP= a, SRC_PORT= 23, DST_IP= b, DST_PORT= some_port

which means two more rules.

In my opinion, it does not make much sense in the user interface to
specify the source port. It would be less confusing to assume that
a port is actually a service, and filter access to services. I'd
like something like the following:

    accept tcp from source.host to dest.host portX

to mean "source.host is allowed access to service on portX on dest.host"

Of course I might be wrong.
	Luigi
====================================================================
Luigi Rizzo                     Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it       Universita' di Pisa
tel: +39-50-568533              via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522
====================================================================
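The matching behaviour described in the message, as an added illustration that is not part of the original mail or of FreeBSD's ipfw: a stateless header matcher in which "0/0" is written as 0.0.0.0/0 and port 0 means "any port", plus the expansion of the proposed service-oriented rule into the two header rules it needs. Hosts a and b are constructed sample addresses.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"  # the ipfw spelling "0/0", written out for the ipaddress module


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One header-level rule, as in 'ipfw addf accept udp from 0/0 520 to 0/0'.
    A port of 0 means 'any port', just as 0.0.0.0/0 means 'any host'."""
    proto: str
    src_net: str
    src_port: int
    dst_net: str
    dst_port: int

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.src_port in (0, p.src_port)
                and self.dst_port in (0, p.dst_port))


def accepted(rules, p: Packet) -> bool:
    """Stateless accept list: a packet passes if any rule matches its headers."""
    return any(r.matches(p) for r in rules)


def service_rules(proto: str, src_net: str, dst_net: str, port: int):
    """Expand 'accept <proto> from src to dst portX' (the service-oriented form
    proposed in the message) into the two header rules a stateless filter needs:
    requests towards the service port, and replies coming back from it."""
    return [Rule(proto, src_net, 0, dst_net, port),
            Rule(proto, dst_net, port, src_net, 0)]


A, B = "10.0.0.1", "10.0.0.2"  # constructed sample hosts
# The two packets of one telnet session a -> b, exactly as listed in the message.
TELNET_REQ = Packet("tcp", A, 40000, B, 23)
TELNET_RPL = Packet("tcp", B, 23, A, 40000)
# The RIP pair from the quoted text: one rule per direction of port 520.
RIP_RULES = [Rule("udp", ANY, 520, ANY, 0), Rule("udp", ANY, 0, ANY, 520)]
```

Because the matcher is stateless, the reply rule also lets any packet with source port 23 from dest.host reach any port on source.host; that is inherent in port-based rules of this kind, and is the gap that connection tracking in later packet filters was designed to close.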
