From owner-freebsd-hackers Thu Mar 2 11:05:51 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id LAA00206 for hackers-outgoing; Thu, 2 Mar 1995 11:05:51 -0800
Received: from labinfo.iet.unipi.it (labinfo.iet.unipi.it [131.114.9.5]) by freefall.cdrom.com (8.6.9/8.6.6) with ESMTP id LAA00193 for ; Thu, 2 Mar 1995 11:05:36 -0800
Received: from localhost (luigi@localhost) by labinfo.iet.unipi.it (8.6.5/8.6.5) id RAA10448; Thu, 2 Mar 1995 17:00:25 +0100
From: Luigi Rizzo
Message-Id: <199503021600.RAA10448@labinfo.iet.unipi.it>
Subject: Re: Playing with ipfw...
To: rkw@dataplex.net (Richard Wackerbarth)
Date: Thu, 2 Mar 1995 17:00:24 +0100 (MET)
Cc: hackers@FreeBSD.org, ugen@netvision.net.il
In-Reply-To: from "Richard Wackerbarth" at Mar 2, 95 07:46:13 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1982
Sender: hackers-owner@FreeBSD.org
Precedence: bulk

> > Luigi Rizzo writes:
> > >I have been playing with ipfw lately.
> >[COMMENT] Quite often, allowing a service requires a two-line
> > specification. As an example, I am using
> >
> >     ipfw addf accept udp from 0/0 520 to 0/0
> >     ipfw addf accept udp from 0/0 to 0/0 520
> >
> > to let routing information pass to hosts in the subnet.
> >
> > It would be nice to have a way to specify "one of the port
> > numbers must be XXX". Is this supported by the system calls?
> > Perhaps the external language could accept
> >     "ipfw addf accept udp between 0/0 520 and 0/0"

The thing is trickier; the case 0/0 to 0/0 is very special.

If I telnet from host a to host b, I have two types of packets: one with

    SRC_IP= a, SRC_PORT= some_port, DST_IP= b, DST_PORT= 23

and the other with

    SRC_IP= b, SRC_PORT= 23, DST_IP= a, DST_PORT= some_port

so I probably need two rules in ipfw (if I understand well, the fields
passed to IPFW are matched with the IP/TCP/UDP headers).
If I want to pass telnet packets from b to a, two more packets are present:

    SRC_IP= b, SRC_PORT= some_port, DST_IP= a, DST_PORT= 23
    SRC_IP= a, SRC_PORT= 23, DST_IP= b, DST_PORT= some_port

which means two more rules.

In my opinion, it doesn't make much sense in the user interface to specify
the source port. It would be less confusing to assume that a port is
actually a service, and filter access to services. I'd like something
like the following:

    accept tcp from source.host to dest.host portX

to mean "source.host is allowed access to service on portX on dest.host".

Of course I might be wrong.

	Luigi

====================================================================
Luigi Rizzo                      Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it        Universita' di Pisa
tel: +39-50-568533               via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522
====================================================================
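An added example, not part of Luigi's mail or of ipfw itself, that models the per-packet matching the thread describes: each rule is compared with a packet's own IP/TCP/UDP header fields, so a one-direction rule never covers the reply, and a service-style rule of the kind Luigi proposes has to expand into two header-level rules. The hosts, ports, `Rule` class and the small parser for the quoted `accept ... from ... to ...` syntax are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _net(spec):
    # "0/0" is the ipfw shorthand for any host; a bare address is one host
    if spec == "0/0":
        return ip_network("0.0.0.0/0")
    return ip_network(spec if "/" in spec else spec + "/32")

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sport: Optional[int]   # None: any source port
    dst: str
    dport: Optional[int]   # None: any destination port

    def matches(self, p):
        # Every field is checked against the packet's own header, so one
        # rule only ever describes one direction of a conversation.
        return (p.proto == self.proto
                and ip_address(p.src_ip) in _net(self.src)
                and ip_address(p.dst_ip) in _net(self.dst)
                and self.sport in (None, p.src_port)
                and self.dport in (None, p.dst_port))

def parse_rule(text):
    """Parse 'accept udp from 0/0 520 to 0/0' (the addf syntax quoted above)."""
    t = text.split()
    assert t[0] == "accept" and t[2] == "from" and "to" in t
    i = t.index("to")
    sport = int(t[4]) if i == 5 else None          # port given after the source
    dport = int(t[i + 2]) if len(t) > i + 2 else None  # port after the destination
    return Rule(t[1], t[3], sport, t[i + 1], dport)

def service_rules(proto, src, dst, port):
    """Service-style rule: src may reach the service on port at dst.
    Expands to the request rule plus the reply rule ipfw would need."""
    return [Rule(proto, src, None, dst, port), Rule(proto, dst, port, src, None)]

def accepted(rules, pkt):
    return any(r.matches(pkt) for r in rules)
```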