Date: Sat, 27 Nov 1999 08:10:40 +0100
From: "Christian BRUNO" <brunoc@ifrance.com>
To: <freebsd-ipfw@freebsd.org>
Subject: new ipfw : non passive ftp and irc/dcc with firewalling
Message-ID: <003801bf38a6$94c92500$31f436c1@ujfgrenoble.fr>
hello,

this message was already posted to the freebsd-hackers list, but this list seems to be the right one for firewalling/address aliasing.

i was modifying the libalias source to implement an h323 capability for use with NATD and real firewalling (i mean "deny of incoming tcp connection setups") and i found a function that seems to be disabled in my current fbsd 3.0: the fwpunchhole()
this function dynamically creates a rule in the firewall to allow an incoming tcp setup from a host on a specific tcp port

this allows non-passive FTP and IRC/DCC to work with a firewall rule like:
## ipfw 10000 deny tcp from any to any in recv ppp0 setup

my question: will this function disappear from the next IPFW release?
what is your opinion about re-activating this piece of code in natd and adding a command line option to enable it?

this would solve my problem: when i get an incoming H323 call setup (through ipfw DIVERT), i update the h323 session state but the packet is blocked later by the rule "deny tcp setup". is there another way to achieve this and allow this particular packet to go through the firewall without dynamically adding a new rule?

i think the new ipfw should allow "firewall holes" because many FreeBSD boxes are used as routers/firewalls in small networks (imo)

thanks for your comments or ideas!

Regards
Christian Bruno
brunoc@ifrance.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003801bf38a6$94c92500$31f436c1>
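The mechanism the mail asks about, a dynamically inserted allow rule that sits in front of the blanket "deny tcp ... setup" rule and is scoped to one peer host and one port, is shown below as an added simulation. This is not code from the mail, from libalias/natd or from ipfw itself; it models ipfw's first-match, ascending-rule-number evaluation with a small rule engine, and the class names, helper `punch_hole`, addresses, ports and rule numbers are all constructed for the demonstration. It makes three points a practitioner would want to check: the hole must carry a lower number than the deny rule or it never matches, it should match only the expected source host and destination port so it does not become a general opening, and it must be deleted again when the data session it was opened for ends.

```python
"""Simulation of ipfw-style "firewall holes" (added example, not natd/libalias code).

ipfw evaluates rules in ascending rule-number order and the first match wins.
A punched hole therefore only works if it is numbered below the blanket
"deny ... setup" rule; it should be scoped to one source host and one
destination port, and removed once the data connection is gone.
Every name, address, port and rule number here is constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    setup: bool        # TCP SYN without ACK, i.e. a connection setup
    direction: str     # "in" or "out"
    iface: str         # interface the packet was received on


@dataclass
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str = "ip"               # "ip" matches any protocol, like ipfw
    src: Optional[str] = None       # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    setup: bool = False             # True: match only connection setups
    direction: Optional[str] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every specified field must agree with the packet; unset fields match anything."""
        return (
            (self.proto == "ip" or self.proto == p.proto)
            and (self.src is None or self.src == p.src)
            and (self.dst is None or self.dst == p.dst)
            and (self.dport is None or self.dport == p.dport)
            and (not self.setup or p.setup)
            and (self.direction is None or self.direction == p.direction)
            and (self.iface is None or self.iface == p.iface)
        )


class Firewall:
    """Tiny first-match engine: lowest rule number first, stable within a number."""

    def __init__(self, default_action: str = "allow") -> None:
        self.rules: list[Rule] = []
        self.default_action = default_action

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def delete(self, number: int) -> None:
        # Like "ipfw delete N": drop every rule carrying that number.
        self.rules = [r for r in self.rules if r.number != number]

    def check(self, p: Packet) -> str:
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(p):
                return rule.action
        return self.default_action


def punch_hole(fw: Firewall, number: int, src: str, dport: int, iface: str) -> int:
    """Hypothetical helper: allow one inbound setup from src to dport on iface."""
    fw.add(Rule(number, "allow", "tcp", src=src, dport=dport, setup=True,
                direction="in", iface=iface))
    return number


def demo() -> dict:
    fw = Firewall()
    # The blanket rule from the mail: block every inbound TCP setup on ppp0.
    fw.add(Rule(10000, "deny", "tcp", setup=True, direction="in", iface="ppp0"))
    # Constructed traffic: a non-passive FTP server (192.0.2.10) opening the
    # data connection back to the client's port 1234, plus two look-alikes.
    syn = Packet("tcp", "192.0.2.10", "203.0.113.5", 1234, True, "in", "ppp0")
    other_host = Packet("tcp", "198.51.100.7", "203.0.113.5", 1234, True, "in", "ppp0")
    other_port = Packet("tcp", "192.0.2.10", "203.0.113.5", 22, True, "in", "ppp0")
    results = {"before_hole": fw.check(syn)}                 # deny
    hole = punch_hole(fw, 9990, "192.0.2.10", 1234, "ppp0")  # numbered below 10000
    results["with_hole"] = fw.check(syn)                     # allow
    results["other_host"] = fw.check(other_host)             # deny: wrong peer
    results["other_port"] = fw.check(other_port)             # deny: wrong port
    # A hole numbered above the deny rule is dead: the deny matches first.
    fw.add(Rule(10010, "allow", "tcp", src="198.51.100.7", dport=1234,
                setup=True, direction="in", iface="ppp0"))
    results["hole_after_deny"] = fw.check(other_host)        # still deny
    # When the data session ends the hole is removed and the blanket rule rules again.
    fw.delete(hole)
    results["after_close"] = fw.check(syn)                   # deny
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The `hole_after_deny` case is the one that bites in practice: a rule appended with `ipfw add` and no explicit number lands after the deny and silently does nothing, so a punch-hole implementation has to pick its number relative to the blocking rule, and it has to track the hole so it can delete it when the session closes rather than leaving the opening in place.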