From: Martin Machacek
Reply-To: mm@i.cz
To: security@FreeBSD.ORG
Date: Thu, 14 Jan 1999 17:54:01 +0100 (MET)
Subject: Re: examples rules ipfw
In-Reply-To: <19990114153709.A88792@bitbox.follo.net>
X-Mailer: XFMail 1.3 [p0] on FreeBSD

On 14-Jan-99 Eivind Eklund wrote:
> On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote:
> If you need another secure approach, look at libalias.
>
> It contains my code for automatically creating tiny 'holes' in the
> firewall just allowing one specific connection through.
>
> Unfortunately, there are not any clients in FreeBSD that use that as
> of today, but you should be able to build it into natd and ppp fairly
> easily (it is only two function calls to enable it; one to set the
> rule number range in the firewall rules to use for creating 'holes',
> and one to enable the flag).
>
> I guess the code could be adapted to be usable in environments without
> NAT, but I haven't really looked into it. I don't really approve of
> using pure packet filters for a firewall.
Do you think that this feature could be used to run rsh from a net with private IP addresses (RFC 1918) over a NAT "firewall" (using natd) to a machine in front of the firewall with a public IP address? Of course it would require natd to be modified to utilize the PUNCH_FW feature.

At present it is not possible to use rsh over natd because there is no application-specific processing for rsh in libalias, so it does not allow the reverse channel carrying stderr data through (at least if you have the deny_incoming feature of natd on, which I definitely want to have).

I could eventually do the necessary mod to natd/libalias (using PUNCH_FW). On the other hand I'm afraid that I don't have enough time to implement (and test) the full application-specific processing for rsh in libalias. If the PUNCH_FW feature of libalias could make it easier, I may try it. I've briefly looked at it and it seems to be pretty straightforward, but I'm not sure that it could be used for this purpose.

Martin
---
[PGP KeyID F3F409C4]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
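As an added illustration of the rsh reverse channel the thread is discussing (example code, not part of the list message and not natd or libalias code): it parses the preamble an rsh client sends on its port-514 connection, derives the stderr connection the server will open back toward the client, and shows the payload rewrite an application-specific handler in the NAT would have to perform on top of punching a hole. The sample request and addresses are constructed.

```python
"""rsh/rcmd preamble parsing and the reverse stderr channel a NAT must admit.
Added example, not natd/libalias code. SAMPLE below is a constructed request."""
from dataclasses import dataclass
from typing import Optional, Tuple

IPPORT_RESERVED = 1024            # rshd insists the client's stderr port is reserved

@dataclass
class RshRequest:
    stderr_port: int              # 0: client asked for no separate stderr channel
    local_user: str
    remote_user: str
    command: str

def parse_rsh_preamble(data: bytes) -> RshRequest:
    """rcmd(3) sends four NUL-terminated fields on the port-514 connection:
    stderr port as decimal ASCII, local user, remote user, command."""
    fields = data.split(b"\0")
    if len(fields) < 5:           # four fields plus the empty tail after the last NUL
        raise ValueError("incomplete rsh preamble")
    port_str, luser, ruser, cmd = fields[:4]
    if not port_str.isdigit():
        raise ValueError("stderr port is not a number")
    port = int(port_str)
    # rshd rejects a non-zero stderr port outside [IPPORT_RESERVED/2, IPPORT_RESERVED)
    if port != 0 and not IPPORT_RESERVED // 2 <= port < IPPORT_RESERVED:
        raise ValueError("2nd port not reserved")
    return RshRequest(port, luser.decode(), ruser.decode(), cmd.decode())

def reverse_channel(client_ip: str, req: RshRequest) -> Optional[Tuple[str, int]]:
    """The server-initiated connection that natd's deny_incoming would drop:
    from the rsh server back to client_ip:stderr_port. None if no stderr channel."""
    if req.stderr_port == 0:
        return None
    return (client_ip, req.stderr_port)

def rewrite_stderr_port(data: bytes, public_port: int) -> Tuple[bytes, int]:
    """What application-specific processing in the NAT has to do besides opening
    the hole: substitute the externally reachable port in the payload. Returns the
    rewritten preamble and the length change, which the NAT must then compensate
    for in the TCP sequence/ack numbers of that connection."""
    old, rest = data.split(b"\0", 1)
    new = str(public_port).encode()
    return new + b"\0" + rest, len(new) - len(old)

SAMPLE = b"1022\0alice\0bob\0uptime\0"     # constructed rsh request

if __name__ == "__main__":
    req = parse_rsh_preamble(SAMPLE)
    print(req, reverse_channel("10.0.0.5", req), rewrite_stderr_port(SAMPLE, 600))
```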