From owner-freebsd-security Sun Jun 27 04:07:43 1999
Message-ID: <19990627130705.A11859@foobar.franken.de>
Date: Sun, 27 Jun 1999 13:07:05 +0200
From: Harold Gutch
To: Mark Newton, Michael Maxwell
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewalling problem.
References: <19990626210402.B1580@atlas.topquark.org> <199906270218.LAA42821@atdot.dotat.org>
In-Reply-To: <199906270218.LAA42821@atdot.dotat.org>; from Mark Newton on Sun, Jun 27, 1999 at 11:48:51AM +0930

On Sun, Jun 27, 1999 at 11:48:51AM +0930, Mark Newton wrote:
> Michael Maxwell wrote:
>
> > Problem:
> > I cannot allow my local net machines to talk outside to the net and still
> > have a useful firewall at the same time. The rule that allows the local
> > hosts to talk outside completely defeats the purpose of having any OTHER
> > rules in the first place (ipfw allow ip from any to any). I have tried
> > restricting the first "any" to :, but this also does not
> > work.
>
> Read up the manpage for the "established" keyword.
>
I may be wrong, but IIRC, the actual talk connection is established between two arbitrary TCP ports; port 518 is only used for the first "handshake", when checking whether the remote user is logged in, telling them the local port to connect to, etc. AFAIK there is no way to allow talk without opening everything...

> More generally, run out and buy a copy of "Building Internet Firewalls"
> by Bellovin and Cheswick.
> ...
which (if I'm not mistaken) they say as well (I again may be wrong, it's been a while since I had a *short* look at this book).

bye,
  Harold

--
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
                         Wed Mar 4 04:53:33 CET 1998  #unix, ircnet
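The point Harold makes about talk is easiest to see on the wire. The datagram that talk(1) sends to the remote talkd on UDP port 518 is an ntalk CTL_MSG, and the TCP port the other side must later connect to is carried inside that datagram, chosen by the caller's kernel at run time. The following decoder is an added example written for this archive; it is not code from the thread, from talk(1) or from ipfw. It follows the CTL_MSG layout from BSD's <protocols/talkd.h> (84 bytes, big-endian, two 4.3BSD-style osockaddr fields), and the sample ANNOUNCE, the hosts 192.0.2.10 / 198.51.100.7, the user names and the port numbers are all constructed. The `callback_rule` helper renders the one-conversation hole in ipfw's "allow tcp from any to <host> <port> setup" syntax purely to illustrate what a packet filter would need to know; a static ruleset has no way to learn that port, which is why the "established" keyword (which matches only packets of already-open TCP connections, not the callee's incoming SYN) does not solve the problem.

```python
"""Decode ntalk (UDP/518) control messages to show where the callback port lives."""
import socket
import struct

# CTL_MSG wire layout from BSD <protocols/talkd.h>, 84 bytes, big-endian:
#   vers, type, answer, pad (1 byte each), id_num (4),
#   addr (osockaddr, 16), ctl_addr (osockaddr, 16), pid (4),
#   l_name (12), r_name (12), r_tty (16)
CTL_MSG_FMT = "!BBBBIH14sH14si12s12s16s"
CTL_MSG_LEN = struct.calcsize(CTL_MSG_FMT)  # 84
NTALK_PORT = 518
TALK_VERSION = 1
AF_INET_WIRE = 2  # sa_family value for IPv4 in the 4.3BSD osockaddr

LEAVE_INVITE, LOOK_UP, DELETE, ANNOUNCE = 0, 1, 2, 3
TYPE_NAMES = {LEAVE_INVITE: "LEAVE_INVITE", LOOK_UP: "LOOK_UP",
              DELETE: "DELETE", ANNOUNCE: "ANNOUNCE"}


def _pack_osockaddr(ip, port):
    """4.3BSD sockaddr body for AF_INET: port(2) | ipv4(4) | 8 zero bytes."""
    return AF_INET_WIRE, struct.pack("!H4s8x", port, socket.inet_aton(ip))


def _unpack_osockaddr(family, sa_data):
    if family != AF_INET_WIRE:
        raise ValueError("unsupported address family %d" % family)
    port, raw_ip = struct.unpack("!H4s", sa_data[:6])
    return socket.inet_ntoa(raw_ip), port


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def build_ctl_msg(mtype, callback, ctl, id_num, pid, l_name, r_name, r_tty=""):
    """Encode a CTL_MSG as the talk client sends it to the remote talkd."""
    fam_a, data_a = _pack_osockaddr(*callback)  # TCP socket the caller listens on
    fam_c, data_c = _pack_osockaddr(*ctl)       # caller's UDP control socket
    return struct.pack(CTL_MSG_FMT, TALK_VERSION, mtype, 0, 0, id_num,
                       fam_a, data_a, fam_c, data_c, pid,
                       l_name.encode("ascii"), r_name.encode("ascii"),
                       r_tty.encode("ascii"))


def parse_ctl_msg(payload):
    """Decode a CTL_MSG; raise ValueError on anything talkd would reject."""
    if len(payload) != CTL_MSG_LEN:
        raise ValueError("expected %d bytes, got %d" % (CTL_MSG_LEN, len(payload)))
    (vers, mtype, _answer, _pad, id_num, fam_a, data_a, fam_c, data_c, pid,
     l_name, r_name, r_tty) = struct.unpack(CTL_MSG_FMT, payload)
    if vers != TALK_VERSION:
        raise ValueError("unsupported talk protocol version %d" % vers)
    if mtype not in TYPE_NAMES:
        raise ValueError("unknown request type %d" % mtype)
    return {
        "type": TYPE_NAMES[mtype],
        "id": id_num,
        "callback": _unpack_osockaddr(fam_a, data_a),
        "ctl": _unpack_osockaddr(fam_c, data_c),
        "pid": pid,
        "l_name": _cstr(l_name),
        "r_name": _cstr(r_name),
        "r_tty": _cstr(r_tty),
    }


def callback_rule(msg):
    """The hole a packet filter would need for this one conversation.

    The callee's talk(1) sends a SYN to the caller's ephemeral TCP port, so
    ipfw's 'established' never matches it; only the ANNOUNCE reveals the port.
    Illustrative ipfw syntax, not something ipfw can derive on its own."""
    if msg["type"] != "ANNOUNCE":
        return None
    ip, port = msg["callback"]
    return "allow tcp from any to %s %d setup" % (ip, port)


# Constructed sample: alice on 192.0.2.10 (inside the firewall) invites bob on
# 198.51.100.7. Her kernel picked TCP 3456 for the listening socket and
# UDP 2345 for the control socket; this datagram goes to 198.51.100.7:518.
SAMPLE_ANNOUNCE = build_ctl_msg(ANNOUNCE, ("192.0.2.10", 3456),
                                ("192.0.2.10", 2345), id_num=7, pid=4242,
                                l_name="alice", r_name="bob")

if __name__ == "__main__":
    decoded = parse_ctl_msg(SAMPLE_ANNOUNCE)
    print(decoded)
    print(callback_rule(decoded))
```

Running it decodes the constructed ANNOUNCE and prints the callback endpoint 192.0.2.10:3456, the value that only exists once the caller's kernel has bound the socket; every new conversation gets a different one, which is exactly why a fixed ipfw rule for "talk" cannot be written beyond opening UDP 518 plus the ephemeral TCP range.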