From owner-freebsd-security Thu Jan 14 09:50:34 1999
From: ark@eltex.ru
Date: Thu, 14 Jan 1999 20:47:44 +0300
Message-Id: <199901141747.UAA25352@paranoid.eltex.spb.ru>
In-Reply-To: from "Martin Machacek "
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: examples rules ipfw
To: mm@i.cz
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG

nuqneH,

More than a strange way to do it. natd is ugly. Why not use TIS fwtk instead?

Martin Machacek said:

> On 14-Jan-99 Eivind Eklund wrote:
> > On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote:
> > If you need another secure approach, look at libalias.
> >
> > It contains my code for automatically creating tiny 'holes' in the
> > firewall just allowing one specific connection through.
> >
> > Unfortunately, there are not any clients in FreeBSD that use that as
> > of today, but you should be able to build it into natd and ppp fairly
> > easily (it is only two function calls to enable it; one to set the
> > rule number range in the firewall rules to use for creating 'holes',
> > and one to enable the flag).
> >
> > I guess the code could be adapted to be usable in environments without
> > NAT, but I haven't really looked into it. I don't really approve of
> > using pure packet filters for a firewall.
>
> Do you think that this feature could be used to run rsh from a net with
> private IP addresses (RFC 1918) over a NAT "firewall" (using natd) to a machine
> in front of the firewall with a public IP address? Of course it would require natd
> to be modified to utilize the PUNCH_FW feature. At present it is not possible to
> use rsh over natd because there is no application specific processing for
> rsh in libalias, so it does not allow the reverse channel carrying stderr data
> through (at least if you have the deny_incoming feature of natd on - which I
> definitely want to have). I could eventually do the necessary mod
> to natd/libalias (using PUNCH_FW). On the other hand I'm afraid that I don't
> have enough time to implement (and test) the full application specific
> processing for rsh in libalias. If the PUNCH_FW feature of libalias could make
> it easier, I may try it. I've briefly looked at it and it seems to be pretty
> straightforward, but I'm not sure that it could be used for this purpose.
>
> Martin
>
> ---
> [PGP KeyID F3F409C4]]
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

CU in Hell
/Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!
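Added example, not code from this thread, from libalias or from natd: a Python model of the rsh-aware processing the quoted reply says libalias lacks. It parses the rcmd preamble (the client's first bytes are the ASCII decimal stderr port terminated by NUL, "0" meaning no stderr channel) and allocates one firewall "hole" rule from a reserved rule-number range for the server's back-connection, releasing it when the session ends. The HoleTable, its base/count names, the ipfw-style rule text and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

RSH_PORT = 514  # rshd listens here; the rcmd client connects from a reserved port


def parse_rcmd_stderr_port(payload: bytes):
    """Parse the start of an rsh (rcmd) session sent by the client.

    The first bytes are the ASCII decimal port the client listens on for
    stderr, terminated by NUL ("0\\0" means no stderr channel).  Returns the
    port, 0 for "no stderr channel", or None if the preamble is not yet
    complete or is malformed (so nothing is punched for garbage input).
    """
    nul = payload.find(b"\x00")
    if nul < 0 or nul > 5:          # at most 5 digits before the NUL
        return None
    digits = payload[:nul]
    if not digits or not digits.isdigit():
        return None
    port = int(digits)
    return port if port <= 65535 else None


@dataclass
class HoleTable:
    """Simulated pool of ipfw rule numbers reserved for per-connection holes
    (constructed model of the PUNCH_FW idea, not the libalias API)."""
    base: int                                   # first reserved rule number
    count: int                                  # how many numbers are reserved
    rules: dict = field(default_factory=dict)   # rule number -> ipfw-style text

    def punch_rsh_stderr(self, server_ip: str, public_ip: str, port: int) -> int:
        """Allow only the rsh server's inbound stderr connection, which rshd
        opens from a reserved port, to the NAT's public address on `port`."""
        ipaddress.ip_address(server_ip)         # reject malformed addresses
        ipaddress.ip_address(public_ip)
        for n in range(self.base, self.base + self.count):
            if n not in self.rules:
                self.rules[n] = (f"add {n} allow tcp from {server_ip} 512-1023 "
                                 f"to {public_ip} {port} setup in")
                return n
        raise RuntimeError("no free hole rule numbers")

    def close(self, rule_no: int) -> None:
        """Release the hole when the rsh session closes."""
        self.rules.pop(rule_no, None)


def handle_outbound_rsh(table: HoleTable, payload: bytes, server_ip: str, public_ip: str):
    """On the first client data of an outbound rsh connection, punch a hole for
    the stderr back-channel if the client asked for one; else do nothing."""
    port = parse_rcmd_stderr_port(payload)
    if not port:                                # None (bad/incomplete) or 0
        return None
    return table.punch_rsh_stderr(server_ip, public_ip, port)
```

A real natd would additionally have to create the alias mapping so the inbound connection to the public address is translated to the private client's stderr listener; this model only shows the firewall hole.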