Date: Thu, 14 Jan 1999 20:47:44 +0300 From: ark@eltex.ru To: mm@i.cz Cc: security@FreeBSD.ORG Subject: Re: examples rules ipfw Message-ID: <199901141747.UAA25352@paranoid.eltex.spb.ru> In-Reply-To: <XFMail.990114175401.mm@i.cz> from "Martin Machacek <mm@i.cz>"
next in thread | previous in thread | raw e-mail | index | archive | help
nuqneH, More than strange way to do. natd is ugly. why not to use TIS fwtk instead? Martin Machacek <mm@i.cz> said : > > On 14-Jan-99 Eivind Eklund wrote: > > On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote: > > If you need another secure approach, look at libalias. > > > > It contains my code for automatically creating tiny 'holes' in the > > firewall just allowing one specific connection through. > > > > Unfortunately, there are not any clients in FreeBSD that use that as > > of today, but you should be able to build it into natd and ppp fairly > > easily (it is only two function calls to enable it; one to set the > > rule number range in the firewall rules to use for creating 'holes', > > and one to enable the flag). > > > > I guess the code could be adapted to be usable in environments without > > NAT, but I haven't really looked into it. I don't really approve of > > using pure packet filters for a firewall. > > Do you think that this feature could be used to run rsh from net with > private IP addresses (RFC 1918) over NAT "firewall" (using natd) to machine > in front of the firewall with public IP address? Of course it would require natd > to be modified to utilize the PUNCH_FW feature. At present it is not possible to > use rsh over natd because there is no application specific processing for > rsh in libalias, so it does not allow the reverse channel carrying stderr data > through (at least if you have the deny_incoming feature of natd on - which I > definitely want to have). I could eventualy do the necessary mod > to natd/libalias (using PUNCH_FW). On the other hand I'm afraid that I don't > have enough time to implement (and test) the full application specific > processing for rsh in libalias. If the PUNCH_FW feature of libalias could make > it easier, I may try it. I've briefly looked at it and it seems to be pretty > straight forward, but I'm not sure that it could be used for this purpose. > > Martin > > --- > [PGP KeyID F3F409C4]] > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199901141747.UAA25352>