Date:      Thu, 14 Jan 1999 20:47:44 +0300
From:      ark@eltex.ru
To:        mm@i.cz
Cc:        security@FreeBSD.ORG
Subject:   Re: examples rules ipfw
Message-ID:  <199901141747.UAA25352@paranoid.eltex.spb.ru>
In-Reply-To: <XFMail.990114175401.mm@i.cz> from "Martin Machacek <mm@i.cz>"

nuqneH,

A more than strange way to do it. natd is ugly. Why not use TIS fwtk
instead?

Martin Machacek <mm@i.cz> said :

> 
> On 14-Jan-99 Eivind Eklund wrote:
> > On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote:
> > If you need another secure approach, look at libalias.
> > 
> > It contains my code for automatically creating tiny 'holes' in the
> > firewall just allowing one specific connection through.
> > 
> > Unfortunately, there are not any clients in FreeBSD that use that as
> > of today, but you should be able to build it into natd and ppp fairly
> > easily (it is only two function calls to enable it; one to set the
> > rule number range in the firewall rules to use for creating 'holes',
> > and one to enable the flag).
> > 
> > I guess the code could be adapted to be usable in environments without
> > NAT, but I haven't really looked into it.  I don't really approve of
> > using pure packet filters for a firewall.
> 
> Do you think that this feature could be used to run rsh from net with
> private IP addresses (RFC 1918) over NAT "firewall" (using natd) to machine
> in front of the firewall with public IP address? Of course it would require natd
> to be modified to utilize the PUNCH_FW feature. At present it is not possible to
> use rsh over natd because there is no application specific processing for
> rsh in libalias, so it does not allow the reverse channel carrying stderr data
> through (at least if you have the deny_incoming feature of natd on - which I
> definitely want to have). I could eventually do the necessary mod
> to natd/libalias (using PUNCH_FW). On the other hand I'm afraid that I don't
> have enough time to implement (and test) the full application specific
> processing for rsh in libalias. If the PUNCH_FW feature of libalias could make
> it easier, I may try it. I've briefly looked at it and it seems to be pretty
> straightforward, but I'm not sure that it could be used for this purpose.
> 
>         Martin 
> 
> ---
> [PGP KeyID F3F409C4]
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
