From owner-freebsd-security Thu Jan 14 11:13:57 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA20725 for freebsd-security-outgoing; Thu, 14 Jan 1999 11:13:57 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA20717 for ; Thu, 14 Jan 1999 11:13:53 -0800 (PST) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id UAA19353; Thu, 14 Jan 1999 20:12:43 +0100 (CET)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id UAA90029; Thu, 14 Jan 1999 20:12:41 +0100 (MET)
Date: Thu, 14 Jan 1999 20:12:40 +0100
From: Eivind Eklund
To: Martin Machacek
Cc: security@FreeBSD.ORG
Subject: Re: examples rules ipfw
Message-ID: <19990114201240.B88792@bitbox.follo.net>
References: <19990114153709.A88792@bitbox.follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: ; from Martin Machacek on Thu, Jan 14, 1999 at 05:54:01PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jan 14, 1999 at 05:54:01PM +0100, Martin Machacek wrote:
>
> On 14-Jan-99 Eivind Eklund wrote:
> > On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote:
> > If you need another secure approach, look at libalias.
> >
> > It contains my code for automatically creating tiny 'holes' in the
> > firewall just allowing one specific connection through.
> >
> > Unfortunately, there are not any clients in FreeBSD that use that as
> > of today, but you should be able to build it into natd and ppp fairly
> > easily (it is only two function calls to enable it; one to set the
> > rule number range in the firewall rules to use for creating 'holes',
> > and one to enable the flag).
> >
> > I guess the code could be adapted to be usable in environments without
> > NAT, but I haven't really looked into it. I don't really approve of
> > using pure packet filters for a firewall.
>
> Do you think that this feature could be used to run rsh from net with
> private IP addresses (RFC 1918) over NAT "firewall" (using natd) to machine
> in front of the firewall with public IP address?

I don't know - I've not looked at the rsh protocol at all. I didn't
even know it was an active protocol (i.e., used backward connections).

Any reason you can't use ssh?

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
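The mechanism Eivind describes above, a reserved range of firewall rule numbers plus a flag that enables punching a per-connection 'hole', is modelled here as an added example. This is not code from the thread, from libalias or from natd; the class and method names (`HolePuncher`, `set_fw_base`, `enable`, `punch`, `close`) and the rule-number range 2000-2001 are assumptions made for illustration. The model only records the `ipfw add` / `ipfw delete` commands it would issue (dry run) and refuses to punch when the reserved range is exhausted, so a burst of connections cannot spill rules outside the range the administrator set aside.

```python
"""Model of firewall 'hole punching' for a single connection (constructed example).

Each hole is one 'allow' rule matching exactly one 5-tuple, installed in a
rule-number range reserved for that purpose and removed when the connection
ends.  Nothing here talks to a real ipfw; commands are collected as strings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One specific connection: protocol plus source/destination address and port."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class HolePuncher:
    rule_base: int = 0                 # first rule number reserved for holes
    rule_count: int = 0                # size of the reserved range
    punch_enabled: bool = False        # the 'flag' from the message
    in_use: Dict[int, Flow] = field(default_factory=dict)   # rule number -> flow
    commands: List[str] = field(default_factory=list)       # dry-run ipfw commands

    def set_fw_base(self, base: int, count: int) -> None:
        """Call one of two: reserve rule numbers base .. base+count-1 for holes."""
        if count <= 0 or base <= 0:
            raise ValueError("rule range must be a positive, non-empty interval")
        self.rule_base, self.rule_count = base, count

    def enable(self) -> None:
        """Call two of two: turn punching on (nothing is punched before this)."""
        self.punch_enabled = True

    def punch(self, flow: Flow) -> Optional[int]:
        """Install an allow rule for exactly this flow; return its rule number.

        Returns None when punching is disabled or every reserved rule number is
        already in use.  Refusing is deliberate: widening an existing hole or
        borrowing a rule number outside the range would weaken the firewall.
        """
        if not self.punch_enabled or self.rule_count == 0:
            return None
        for n in range(self.rule_base, self.rule_base + self.rule_count):
            if n not in self.in_use:
                self.in_use[n] = flow
                self.commands.append(
                    f"ipfw add {n} allow {flow.proto} "
                    f"from {flow.src} {flow.sport} to {flow.dst} {flow.dport}"
                )
                return n
        return None

    def close(self, flow: Flow) -> bool:
        """Remove the hole for a finished connection; True if one was open."""
        for n, f in list(self.in_use.items()):
            if f == flow:
                del self.in_use[n]
                self.commands.append(f"ipfw delete {n}")
                return True
        return False


def demo() -> List[str]:
    """Punch holes for two flows, exhaust the range, close one, reuse its slot."""
    hp = HolePuncher()
    hp.set_fw_base(2000, 2)          # assumed range: rules 2000 and 2001
    hp.enable()
    # Constructed sample flows (RFC 1918 source behind NAT, documentation-range dst).
    a = Flow("tcp", "10.0.0.5", 1023, "198.51.100.5", 514)
    b = Flow("tcp", "10.0.0.6", 1022, "198.51.100.5", 514)
    c = Flow("tcp", "10.0.0.7", 1021, "198.51.100.5", 514)
    hp.punch(a)                       # -> 2000
    hp.punch(b)                       # -> 2001
    hp.punch(c)                       # -> None, range exhausted
    hp.close(a)                       # frees 2000
    hp.punch(c)                       # -> 2000, slot reused
    return hp.commands


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The rule numbers that natd or ppp would pass to a real implementation should sit between the rules that admit established traffic and the final deny, so a hole admits only the connection it was opened for and nothing else changes in the policy.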