Date:      Fri, 3 Mar 1995 10:30:41 +1100 (EST)
From:      Darren Reed <darrenr@vitruvius.arbld.unimelb.edu.au>
To:        luigi@labinfo.iet.unipi.it (Luigi Rizzo)
Cc:        rkw@dataplex.net, hackers@FreeBSD.org, ugen@netvision.net.il
Subject:   Re: Playing with ipfw...
Message-ID:  <199503022330.KAA09244@vitruvius.arbld.unimelb.EDU.AU>
In-Reply-To: <199503021600.RAA10448@labinfo.iet.unipi.it> from "Luigi Rizzo" at Mar 2, 95 05:00:24 pm

In some email I received from Luigi Rizzo, they wrote:
> 
> > Luigi Rizzo <luigi@labinfo.iet.unipi.it> writes:
> > 
> > >I have been playing with ipfw lately.
> > >[COMMENT] Quite often, allowing a service requires a two-line
> > >   specification. As an example, I am using
> > >
> > >       ipfw addf accept udp from 0/0 520 to 0/0
> > >       ipfw addf accept udp from 0/0 to 0/0 520
> > >
> > >    to let routing information pass to hosts in the subnet.
> > >
> > >    It would be nice to have a way to specify "one of the port
> > >    numbers must be XXX". Is this supported by the system calls ?
> > 
> > perhaps the external language could accept
> > 
> > "ipfw addf accept udp between 0/0 520 and 0/0"
> 
> The thing is trickier, the case 0/0 to 0/0 is very special.
> 
> If I telnet from host a to host b, I have two types of packets:
> one with
> 
> 	SRC_IP= a, SRC_PORT= some_port, DST_IP= b, DST_PORT= 23
> 
> and the other with
> 
> 	SRC_IP= b, SRC_PORT= 23, DST_IP= a, DST_PORT= some_port
> 
> so I need probably two rules in ipfw (if I understand well, the
> fields passed to IPFW are matched with the IP/TCP/UDP headers).
> If I want to pass telnet packets from b to a, two more packets are
> present:
> 
> 	SRC_IP= b, SRC_PORT= some_port, DST_IP= a, DST_PORT= 23
> 	SRC_IP= a, SRC_PORT= 23, DST_IP= b, DST_PORT= some_port
> 
> which means two more rules.
> 
> In my opinion, it does not make much sense in the user interface to
> specify the source port. It would be less confusing to assume that
> a port is actually a service, and filter access to services. I'd
> like something like the following:
> 
>     accept tcp from source.host to dest.host portX
> 
> to mean "source.host is allowed access to service on portX on dest.host"
> 
> Of course I might be wrong.
> 	Luigi

You might want to check out an alternative to "ipfw" for IP firewalling,
which has a much clearer language for defining packet filters if you and
others are finding "ipfw" to be somewhat confusing.

For cases such as "0/0 0/0", keywords such as "any" are provided so that
you don't really have to worry about what it does.

For example:

log in on le0 from any to any with ipopts
block in log on le0 from any to any with short frag
log in on le0 proto tcp from any to any port != 80 flags S
block in log quick on le0 proto icmp from any to any icmp-type unreach
block in log quick on le0 proto udp from any to any port = 2049
block in quick on le0 from any to any with ipopts
pass in on le0 from any to any

aren't very ambiguous.  It'll take "host/#" or "from foo mask bar".

check out coombs.anu.edu.au:/pub/net/kernel/ip_fil2.5c.tar.Z

darren
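Added example, not code from the thread, from ipfw or from Darren's IP Filter: a small evaluator for the rule subset quoted above, used to show two things the mail discusses. First, Luigi's point that a filter matches the header as written, so his two ipfw lines for RIP (here rewritten in the "from any port = 520 to any" / "to any port = 520" form) each match only one layout of the UDP header. Second, how Darren's example rule set behaves on sample packets. The evaluator assumes the semantics IP Filter documents (the page itself does not state them): the last matching block/pass rule decides, a rule marked "quick" ends evaluation at once, a rule whose action is "log" only logs, and a packet that matches no rule is passed. "flags S" is taken as "exactly these TCP flags set", and the packets and addresses are constructed for the example.

```python
"""Toy evaluator for the packet-filter rule syntax quoted in the mail.

Added example, not ipfw or IP Filter code. Assumed semantics: last matching
block/pass rule wins, 'quick' stops evaluation, a 'log' rule only logs, and an
unmatched packet is passed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the header fields the rules look at."""
    iface: str
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""         # TCP flags set, e.g. "S" or "SA"
    ipopts: bool = False    # IP options present
    short_frag: bool = False
    icmp_type: str = ""


def parse_rule(text):
    """Parse one rule line of the subset shown in the mail into a dict."""
    toks = text.split()
    rule = {"action": toks[0], "log": toks[0] == "log", "quick": False,
            "direction": None, "iface": None, "proto": None,
            "src": "any", "sport": None, "dst": "any", "dport": None,
            "flags": None, "ipopts": False, "short_frag": False, "icmp_type": None}
    side = "s"  # 'port' binds to the address it follows: from = source, to = destination
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t in ("log", "quick"):
            rule[t] = True
        elif t in ("on", "proto", "flags", "icmp-type"):
            i += 1
            rule[{"on": "iface", "icmp-type": "icmp_type"}.get(t, t)] = toks[i]
        elif t in ("from", "to"):
            i += 1
            side = "s" if t == "from" else "d"
            rule["src" if t == "from" else "dst"] = toks[i]
        elif t == "port":                      # "port = N" or "port != N"
            rule["sport" if side == "s" else "dport"] = (toks[i + 1], int(toks[i + 2]))
            i += 2
        elif t == "with":                      # "with ipopts" / "with short frag"
            i += 1
            if toks[i] == "ipopts":
                rule["ipopts"] = True
            elif toks[i] == "short" and toks[i + 1] == "frag":
                rule["short_frag"] = True
                i += 1
            else:
                raise ValueError(f"unsupported 'with' option in {text!r}")
        else:
            raise ValueError(f"unknown token {t!r} in {text!r}")
        i += 1
    return rule


def _addr_ok(spec, addr):
    """'any' matches everything; otherwise spec is a host or 'host/prefix' network."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec is None:
        return True
    op, value = spec
    return port == value if op == "=" else port != value


def matches(rule, pkt):
    """True when every condition the rule states holds for the packet."""
    return all((
        rule["direction"] in (None, pkt.direction),
        rule["iface"] in (None, pkt.iface),
        rule["proto"] in (None, pkt.proto),
        _addr_ok(rule["src"], pkt.src) and _addr_ok(rule["dst"], pkt.dst),
        _port_ok(rule["sport"], pkt.sport) and _port_ok(rule["dport"], pkt.dport),
        rule["flags"] is None or set(rule["flags"]) == set(pkt.flags),  # assumed: exact flag set
        not rule["ipopts"] or pkt.ipopts,
        not rule["short_frag"] or pkt.short_frag,
        rule["icmp_type"] in (None, pkt.icmp_type),
    ))


def match_indexes(rules, pkt):
    """Indexes of every rule that matches, ignoring quick/last-match ordering."""
    return [i for i, r in enumerate(rules) if matches(r, pkt)]


def evaluate(rules, pkt):
    """Return (verdict, logged) under the assumed last-match semantics."""
    verdict, logged = "pass", False          # assumed default: pass when nothing matches
    for rule in rules:
        if not matches(rule, pkt):
            continue
        logged = logged or rule["log"]
        if rule["action"] in ("block", "pass"):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict, logged


# Darren's example rule set, as quoted in the mail.
LE0_RULES = [parse_rule(r) for r in (
    "log in on le0 from any to any with ipopts",
    "block in log on le0 from any to any with short frag",
    "log in on le0 proto tcp from any to any port != 80 flags S",
    "block in log quick on le0 proto icmp from any to any icmp-type unreach",
    "block in log quick on le0 proto udp from any to any port = 2049",
    "block in quick on le0 from any to any with ipopts",
    "pass in on le0 from any to any",
)]

# Luigi's two ipfw lines for RIP (udp port 520 on either side) in the syntax
# above: each matches only one layout of the UDP header.
RIP_RULES = [parse_rule(r) for r in (
    "pass in on le0 proto udp from any port = 520 to any",
    "pass in on le0 proto udp from any to any port = 520",
)]

if __name__ == "__main__":
    # Constructed packets; 192.0.2.0/24 is a documentation range used as a placeholder.
    nfs = Packet("le0", "in", "udp", "192.0.2.10", "192.0.2.1", 1024, 2049)
    frag = Packet("le0", "in", "tcp", "192.0.2.10", "192.0.2.1", 1024, 80, short_frag=True)
    print(evaluate(LE0_RULES, nfs))    # ('block', True): the quick rule ends evaluation
    print(evaluate(LE0_RULES, frag))   # ('pass', True): logged, but the final pass rule wins
    print(match_indexes(RIP_RULES, Packet("le0", "in", "udp", "192.0.2.2", "192.0.2.255", 520, 1025)))  # [0]
```

The short-fragment case is the one worth noticing: "block in log" without "quick" is overridden by the closing "pass in on le0 from any to any", so under last-match semantics that rule records the packet but does not stop it, while the "quick" blocks for NFS, ICMP unreachables and IP options do. For the RIP lines, a datagram with source port 520 hits only the first rule and one with destination port 520 only the second, which is exactly why the ipfw version needed two lines.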


