Date: Mon, 17 Jun 2002 09:19:20 -0400
From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To: "Alexander V Zubchenko" <stalker@hermes-comp.zp.ua>
Cc: "FBSDQ" <questions@FreeBSD.ORG>
Subject: RE: How to use natd -punch_fw
Message-ID: <MIEPLLIBMLEEABPDBIEGKEPECCAA.barbish@a1poweruser.com>
In-Reply-To: <20020617085417.S9334-100000@server.hermes-comp.zp.ua>
Thank you Alexander for this information about the basenumber and count values for the -punch_fw natd command. I understand the basenumber is the statement number in the ipfw rules file where the -punch_fw function will insert its dynamically created rules, and the count value is the maximum number of dynamically created rules which are allowed to be created.

Why such a large value (200) for the count? I can code 2 keep-state rules to allow FTP in & out. What is this function doing that it needs 200 rules?

What kind of dynamic ipfw rules is -punch_fw creating and inserting into the ipfw rules table on the fly? (stateless, setup/established, keep-state/check-state)

The man doc says -punch_fw will dynamically create ipfw rules for FTP/IRC/DCC connections. What if I only want -punch_fw for FTP outbound to the public internet? I don't see how to get just this variation. Using -punch_fw will allow setup requests for outbound and inbound packets for all 3 connections FTP/IRC/DCC; this sure seems like a very big security hole. Without the means to specify which connection type to allow and the direction of the connection to allow, this natd option is useless and a security risk.

This -punch_fw function should really be an option on the ipfw rules statement so selection control can be achieved, instead of a NATD option.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Alexander V Zubchenko
Sent: Monday, June 17, 2002 1:59 AM
To: Joe & Fhe Barbish
Cc: FBSDQ
Subject: Re: How to use natd -punch_fw

Greetings!

On Sat, 15 Jun 2002, Joe & Fhe Barbish wrote:

> -punch_fw basenumber:count
> This option directs natd to ``punch holes'' in an
> ipfirewall(4) based firewall for FTP/IRC DCC connections.
> This is done dynamically by installing temporary firewall
> rules which allow a particular connection (and only that con-
> nection) to go through the firewall. The rules are removed
> once the corresponding connection terminates.

So this is clear. This part explains what it is supposed to do.

> A maximum of count rules starting from the rule number
> basenumber will be used for punching firewall holes. The
> range will be cleared for all rules on startup.

This means that the real numbers depend on your firewall settings. Basenumber is the number of the first created rule. Count is the maximum number of inserted rules. Look at your firewall configuration, where you want to add these rules. E.g.:

100 check-state
500 deny log ....
65000 allow ...

And you want rules created by natd to be inserted after check-state ('rule 100'). So use -punch_fw 101:300 (for example), or even better 200:200 (enough, imho, and leaves space for playing around with the firewall setup by hand).

This is the information I have. Hope this helps.

Alexander V Zubchenko, E-Mail: stalker@hermes-comp.zp.ua
System Administrator, WWW: http://www.hermes-comp.zp.ua/
Hermes-comp, Ukraine, Zaporizhzhya, Geroev Stalingrada 50
phone/fax: +380 612 64-19-72

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
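An added example, not code from either message nor from FreeBSD itself: a POSIX sh script that lays out an ipfw ruleset around the -punch_fw 200:200 range Alexander suggests above (the 200 punched rules occupy numbers 200 through 399) and checks that no static rule number falls inside that range, since, per the quoted natd(8) text, natd clears the whole range on startup and would silently delete any rule of your own living there. The interface name fxp0, the divert rule at 50, the deny rule body at 500 and the static rule numbers are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD. Reserves rule numbers
# PUNCH_BASE..PUNCH_BASE+PUNCH_COUNT-1 for natd -punch_fw and verifies that
# none of the ruleset's own (static) rule numbers collide with that range.
# Interface, divert placement and rule bodies are assumptions for illustration.

EXT_IF="fxp0"            # assumed external interface
PUNCH_BASE=200
PUNCH_COUNT=200

# Static rule numbers used by emit_ruleset below (constructed example).
STATIC_RULES="50 100 500 65000"

# punch_range_last BASE COUNT
# Prints the last rule number natd may use: BASE + COUNT - 1.
punch_range_last() {
    echo $(( $1 + $2 - 1 ))
}

# punch_range_is_free BASE COUNT "n1 n2 ..."
# Returns 0 when no listed static rule number lies inside
# [BASE, BASE+COUNT-1], 1 when one does. A colliding static rule would be
# removed when natd clears the range on startup and could be shadowed by
# natd's temporary allow rules afterwards.
punch_range_is_free() {
    base=$1; count=$2; rules=$3
    last=$(punch_range_last "$base" "$count")
    for n in $rules; do
        if [ "$n" -ge "$base" ] && [ "$n" -le "$last" ]; then
            return 1
        fi
    done
    return 0
}

# emit_ruleset
# Prints the ipfw commands (one per line) for a ruleset with the hole
# reserved right after check-state, following the layout in the thread.
emit_ruleset() {
    last=$(punch_range_last "$PUNCH_BASE" "$PUNCH_COUNT")
    cat <<EOF
ipfw -f flush
ipfw add 50 divert natd ip from any to any via $EXT_IF
ipfw add 100 check-state
# rules $PUNCH_BASE-$last are reserved for natd -punch_fw $PUNCH_BASE:$PUNCH_COUNT
ipfw add 500 deny log tcp from any to any setup in via $EXT_IF
ipfw add 65000 allow ip from any to any
EOF
}

# natd_command
# Prints the natd invocation that matches the reserved range
# (natd(8) flags: -n interface, -punch_fw basenumber:count).
natd_command() {
    echo "natd -n $EXT_IF -punch_fw $PUNCH_BASE:$PUNCH_COUNT"
}

# main: refuse to print a ruleset whose static rules collide with the range.
main() {
    if punch_range_is_free "$PUNCH_BASE" "$PUNCH_COUNT" "$STATIC_RULES"; then
        emit_ruleset
        natd_command
    else
        echo "punch_fw range $PUNCH_BASE:$PUNCH_COUNT collides with a static rule" >&2
        return 1
    fi
}

main "$@"
```

The collision check is the part worth keeping: with -punch_fw 101:300 the range ends at 400, so a static rule at 500 is safe, but widening the count to 500 would swallow that rule 500 on natd startup. Which connections natd actually allows through the hole is decided by natd's protocol handling, not by anything in this ruleset, which is exactly the selection-control limitation the first message complains about.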