Date: Thu, 14 Jan 1999 17:54:01 +0100 (MET)
From: Martin Machacek <mm@i.cz>
To: security@FreeBSD.ORG
Subject: Re: examples rules ipfw
Message-ID: <XFMail.990114175401.mm@i.cz>
In-Reply-To: <19990114153709.A88792@bitbox.follo.net>
On 14-Jan-99 Eivind Eklund wrote:
> On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote:
> If you need another secure approach, look at libalias.
>
> It contains my code for automatically creating tiny 'holes' in the
> firewall just allowing one specific connection through.
>
> Unfortunately, there are not any clients in FreeBSD that use that as
> of today, but you should be able to build it into natd and ppp fairly
> easily (it is only two function calls to enable it; one to set the
> rule number range in the firewall rules to use for creating 'holes',
> and one to enable the flag).
>
> I guess the code could be adapted to be usable in environments without
> NAT, but I haven't really looked into it. I don't really approve of
> using pure packet filters for a firewall.

Do you think that this feature could be used to run rsh from a net with private IP addresses (RFC 1918) over a NAT "firewall" (using natd) to a machine in front of the firewall with a public IP address? Of course it would require natd to be modified to utilize the PUNCH_FW feature.

At present it is not possible to use rsh over natd because there is no application-specific processing for rsh in libalias, so it does not allow the reverse channel carrying stderr data through (at least if you have the deny_incoming feature of natd on - which I definitely want to have).

I could eventually do the necessary mod to natd/libalias (using PUNCH_FW). On the other hand I'm afraid that I don't have enough time to implement (and test) the full application-specific processing for rsh in libalias. If the PUNCH_FW feature of libalias could make it easier, I may try it. I've briefly looked at it and it seems to be pretty straightforward, but I'm not sure that it could be used for this purpose.

Martin
---
[PGP KeyID F3F409C4]
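The reverse channel Martin describes is the rsh stderr back-connection: the client tells rshd which port to connect back to, and a NAT gateway that denies incoming connections has to both translate and admit that one connection. The following is an added illustration, not libalias or natd code, of the application-specific step such a gateway would have to perform; the ipfw rule text, the addresses and the 512-1023 source range (the reserved-port range BSD rshd connects back from) are assumptions of the example.

```python
# Added example (not libalias or natd code). The rsh client connects to
# rshd on TCP/514 and first sends "<stderr-port>\0locuser\0remuser\0cmd\0";
# rshd then opens a second TCP connection back to the client at
# <stderr-port>. Behind NAT that inbound connection must be (1) mapped
# to the private client and (2) let through the firewall: the "hole".
from dataclasses import dataclass
from typing import Optional, Tuple

RSH_PORT = 514


@dataclass
class RshSetup:
    stderr_port: int      # 0 means the client asked for no stderr channel
    local_user: str
    remote_user: str
    command: str


def parse_rsh_preamble(data: bytes) -> Optional[RshSetup]:
    """Parse the client's preamble; None if incomplete or malformed."""
    parts = data.split(b"\0")
    if len(parts) < 5:                    # four NUL-terminated fields
        return None
    port_s, locuser, remuser, cmd = parts[:4]
    if not port_s.isdigit() or int(port_s) > 65535:
        return None
    dec = lambda b: b.decode("ascii", "replace")
    return RshSetup(int(port_s), dec(locuser), dec(remuser), dec(cmd))


def punch_for_stderr(setup: RshSetup, server_ip: str, gateway_ip: str,
                     client_ip: str) -> Optional[Tuple[Tuple[str, str], str]]:
    """Return (nat_mapping, fw_rule) needed for the stderr back-connection,
    or None when the client asked for no stderr channel.  The rule is
    illustrative ipfw syntax and must be removed again when the control
    connection on TCP/514 closes (that is what PUNCH_FW's rule range is for).
    Assumption: rshd connects back from a reserved port, 512-1023."""
    if setup.stderr_port == 0:
        return None
    p = setup.stderr_port
    nat_mapping = (f"{gateway_ip}:{p}", f"{client_ip}:{p}")   # public -> private
    fw_rule = f"allow tcp from {server_ip} 512-1023 to {client_ip} {p} setup"
    return nat_mapping, fw_rule
```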