Date: 20 Oct 1999 17:08:00 +0200
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: "Patrick Bihan-Faou" <patrick@mindstep.com>
Cc: "matt" <matt@BabCom.ORG>, <freebsd-security@FreeBSD.ORG>
Subject: Re: ipfw rule wrong in rc.firewall(?)
Message-ID: <xzppuyahxyn.fsf@flood.ping.uio.no>
In-Reply-To: "Patrick Bihan-Faou"'s message of "Wed, 20 Oct 1999 10:33:05 -0400"
References: <19991020104749.B17206@relay.ucb.crimea.ua> <Pine.BSF.4.20.9910200503320.40234-100000@s01.arpa-canada.net> <009001bf1b08$05ad6040$190aa8c0@local.mindstep.com>
"Patrick Bihan-Faou" <patrick@mindstep.com> writes:
> I guess it would add a couple of keywords in the lines of:
>
> ipfw add allow udp from ${oip} to any 53 monitor 10
> ipfw add allow udp from any to any established
> ipfw add deny udp from any to any
>
> where "monitor" indicates that we want to allow the return data flow, 10 is
> a time-out value (packets must be no more than 10 seconds apart from one
> another).

Sounds like a good idea, but you may want to do something a little bit more
fancy than just accepting the packets unconditionally. If you teach ipfw the
notion of temporary rules (add a ttl field to the rule structure, and remove
the rule when the ttl reaches 0), the effect of a "monitor" rule would simply
be to add a temporary rule with a preselected rule number. That way, you can
view and delete automagic rules manually. You might also want to have those
automagic rules be 'skipto' rules rather than 'allow' rules, so you can do
arbitrarily complex processing of those packets.

> If I have some time (in my dreams) I will look at implementing that
> scheme... In the meantime, I hope to get some comments on that idea...

I'll look into it this weekend, provided that I get the capabilities stuff
done first and the ipfw kernel code isn't as ugly as the ipfw userland code.
Hmm... now that I think of it, the userland code is so ugly I'm tempted to
rewrite it, just on general principles *grin*

Well, you got my comments, anyway.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
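The temporary-rule scheme discussed in this exchange, as an added illustration that is a Python model written for this page and not ipfw code or anything from the thread's participants: a "monitor" rule installs a return-flow rule under a preselected number with a ttl, packets on that flow refresh the ttl, and the rule is removed once it runs out, so an unsolicited or late reply falls through to the deny rule. The rule numbers, addresses and the idle-refresh behaviour are assumptions.

```python
from dataclasses import dataclass
ANY = "any"   # wildcard, as in ipfw
@dataclass
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    match: tuple                    # (proto, src, sport, dst, dport); ANY is a wildcard
    ttl: float = 0                  # "monitor N": lifetime in seconds of the return-flow rule
    expires: "float | None" = None  # set only on temporary (automagic) rules
    def matches(self, pkt):
        return all(f == ANY or f == p for f, p in zip(self.match, pkt))
class Firewall:
    """Ordered ipfw-like rule list; temporary rules vanish when their ttl runs out."""
    def __init__(self, temp_number=10):
        self.rules = []
        self.temp_number = temp_number  # assumed preselected number for automagic rules
    def add(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)
    def expire(self, now):
        # drop every temporary rule whose ttl has reached 0 at time 'now'
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]
    def check(self, pkt, now):
        """Action for pkt = (proto, src, sport, dst, dport) seen at time now (seconds)."""
        self.expire(now)
        for r in list(self.rules):
            if not r.matches(pkt):
                continue
            if r.expires is not None:   # temporary rule hit: packets refresh the ttl
                r.expires = now + r.ttl
            elif r.ttl:                 # monitor rule hit: install the return-flow rule
                proto, src, sport, dst, dport = pkt
                self.add(Rule(self.temp_number, "allow", (proto, dst, dport, src, sport),
                              ttl=r.ttl, expires=now + r.ttl))
            return r.action
        return "deny"                   # default policy

def dns_demo():
    """Outbound DNS from 192.0.2.1 (constructed addresses): replies pass only while rule 10 lives."""
    fw = Firewall()
    fw.add(Rule(100, "allow", ("udp", "192.0.2.1", ANY, ANY, "53"), ttl=10))
    fw.add(Rule(200, "deny", ("udp", ANY, ANY, ANY, ANY)))
    query = ("udp", "192.0.2.1", "1025", "198.51.100.2", "53")
    reply = ("udp", "198.51.100.2", "53", "192.0.2.1", "1025")
    return [fw.check(reply, 0.0),   # unsolicited reply: deny
            fw.check(query, 1.0),   # allow; installs temporary rule 10 (expires at 11)
            fw.check(reply, 5.0),   # allow via rule 10; ttl refreshed (expires at 15)
            fw.check(reply, 20.0),  # deny: rule 10 expired and was removed
            [r.number for r in fw.rules]]  # only the static rules remain
```

Listing `fw.rules` between the calls shows the automagic rule 10 sitting among the static rules, which is what makes it viewable and deletable by hand as the reply suggests.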