Date:      20 Oct 1999 17:08:00 +0200
From:      Dag-Erling Smorgrav <des@flood.ping.uio.no>
To:        "Patrick Bihan-Faou" <patrick@mindstep.com>
Cc:        "matt" <matt@BabCom.ORG>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: ipfw rule wrong in rc.firewall(?)
Message-ID:  <xzppuyahxyn.fsf@flood.ping.uio.no>
In-Reply-To: "Patrick Bihan-Faou"'s message of "Wed, 20 Oct 1999 10:33:05 -0400"
References:  <19991020104749.B17206@relay.ucb.crimea.ua> <Pine.BSF.4.20.9910200503320.40234-100000@s01.arpa-canada.net> <009001bf1b08$05ad6040$190aa8c0@local.mindstep.com>

"Patrick Bihan-Faou" <patrick@mindstep.com> writes:
> I guess it would add a couple of keywords in the lines of:
> 
> ipfw add allow udp from ${oip} to any 53 monitor 10
> ipfw add allow udp from any to any established
> ipfw add deny udp from any to any
> 
> where "monitor" indicates that we want to allow the return data flow, 10 is
> a time-out value (packets must be no more than 10 seconds apart from one
> another).

Sounds like a good idea, but you may want to do something a little bit
more fancy than just accepting the packets unconditionally.

If you teach ipfw the notion of temporary rules (add a ttl field to
the rule structure, and remove the rule when the ttl reaches 0), the
effect of a "monitor" rule would simply be to add a temporary rule
with a preselected rule number. That way, you can view and delete
automagic rules manually. You might also want to have those automagic
rules be 'skipto' rules rather than 'allow' rules, so you can do
arbitrarily complex processing of those packets.

> If I have some time (in my dreams) I will look at implementing that
> scheme... In the meantime, I hope to get some comments on that idea...

I'll look into it this weekend, provided that I get the capabilities
stuff done first and the ipfw kernel code isn't as ugly as the ipfw
userland code.

Hmm... now that I think of it, the userland code is so ugly I'm
tempted to rewrite it, just on general principles *grin*

Well, you got my comments, anyway.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
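The following is an added illustration, not code from the thread or from ipfw, of the scheme the two messages sketch: a "monitor" rule that, on match, installs a numbered, time-limited reverse rule; matching traffic restarts that rule's idle timer; a tick removes rules whose ttl has reached 0; and the automagic rules can be listed and deleted by hand like any other numbered rule, or made "skipto" rules so the return flow continues at a later rule block. The rule number range starting at 1000, the refresh-on-match reading of "no more than 10 seconds apart", the skipto option and the implicit default deny are all assumptions of this toy model.

```python
# Toy model of the "monitor" / temporary-rule idea from the thread.
# Added example only; this is not ipfw code and the design choices are assumed.
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for address and port fields


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str                # 'allow' | 'deny' | 'monitor' | 'skipto'
    proto: str
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    timeout: int = 0           # monitor/automagic rules: idle timeout in seconds
    target: int = 0            # skipto rules: rule number to continue at
    ttl: Optional[int] = None  # None = permanent rule; otherwise seconds left

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (ANY, p.src) and self.sport in (ANY, p.sport)
                and self.dst in (ANY, p.dst) and self.dport in (ANY, p.dport))


class Firewall:
    DYNAMIC_BASE = 1000  # preselected number range for automagic rules (assumed)

    def __init__(self, dynamic_action: str = "allow", dynamic_target: int = 0):
        self.rules: List[Rule] = []
        self.dynamic_action = dynamic_action  # 'allow' or 'skipto' for automagic rules
        self.dynamic_target = dynamic_target  # skipto target when dynamic_action == 'skipto'
        self._next_dynamic = self.DYNAMIC_BASE

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)

    def delete(self, number: int) -> None:
        # Automagic rules are ordinary numbered rules, so manual deletion works on them too.
        self.rules = [r for r in self.rules if r.number != number]

    def numbers(self) -> List[int]:
        return [r.number for r in self.rules]

    def _install_reverse(self, p: Packet, timeout: int) -> Rule:
        # Temporary rule for the return flow: swap src/dst and sport/dport.
        r = Rule(self._next_dynamic, self.dynamic_action, p.proto,
                 p.dst, p.dport, p.src, p.sport,
                 timeout=timeout, target=self.dynamic_target, ttl=timeout)
        self._next_dynamic += 1
        self.add(r)
        return r

    def _index_of(self, number: int) -> int:
        for i, r in enumerate(self.rules):
            if r.number >= number:
                return i
        return len(self.rules)

    def process(self, p: Packet) -> str:
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if not r.matches(p):
                i += 1
                continue
            if r.ttl is not None:
                r.ttl = r.timeout  # matching traffic restarts the idle timer
            if r.action == "monitor":
                self._install_reverse(p, r.timeout)
                return "allow"
            if r.action == "skipto":
                if r.target <= r.number:  # only forward jumps are allowed
                    return "deny"
                i = self._index_of(r.target)
                continue
            return r.action  # 'allow' or 'deny'
        return "deny"  # implicit default deny at the end of the list

    def tick(self, seconds: int) -> List[int]:
        # Age every temporary rule; drop those whose ttl has run out.
        expired = [r.number for r in self.rules
                   if r.ttl is not None and (r.ttl - seconds) <= 0]
        for r in self.rules:
            if r.ttl is not None:
                r.ttl -= seconds
        for n in expired:
            self.delete(n)
        return expired
```

With a monitor rule for outbound DNS and a deny for all other UDP, a query installs rule 1000 for the reply, the reply is accepted while the rule is alive, an unrelated packet from the same server to another port is still denied, and once the idle timer expires the reply is denied again.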