Date: Thu, 16 Aug 2001 15:27:50 +0200
From: "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl>
To: <freebsd-security@freebsd.org>
Subject: IPFW and dynamic rules.
Message-ID: <98829DC07ECECD47893074C4D525EFC31176AD@citsnl007.europe.intranet>
After struggling for a few days, I came across a rule to allow active FTP out from my firewalled and masq'd clients.

# FTP - Allow access from our LAN to External FTP servers
# first is for the command channel
${fwcmd} add pass tcp from any to any 21 setup
# second is for the data channel...
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

Basically (if I understand it right) the ftp server must send back the data from its port 20... Which is how the protocol works. But I think it means that anyone writing a program that binds to (their) local port 20 can access my hosts.... Think it's too open? I do...

A better way (for me) to go would be if the firewall watched the FTP outgoing traffic then added a dynamic rule for the data channel back in... I heard about the punch_fw option and that sounds great. But I want it for more than just FTP and IRC DCC.

Is it possible to set up a rule that works a little like this:

internal host A connects to external host B
ipfw or natd then makes a dynamic rule that allows any traffic (or traffic from specific ports) from host B back into the network.
After 5 minutes of inactivity, the rule is discarded.

Taking it one step further, I could even define different rules for different situations.

FTP: watch outgoing some.host:21 and allow incoming some.host:20 mypc.home:1024 <> mypc.home:65535 until the activity finishes.
Quake: watch outgoing some.host:25970 and allow incoming mypc.home:25000 <> mypc.home:29000 until the activity finishes.
ICQ (for file transfers): watch outgoing some.host:X and allow incoming mypc.home:Y <> mypc.home:Z until the activity finishes.

I know this is a little more overhead, but for my little home network I would like the idea of being able to add this type of customized filtering.

Can it be done?
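One way to get the expiring, connection-triggered rules the message asks for is ipfw's own check-state / keep-state mechanism; the script below is an added example, not part of the original message or of FreeBSD's rc.firewall. It assumes ${fwcmd} is /sbin/ipfw and only prints the commands for review. keep-state tracks flows an inside host initiates (passive FTP, the outbound Quake and ICQ sessions), not the server-initiated active-FTP data connection, which is what natd's punch_fw option handles.

```shell
#!/bin/sh
# Added example, not from the original message or from rc.firewall.
# Assumption: ${fwcmd} is /sbin/ipfw as in rc.firewall. The functions only
# print the ipfw commands so the ruleset can be reviewed before it is loaded.

fwcmd="${fwcmd:-/sbin/ipfw}"

# The data-channel rule quoted in the message: any remote host that binds
# its local port 20 is allowed to open a connection to any high port inside.
open_rule() {
    printf '%s add pass tcp from any 20 to any 1024-65535 setup\n' "$fwcmd"
}

# Stateful replacement. check-state matches packets belonging to flows that
# a keep-state rule has already recorded; each keep-state rule only creates
# such a dynamic entry when an inside host starts the conversation (out),
# and the entry expires after net.inet.ip.fw.dyn_ack_lifetime (established
# TCP, 300 s by default) or net.inet.ip.fw.dyn_udp_lifetime seconds idle.
# rc.firewall's natd divert rule, if used, belongs ahead of these.
stateful_rules() {
    printf '%s add check-state\n' "$fwcmd"
    # FTP control channel; passive-mode data connections are outbound too,
    # so they are covered by an outbound keep-state rule, not by port 20.
    printf '%s add pass tcp from any to any 21 out setup keep-state\n' "$fwcmd"
    # Quake server port from the message: outbound UDP creates the entry
    # that lets the server's replies back in for the life of the session.
    printf '%s add pass udp from any to any 25970 out keep-state\n' "$fwcmd"
    # Nothing else may start a connection from outside.
    printf '%s add deny tcp from any to any in setup\n' "$fwcmd"
    printf '%s add deny udp from any to any in\n' "$fwcmd"
}

# Print the open rule and its stateful replacement side by side.
open_rule
stateful_rules
```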