Date:      Thu, 16 Aug 2001 15:27:50 +0200
From:      "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl>
To:        <freebsd-security@freebsd.org>
Subject:   IPFW and dynamic rules.
Message-ID:  <98829DC07ECECD47893074C4D525EFC31176AD@citsnl007.europe.intranet>

After struggling for a few days, I came across a rule to allow active
FTP out from my firewalled and masq'd clients.

# FTP - Allow access from our LAN to External FTP servers
#first is for the command channel
   ${fwcmd} add pass tcp from any to any 21 setup
#second is for the data channel...
   ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

Basically (if I understand it right) the ftp server must send back the data
from its port 20...  Which is how the protocol works.  But I think it means
that anyone writing a program that binds to (their) local port 20 can access
my hosts....  Think it's too open?  I do...

A better way (for me) to go would be if the firewall watched the FTP outgoing
traffic then added a dynamic rule for the data channel back in...

I heard about the punch_fw option and that sounds great.  But I want it
for more than just FTP and IRC DCC.
Is it possible to set up a rule that works a little like this:

internal host A connects to external host B
ipfw or natd then makes a dynamic rule that allows any traffic (or
traffic from specific ports) from host B back into the network.
After 5 minutes of inactivity, the rule is discarded.

Taking it one step further, I could even define different rules for
different situations.

FTP: watch outgoing some.host:21 and allow incoming some.host:20
mypc.home:1024 <> mypc.home:65535 until the activity finishes.
Quake: watch outgoing some.host:25970 and allow incoming
mypc.home:25000 <> mypc.home:29000 until the activity finishes.
ICQ (for file transfers): Watch outgoing some.host:X and allow incoming
mypc.home:Y <> mypc.home:Z until the activity finishes.

I know this is a little more overhead, but for my little home network I
would like the idea of being able to add this type of customized
filtering.

Can it be done?
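The mechanism the message asks for (watch an outbound connection, install a per-peer return rule, drop it after five minutes of inactivity) can be shown as a small state table. The following is an added illustration written for this archive page; it is not code from the message or from ipfw/natd, and it models the idea rather than any real kernel interface. The policies, hosts and port ranges are constructed from the FTP and Quake examples in the message. It also shows why the static `from any 20` rule is wider than the dynamic one: return traffic from a host nobody connected to is refused.

```python
from dataclasses import dataclass

# Hypothetical policy table, constructed for this example: an outbound
# connection to `trigger_port` installs a dynamic rule that admits packets
# from that external host, from `src_ports`, to the client's `dst_ports`.
@dataclass(frozen=True)
class Policy:
    name: str
    trigger_port: int
    src_ports: tuple   # (low, high) source ports the external host may use
    dst_ports: tuple   # (low, high) destination ports allowed on the client

POLICIES = (
    Policy("ftp", 21, (20, 20), (1024, 65535)),          # FTP data channel
    Policy("quake", 25970, (1, 65535), (25000, 29000)),  # game server replies
)

IDLE_TIMEOUT = 300.0  # seconds: the "5 minutes of inactivity" in the message


@dataclass
class DynamicRule:
    policy: Policy
    internal_host: str
    external_host: str
    last_seen: float  # refreshed on every packet the rule admits


class StatefulFilter:
    """Toy stateful filter: dynamic rules keyed by (client, peer, policy)."""

    def __init__(self, policies=POLICIES, timeout=IDLE_TIMEOUT):
        self.policies = policies
        self.timeout = timeout
        self.rules = {}

    def expire(self, now):
        """Discard rules that have been idle longer than the timeout."""
        stale = [k for k, r in self.rules.items() if now - r.last_seen > self.timeout]
        for k in stale:
            del self.rules[k]

    def outbound(self, src, dst, dport, now):
        """Client `src` connects out to `dst`:`dport`; install a rule if a
        policy matches. Returns the policy name or None."""
        self.expire(now)
        for p in self.policies:
            if dport == p.trigger_port:
                self.rules[(src, dst, p.name)] = DynamicRule(p, src, dst, now)
                return p.name
        return None

    def inbound(self, src, sport, dst, dport, now):
        """Packet from external `src`:`sport` to internal `dst`:`dport`.
        Admitted only if a live dynamic rule covers it."""
        self.expire(now)
        for rule in self.rules.values():
            p = rule.policy
            if (src == rule.external_host and dst == rule.internal_host
                    and p.src_ports[0] <= sport <= p.src_ports[1]
                    and p.dst_ports[0] <= dport <= p.dst_ports[1]):
                rule.last_seen = now   # activity keeps the rule alive
                return True
        return False


def demo():
    """Walk through the FTP case from the message; returns the decisions."""
    f = StatefulFilter()
    client, server = "192.168.1.10", "203.0.113.5"   # constructed addresses
    return [
        f.inbound(server, 20, client, 3000, now=0.0),   # no session yet: denied
        f.outbound(client, server, 21, now=1.0),        # control channel seen
        f.inbound(server, 20, client, 3000, now=2.0),   # data channel: allowed
        f.inbound("198.51.100.7", 20, client, 3000, now=3.0),  # other host: denied
        f.inbound(server, 20, client, 3000, now=400.0),  # >300s idle: expired
    ]


if __name__ == "__main__":
    print(demo())
```

Each admitted packet refreshes `last_seen`, so a long transfer keeps its rule; only a gap longer than the timeout closes it. A real implementation would key on the actual 4-tuple rather than on host pairs, but the expiry and trigger logic is the same.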

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?98829DC07ECECD47893074C4D525EFC31176AD>