Date:      Mon, 17 Jun 2002 09:19:20 -0400
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "Alexander V Zubchenko" <stalker@hermes-comp.zp.ua>
Cc:        "FBSDQ" <questions@FreeBSD.ORG>
Subject:   RE: How to use natd -punch_fw
Message-ID:  <MIEPLLIBMLEEABPDBIEGKEPECCAA.barbish@a1poweruser.com>
In-Reply-To: <20020617085417.S9334-100000@server.hermes-comp.zp.ua>

Thank you Alexander for this information about the basenumber
and count values for the -punch_fw natd command. I understand
the basenumber is the statement number in the ipfw rules file
where the -punch_fw function will insert its dynamically created
rules, and the count value being the max number of dynamically
created rules which are allowed to be created.

Why such a large value (200) for the count?

I can code 2 keep-state rules to allow FTP in & out.
What is this function doing that it needs 200 rules?

What kind of dynamic ipfw rules is -punch_fw creating and
inserting into the ipfw rules table on the fly?
(stateless, setup/established, keep-state/check-state)

The man doc says -punch_fw will dynamically create ipfw rules for
FTP/IRC/DCC connections. What if I only want -punch_fw for
FTP outbound to the public internet? I don't see how to just get
this variation.

Using -punch_fw will allow setup requests for outbound and
inbound packets for all 3 connections FTP/IRC/DCC, this sure
seems like a very big security hole.

Without the means to specify which connection type to allow and
the direction of the connection to allow, this natd option is
useless and a security risk.

This -punch_fw function should really be an option on the ipfw
rules statement so selection control can be achieved, instead
of a natd option.



-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Alexander V
Zubchenko
Sent: Monday, June 17, 2002 1:59 AM
To: Joe & Fhe Barbish
Cc: FBSDQ
Subject: Re: How to use natd -punch_fw

Greetings!

On Sat, 15 Jun 2002, Joe & Fhe Barbish wrote:

> -punch_fw basenumber:count
>                This option directs natd to ``punch holes'' in an
>                ipfirewall(4) based firewall for FTP/IRC DCC connections.
>                This is done dynamically by installing temporary firewall
>                rules which allow a particular connection (and only that
>                connection) to go through the firewall.  The rules are removed
>                once the corresponding connection terminates.
So this is clear. This part explains what it is supposed to do.

>
>                A maximum of count rules starting from the rule number
>                basenumber will be used for punching firewall holes.  The
>                range will be cleared for all rules on startup.
This means that the real numbers depend on your firewall settings.
Basenumber is the number of the first created rule. Count is the maximum number of
inserted rules. Look at your firewall configuration, where you want to
add these rules. E.g.:

100 check-state
500 deny log....
65000 allow...

And you want rules created by natd to be inserted after check-state
('rule 100'). So use -punch_fw 101:300 (for example), or even better
200:200 (enough, imho, and leaves space for playing around with the firewall
setup by hand).
This is the information I have. Hope this helps.

Alexander V Zubchenko,          E-Mail: stalker@hermes-comp.zp.ua
System Administrator,           WWW: http://www.hermes-comp.zp.ua/
Hermes-comp,
Ukraine,
Zaporizhzhya,
Geroev Stalingrada 50
phone/fax: +380 612 64-19-72




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message


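The two practical points in the exchange above are that natd clears every rule number in the -punch_fw range on startup (so hand-written rules there vanish) and that the range must sit in the right place relative to check-state and the deny rules, since ipfw evaluates rules in ascending order. The script below is an added example, not code from natd or from either poster: it parses `ipfw list` style output and reports whether a proposed basenumber:count range collides with existing rules and where it lands. The sample ruleset is constructed for the example (Alexander's three rules plus an assumed divert rule and one hand-written keep-state rule on interface ed0); which earlier deny rules actually match the FTP/IRC data traffic still has to be judged by hand.

```python
"""Sanity-check a natd -punch_fw basenumber:count range against an ipfw ruleset.

Added example for this thread, not natd's own code. Assumes the ruleset is in
`ipfw list` format ("NNNNN action body ...") and checks:
  1. natd clears rules base..base+count-1 on startup, so any rule you typed
     in that range by hand will silently disappear;
  2. ipfw runs rules in ascending number order, so the punched rules should
     come after the check-state rule and any deny numbered below the range
     must not match the data connection, or it is dropped before the hole
     is ever consulted.
"""
import re

# One "NNNNN action rest" line of `ipfw list` output.
RULE_RE = re.compile(r"^\s*(\d{1,5})\s+(\S+)(.*)$")

# Constructed sample ruleset: the three rules quoted in the thread, plus an
# assumed divert rule for natd and a hand-written keep-state rule at 350.
SAMPLE_RULES = """\
00050 divert 8668 ip from any to any via ed0
00100 check-state
00350 allow tcp from any to any 22 in via ed0 setup keep-state
00500 deny log ip from any to any
65000 allow ip from any to any
"""

# ipfw actions that terminate evaluation by dropping the packet.
DROP_ACTIONS = ("deny", "reject", "unreach")


def parse_ruleset(text):
    """Return [(number, action, rest)] for every rule line in text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return rules


def parse_punch_fw(spec):
    """Parse 'basenumber:count' into the inclusive rule-number range (lo, hi)."""
    base_s, count_s = spec.split(":")
    base, count = int(base_s), int(count_s)
    lo, hi = base, base + count - 1
    # 65535 is ipfw's fixed default rule, so holes must fit below it.
    if base < 1 or count < 1 or hi > 65534:
        raise ValueError("punch_fw range %s falls outside 1..65534" % spec)
    return lo, hi


def check_punch_fw(ruleset_text, spec):
    """Report collisions and placement of the -punch_fw range in the ruleset."""
    rules = parse_ruleset(ruleset_text)
    lo, hi = parse_punch_fw(spec)
    # Existing rules inside the range: natd wipes them at startup.
    clobbered = [n for n, _, _ in rules if lo <= n <= hi]
    check_state = [n for n, action, _ in rules if action == "check-state"]
    after_check_state = bool(check_state) and check_state[0] < lo
    # Drop rules numbered below the range run before any punched hole.
    earlier_denies = [n for n, action, _ in rules
                      if action in DROP_ACTIONS and n < lo]
    return {
        "range": (lo, hi),
        "clobbered": clobbered,
        "after_check_state": after_check_state,
        "earlier_denies": earlier_denies,
        "ok": not clobbered and after_check_state,
    }


def report(ruleset_text, spec):
    """Human-readable summary of check_punch_fw for one spec."""
    r = check_punch_fw(ruleset_text, spec)
    lo, hi = r["range"]
    lines = ["-punch_fw %s uses rule numbers %d-%d" % (spec, lo, hi)]
    if r["clobbered"]:
        lines.append("  WARNING: rules %s are in range and will be cleared by natd"
                     % r["clobbered"])
    if not r["after_check_state"]:
        lines.append("  WARNING: range is not after the check-state rule")
    if r["earlier_denies"]:
        lines.append("  NOTE: deny rules %s run before the holes; make sure they"
                     " do not match the data connection" % r["earlier_denies"])
    lines.append("  result: %s" % ("ok" if r["ok"] else "fix before use"))
    return "\n".join(lines)


if __name__ == "__main__":
    for spec in ("200:200", "200:100", "50:100", "600:100"):
        print(report(SAMPLE_RULES, spec))
```

Against the sample ruleset, Alexander's 200:200 covers 200-399 and would erase the hand-written rule 350, 200:100 fits cleanly, 50:100 overlaps the divert and check-state rules, and 600:100 is placed after the deny at 500, which would drop the data connection first.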




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGKEPECCAA.barbish>