Date: Sun, 27 Jun 1999 13:07:05 +0200
From: Harold Gutch <logix@foobar.franken.de>
To: Mark Newton <newton@atdot.dotat.org>, Michael Maxwell <drwho@xnet.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewalling problem.
Message-ID: <19990627130705.A11859@foobar.franken.de>
In-Reply-To: <199906270218.LAA42821@atdot.dotat.org>; from Mark Newton on Sun, Jun 27, 1999 at 11:48:51AM +0930
References: <19990626210402.B1580@atlas.topquark.org> <199906270218.LAA42821@atdot.dotat.org>
On Sun, Jun 27, 1999 at 11:48:51AM +0930, Mark Newton wrote:
> Michael Maxwell wrote:
>
> > Problem:
> > I cannot allow my local net machines to talk outside to the net and still
> > have a useful firewall at the same time. The rule that allows the local
> > hosts to talk outside completely defeats the purpose of having any OTHER
> > rules in the first place (ipfw allow ip from any to any). I have tried
> > restricting the first "any" to <mynet>:<mymask>, but this also does not
> > work.
>
> Read up the manpage for the "established" keyword.
>

I may be wrong, but IIRC, the actual talk connection is established between
two arbitrary TCP ports - port 518 is only used for the first "handshake",
when checking whether the remote user is logged in, telling them the local
port to connect to etc. AFAIK there is no way to allow talk without opening
everything...

> More generally, run out and buy a copy of "Building Internet Firewalls"
> by Bellovin and Cheswick.
>

... which (if I'm not mistaken) they say as well (I again may be wrong, it's
been a while since I had a *short* look at this book).

bye,
Harold
--
<Shabby> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
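The "established" approach suggested in the thread, written out as an ipfw ruleset. This is an added example, not code from any of the posters; it assumes an internal network of 192.168.1.0/24 and an external interface named ed0 (both placeholders), and an IPFW variable so the rules can be previewed with IPFW=echo instead of being applied.

```shell
#!/bin/sh
# Added example (not from the original mail): an ipfw ruleset that lets
# local hosts open connections outward without "allow ip from any to any".
# Assumed placeholders: net 192.168.1.0/24, external interface ed0.
# IPFW defaults to the real binary; run with IPFW=echo to preview rules.

ipfw_rules() {
    net="$1"      # local network, e.g. 192.168.1.0/24
    ext="$2"      # Internet-facing interface, e.g. ed0
    fw="${IPFW:-ipfw}"

    # Loopback traffic is always allowed.
    $fw add 100 allow ip from any to any via lo0

    # Return traffic for connections already open in either direction:
    # "established" matches TCP segments that carry ACK or RST.
    $fw add 200 allow tcp from any to any established

    # New outbound TCP connections (SYN only) may originate only from the
    # local net, so the hole cannot be used with spoofed sources.
    $fw add 300 allow tcp from "$net" to any out via "$ext" setup

    # New inbound TCP connections are refused and logged. This is exactly
    # what breaks talk: after the port-518 handshake, the data connection
    # is opened inbound to an arbitrary port, as the thread points out.
    $fw add 400 deny log tcp from any to any in via "$ext" setup

    # Everything else (UDP, ICMP, other IP) is dropped. Explicit rules for
    # services you actually need (DNS, for example) go above this line.
    $fw add 65000 deny log ip from any to any
}
```

Note that "established" only inspects TCP flags and keeps no connection table, so any packet with ACK set passes rule 200; this is why later ipfw versions added keep-state/check-state for real stateful filtering.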