Date:      Thu, 14 Jan 1999 17:54:01 +0100 (MET)
From:      Martin Machacek <mm@i.cz>
To:        security@FreeBSD.ORG
Subject:   Re: examples rules ipfw
Message-ID:  <XFMail.990114175401.mm@i.cz>
In-Reply-To: <19990114153709.A88792@bitbox.follo.net>


On 14-Jan-99 Eivind Eklund wrote:
> On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote:
> If you need another secure approach, look at libalias.
> 
> It contains my code for automatically creating tiny 'holes' in the
> firewall just allowing one specific connection through.
> 
> Unfortunately, there are not any clients in FreeBSD that use that as
> of today, but you should be able to build it into natd and ppp fairly
> easily (it is only two function calls to enable it; one to set the
> rule number range in the firewall rules to use for creating 'holes',
> and one to enable the flag).
> 
> I guess the code could be adapted to be usable in environments without
> NAT, but I haven't really looked into it.  I don't really approve of
> using pure packet filters for a firewall.

Do you think that this feature could be used to run rsh from a net with
private IP addresses (RFC 1918) over a NAT "firewall" (using natd) to a machine
in front of the firewall with a public IP address? Of course it would require natd
to be modified to utilize the PUNCH_FW feature. At present it is not possible to
use rsh over natd because there is no application-specific processing for
rsh in libalias, so it does not allow the reverse channel carrying stderr data
through (at least if you have the deny_incoming feature of natd on - which I
definitely want to have). I could eventually do the necessary mod
to natd/libalias (using PUNCH_FW). On the other hand I'm afraid that I don't
have enough time to implement (and test) the full application-specific
processing for rsh in libalias. If the PUNCH_FW feature of libalias could make
it easier, I may try it. I've briefly looked at it and it seems to be pretty
straightforward, but I'm not sure that it could be used for this purpose.

        Martin 

---
[PGP KeyID F3F409C4]
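The failure mode Martin describes (the rsh stderr back-connection being dropped by natd with deny_incoming on, and a PUNCH_FW-style one-connection hole fixing it) as an added, simplified model. This is illustration code written for this page, not libalias or natd code; the Nat class, its methods and all addresses and ports are constructed assumptions.

```python
# Added illustration, not libalias/natd code: an outbound-only NAT with the
# deny_incoming policy, plus a PUNCH_FW-style one-connection hole of the kind
# natd would have to open for rsh's stderr back-connection. All addresses,
# ports and method names are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    deny_incoming: bool = True
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> pub_port
    holes: dict = field(default_factory=dict)     # (remote_ip, pub_port) -> (priv_ip, priv_port)

    def outbound_syn(self, src_ip, src_port, dst_ip, dst_port):
        """A host behind the NAT opens a connection; allocate a public port."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def punch_hole(self, remote_ip, priv_ip, priv_port):
        """Allow exactly one inbound connection from remote_ip to reach
        (priv_ip, priv_port); returns the public port it must target."""
        pub = self.next_port
        self.next_port += 1
        self.holes[(remote_ip, pub)] = (priv_ip, priv_port)
        return pub

    def inbound_syn(self, src_ip, dst_port):
        """Where an unsolicited inbound SYN ends up, or None if dropped."""
        hole = self.holes.pop((src_ip, dst_port), None)  # one-shot hole
        if hole is not None:
            return hole
        # No hole: an outbound mapping only covers packets of that flow, so a
        # fresh inbound SYN is unrelated traffic and deny_incoming drops it.
        return None if self.deny_incoming else (self.public_ip, dst_port)


def rsh_session(nat, punch):
    """Model rsh's two channels: client -> server:514, then the server
    connecting back to the stderr port announced inside the first stream.
    Returns where that back-connection lands (None if dropped)."""
    client, server, stderr_port = ("10.0.0.5", 1022), "198.51.100.7", 1021
    nat.outbound_syn(*client, server, 514)      # primary channel translates fine
    announced = stderr_port                     # port number carried in the rsh header
    if punch:  # natd would parse the header, punch a hole and rewrite the port
        announced = nat.punch_hole(server, client[0], stderr_port)
    return nat.inbound_syn(server, announced)   # rshd's stderr connection arrives
```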



