
Re: enhanced firewall features



On 1998-03-03 at 00:25:04, Glynn Clements wrote:
> Erez Doron wrote:
> > the idea is: the ability to add a firewall rule, that will watch the
> > outgoing packet's port, and for some time allow connections to that
> > port from outside.
> > 
> > for tcp it is not needed because ipfwadm -k causes the same results
> > (though not in the same way)
> > 
> > but it is good for udp, this will let one accept only udp
> > connections that were initiated from inside
> 
> It doesn't necessarily require implementation within the kernel. One
> option would be to enable logging (ipfwadm ... -o) of outbound UDP
> packets, and have a process which monitors the output and manipulates
> the firewall rules appropriately.

Another "solution", albeit a bit different, is to set the
(/proc/sys/net/ipv4/) ip_local_port_range to something like 8192-16383.
This makes any "normal" application, be it TCP or UDP, use port
numbers from the above range as local ports.  If you can then make sure
that no server is run in that range, you could allow (at least UDP)
packets IN to those ports.  I could imagine more sanity checks, but it
works surprisingly well.  The only drawback is that (AFAIR) it needs a
2.1 kernel.

-- 
Janos - Don't worry, my address is real.  I'm just bored of spam.
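The two approaches discussed in this thread, Glynn's userspace process that watches logged outbound UDP packets and opens the reverse flow for a while, and Janos's static "allow inbound UDP to the ip_local_port_range" rule, can be compared side by side. The following is an added example written for this page; it is not code from any of the posters, from ipfwadm, or from the kernel. The log line format matched by LOG_LINE_RE, the sample log lines, the class and function names, and the 30-second flow lifetime are all assumptions made for the example; the real rule manipulation (calling ipfwadm) is left out, and the code only produces the accept/deny decision a monitoring process would act on.

```python
"""Userspace UDP 'pseudo-connection' tracking vs. a static local-port-range rule.

Added example for this thread, not code from the original posts, ipfwadm or the
kernel. The log line format below is constructed for the example and only loosely
modelled on the 'IP fw-out ...' lines a 2.0-era kernel printed with ipfwadm -o;
adjust LOG_LINE_RE to whatever your kernel actually logs.
"""
import re
from typing import Dict, Optional, Tuple

# Assumed log format: "IP fw-out <action> <iface> UDP <src>:<sport> <dst>:<dport> ..."
LOG_LINE_RE = re.compile(
    r"IP fw-out (?P<action>\S+) (?P<iface>\S+) UDP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# (local_ip, local_port, remote_ip, remote_port)
Flow = Tuple[str, int, str, int]

# Constructed sample line, as if logged for an outbound DNS query. Not a real capture.
SAMPLE_OUT_LOG = "IP fw-out acc eth0 UDP 192.168.1.5:9000 10.0.0.1:53 L=60 S=0x00 I=1 F=0x0000 T=64"


class UdpStateTracker:
    """Remembers outbound UDP flows seen in the log and admits only their replies.

    This is the userspace equivalent of the kernel feature proposed in the thread:
    each outbound packet opens the reverse (remote -> local) direction for ttl seconds.
    """

    def __init__(self, ttl_seconds: float = 30.0):
        self.ttl = ttl_seconds
        self.flows: Dict[Flow, float] = {}  # flow -> expiry timestamp

    def note_outbound(self, line: str, now: float) -> Optional[Flow]:
        """Parse one logged outbound packet and (re)arm its reply window."""
        m = LOG_LINE_RE.search(line)
        if not m:
            return None
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        self.flows[flow] = now + self.ttl
        return flow

    def expire(self, now: float) -> None:
        """Drop flows whose reply window has closed (where a rule would be deleted)."""
        self.flows = {f: t for f, t in self.flows.items() if t > now}

    def allow_inbound(self, src: str, sport: int, dst: str, dport: int, now: float) -> bool:
        """Inbound packet is accepted iff it is the exact reverse of a live outbound flow."""
        self.expire(now)
        return (dst, dport, src, sport) in self.flows


def in_local_port_range(port: int, port_range: Tuple[int, int] = (8192, 16383)) -> bool:
    """Janos's static rule: accept inbound UDP whose destination port lies in the
    range written to /proc/sys/net/ipv4/ip_local_port_range (value assumed here)."""
    lo, hi = port_range
    return lo <= port <= hi


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Return {case: (stateful_decision, port_range_decision)} for a few inbound packets."""
    tracker = UdpStateTracker(ttl_seconds=30.0)
    tracker.note_outbound(SAMPLE_OUT_LOG, now=0.0)

    # (case name, remote ip, remote port, local ip, local port, arrival time)
    inbound = [
        ("reply_in_window",      "10.0.0.1", 53, "192.168.1.5", 9000, 5.0),
        ("unsolicited_in_range", "10.0.0.9", 53, "192.168.1.5", 9001, 5.0),
        ("to_server_port",       "10.0.0.1", 53, "192.168.1.5", 53,   5.0),
        ("reply_after_window",   "10.0.0.1", 53, "192.168.1.5", 9000, 40.0),
    ]
    results = {}
    for name, src, sport, dst, dport, t in inbound:
        results[name] = (tracker.allow_inbound(src, sport, dst, dport, t),
                         in_local_port_range(dport))
    return results


if __name__ == "__main__":
    for case, (stateful, static) in run_demo().items():
        print(f"{case:22s} stateful={stateful!s:5s} port-range={static}")
```

The demo makes the trade-off concrete: both policies accept the real reply and reject a packet aimed at a server port outside the range, but the port-range rule also admits an unsolicited packet to any port in the range, and the stateful tracker closes the window once the flow expires, which the static rule cannot do.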