amsn

Erik Norgaard norgaard at locolomo.org
Thu Jan 27 08:05:25 PST 2005


dick hoogendijk wrote:
> Amsn states it needs port 1863 for chats and port 6891 for
> filetransfers.
> 
> Using ipf (and being quite new to it), does that mean I do this both ways
> (in/out) like:
> 
> ## outgoing
> 
> # Allow out msn messenger chatting and filetransfers
> pass out quick on rl0 proto tcp from any to any port = 1863 flags S keep
> state
> pass out quick on rl0 proto tcp from any to any port = 6891 flags S keep
> state
> 
> ## incoming
> # Allow in msn messenger chatting and filetransfers
> pass in quick on rl0 proto tcp from any to any port = 1863 flags S keep
> state
> pass in quick on rl0 proto tcp from any to any port = 6891 flags S keep
> state
> 
> Or can I drop the incoming rules?

Yes, you have keep state, and anyway the in-rules should be "from any 
port = xxxx to any" if they were needed. And now you see how that would 
open your host to attacks.

> ps: I'd like to test it, but don't know how to RESET ipf after making some
> changes to the rules. I do know how to restart ipnat (-CF -f filename),
> but what's the solution for ipf?

I recommend using the feature of reading your ruleset into the passive 
table first: you can check that your rules parse, and you don't 
accidentally open your host (this feature is lacking in pf; I was flamed 
when requesting it).

# flush inactive rules (if any)
ipf -IFi && ipf -IFo
# read new rules into inactive table
ipf -I -f <rules>
# swap rules
ipf -s
# cleanup: flush inactive rules (if any)
ipf -IFi && ipf -IFo

Instead of just swapping rules in, you might want to play it safe with

   ipf -s && sleep 60 && ipf -s

Cheers, Erik
-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
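The inactive-set reload and the "swap, sleep, swap back" safety net from the reply above, put together as a small script. This is an added example, not from the original mail or from ipfilter itself; it assumes the ipf(8) flags shown in the thread plus -n (parse-only, no kernel change), and the IPF, REVERT_AFTER and WATCHDOG variables are this example's own knobs so it can be dry-run with a stub command.

```sh
#!/bin/sh
# Safe ipf reload via the inactive rule set (example, not ipfilter's own code).
# Assumed knobs: IPF (binary or stub), REVERT_AFTER (seconds), WATCHDOG (pid file).
IPF=${IPF:-ipf}
REVERT_AFTER=${REVERT_AFTER:-60}
WATCHDOG=${WATCHDOG:-/var/run/ipf-revert.pid}

# 1. Parse-check the ruleset without touching the kernel (ipf -n = no change).
ipf_check() {
    $IPF -n -f "$1" >/dev/null 2>&1
}

# 2. Flush the inactive in/out lists and load the new rules there; the
#    running ruleset is untouched until we explicitly swap.
ipf_stage() {
    $IPF -I -Fi && $IPF -I -Fo && $IPF -I -f "$1"
}

# 3. Swap the sets and arm a watchdog that swaps back after REVERT_AFTER
#    seconds: the "ipf -s && sleep 60 && ipf -s" idea, made cancellable.
ipf_activate() {
    $IPF -s || return 1
    ( sleep "$REVERT_AFTER" && $IPF -s ) &
    echo $! > "$WATCHDOG"
}

# 4. Still able to reach the host with the new rules? Cancel the pending
#    revert and keep them. Fails if no watchdog is armed.
ipf_confirm() {
    pid=$(cat "$WATCHDOG" 2>/dev/null) || return 1
    rm -f "$WATCHDOG"
    kill "$pid" 2>/dev/null
}

# Full sequence: check, stage, activate. Run ipf_confirm from a session that
# still works after the swap; otherwise the old rules come back on their own.
ipf_reload() {
    ipf_check "$1" || { echo "ruleset $1 does not parse" >&2; return 1; }
    ipf_stage "$1" && ipf_activate
}

if [ $# -eq 1 ]; then
    ipf_reload "$1"
fi
```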


More information about the freebsd-questions mailing list