Amsn states it needs port 1863 for chats and port 6891 for filetransfers.
Using ipf (and being quite new to it), does that mean I do this both ways (in/out) like:

## outgoing
# Allow out msn messenger chatting and filetransfers
pass out quick on rl0 proto tcp from any to any port = 1863 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 6891 flags S keep state

## incoming
# Allow in msn messenger chatting and filetransfers
pass in quick on rl0 proto tcp from any to any port = 1863 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 6891 flags S keep state
Or can I drop the incoming rules?
Yes, you have keep state, and anyway the in-rules should be "from any port = xxxx to any" if they were needed. And now, you see how that would open your host for attacks.
PS: I'd like to test it, but I don't know how to RESET ipf after making some changes to the rules. I do know how to restart ipnat (-CF -f filename), but what's the solution for ipf?
I recommend using the feature of reading your ruleset into the passive table first; that way you can check that your rules parse, and you don't accidentally open your host (this feature is lacking on pf, I was flamed when requesting it).

# flush inactive rules (if any)
ipf -IFi && ipf -IFo
# read new rules into inactive table
ipf -I -f <rules>
# swap rules
ipf -s
# cleanup: flush inactive rules (if any)
ipf -IFi && ipf -IFo
Instead of just swapping rules in, you might want to play it safe with
ipf -s && sleep 60 && ipf -s
Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
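The "ipf -s && sleep 60 && ipf -s" trick above swaps back unconditionally. The script below (an added example, not from the thread) turns it into confirm-or-revert: stage the rules in the inactive table, swap, and revert automatically unless an admin confirms from a fresh login within the timeout. The confirm-file path and timeout are assumptions chosen by the caller; the ipf flags are the ones used in the reply.

```shell
# Stage RULES into the inactive table. A parse error makes ipf fail here,
# and the active ruleset is never touched.
ipf_stage_rules() {
    rules=$1
    ipf -IFi && ipf -IFo && ipf -I -f "$rules"
}

# Swap the staged rules in and wait up to TIMEOUT seconds for CONFIRM to
# appear (e.g. the admin runs "touch CONFIRM" from a new ssh session, proving
# the new rules did not lock them out). If it never appears, swap the previous
# ruleset back. Returns 0 if confirmed, 1 if reverted, 2 if the swap failed.
ipf_swap_with_revert() {
    confirm=$1
    timeout=$2
    rm -f "$confirm"
    ipf -s || return 2
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            # confirmed: flush the old ruleset, now sitting in the inactive table
            ipf -IFi && ipf -IFo
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    ipf -s    # timeout: the previous ruleset is active again
    return 1
}

# Usage (assumed paths, not run here):
#   ipf_stage_rules /etc/ipf.rules && ipf_swap_with_revert /var/run/ipf.confirm 60
```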
