On Sat, Aug 10, 2002 at 09:37:15AM -0700, Chris Willis wrote:
> I would like to create a filter that allows 4900&4901 inbound to the
> machine that already has tcp 5000 open. If tcp 5000 isn't open, then I
> do not want the UDP ports to be open inbound.
Short answer: you can't. I know this is possible with Linux' netfilter, but I don't think it's a feature that can be used securely.

If you think about it, how does the existing TCP connection authenticate the peer in any way that makes you trust him more than the rest of the world? Anyone could establish that TCP connection first and get access to the other ports. If you're not allowing the whole world to establish the TCP connection (by blocking on peer address), you could use the same restrictions for the other ports.

Ok, someone spoofing the source address couldn't complete a TCP handshake, so the established TCP connection excludes that. But a source spoofer could just as well pick an address that is likely to have a TCP connection already established with you and use that to send UDP packets.

There is a way to open ports after peers have truly authenticated themselves: authpf(8). Logging in via ssh might seem overly complicated, but what you get in exchange is a real authentication, as compared to security by obscurity that the 'related' (or whatever it's called in netfilter) feature offers.

Daniel
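As an added illustration of the authpf(8) approach Daniel suggests (this is not configuration from the original thread or from the OpenBSD project itself), the pf.conf and authpf.rules fragments below keep UDP 4900 and 4901 closed by default and open them only for the address of a user who has authenticated over ssh. The interface name `em0` and the service ports are assumptions; the `anchor "authpf/*"` syntax and the `$user_ip` macro are those of current OpenBSD releases, so older versions will need the anchor line adjusted:

```pf
# /etc/pf.conf (excerpt)
ext_if = "em0"          # assumed external interface

# Default deny for inbound traffic on the external interface.
block in on $ext_if

# Before authentication only ssh (used by authpf) and tcp 5000 reach the host.
# Nothing here opens the UDP ports: an open tcp/5000 session grants nothing.
pass in on $ext_if proto tcp from any to ($ext_if) port { 22, 5000 }

# Per-user rules that authpf(8) loads at login (and removes at logout)
# are evaluated at this anchor point.
anchor "authpf/*"
```

```pf
# /etc/authpf/authpf.rules
# authpf replaces $user_ip with the source address of the authenticated
# ssh session, so the UDP ports open only for that peer and only while
# the session is alive.
pass in on $ext_if proto udp from $user_ip to ($ext_if) port { 4900, 4901 }
```

The user's login shell is set to /usr/sbin/authpf, and an /etc/authpf/authpf.conf file must exist (it may be empty) for authpf to run. The security property Daniel describes comes from the ssh login itself: the rules are tied to a peer who has proven an identity, and they disappear when the ssh session ends, whereas a rule keyed on "tcp 5000 is open" trusts whoever happened to connect first.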
