On Sun, Oct 06, 2002 at 06:29:17PM +0200, Daniel Hartmeier wrote:
> Could you post a small rule set example that shows the feature? And
> maybe some examples of how a userland tool would use it, and where it's
> useful? I'm not entirely sure yet where I'd want to use the chains. :)
>
Think of a chain rule as a template, refined by an application proxy:
A rule like:
chain return-rst in on $ext_if proto tcp from any to any port > 49151 \
user proxy keep state label proxy1
can be refined by the proxy application to accept connections only
from the client address at a specific port.
The proxy only needs to be passed the label 'proxy1' to refine the rule.
The following fragment restricts the port and defines expiry time but
leaves the src, dst and dport the same as defined in the original chain rule.
#include <sys/ioctl.h>   /* ioctl() */
#include <arpa/inet.h>   /* htonl(), htons() */
#include <string.h>      /* memset(), strlcpy() */
#include <net/pfvar.h>   /* struct pfioc_chain, DIOCCHAINRULE (from the chain patch) */
struct pfioc_chain c;
memset(&c, 0, sizeof(c));               /* zero every field not refined below */
c.chain.src.addr32[0]=htonl(0);         /* 0 = keep the chain rule's src */
c.chain.dst.addr32[0]=htonl(0);         /* 0 = keep the chain rule's dst */
c.chain.sport=htons(0);                 /* 0 = keep the chain rule's sport */
c.chain.dport=htons(port);              /* restrict the hole to this dport */
c.chain.expire=expire;                  /* seconds until the hole closes */
strlcpy(c.label, label, sizeof(c.label)); /* always NUL-terminated, unlike strncpy */
if (ioctl(fd, DIOCCHAINRULE, &c) == -1) /* refinement rejected: no hole was opened */
        return -1;
You can use the included test application (which contains almost the same
code fragment) to create holes in a rule such as:
chain return-rst in on lo0 proto tcp from any to any port 40000 >< 50000
keep state label proxy1
using 'test proxy1 40666 30', which creates a hole to port 40666 for 30 secs,
for one connection only.
As a real-life example I can think of (samba) nmbd and NetBIOS
name resolution broadcasts, where keeping state does not work but a
small patch to nmbd would ;)
While the 'user proxy' restriction is possibly enough for ftp-proxy
and further limiting remote address and port may not be necessary,
the ftp-proxy needs a rdr (for full EPASV functionality) which can be
implemented within the same framework:
rdr chain on $ext_if from any to any label proxy2
In this case the application proxy can restrict src/dest ports and
specify the redirected host and port.
I have not worked out the exact syntax for using rdr with chain,
however the redirected ports/hosts should also be restricted:
rdr chain on $ext_if from any to any portspec -> $int_net portspec label proxy3
where portspec further restricts the port values specified by the chain rule.
Can
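The following is an added example, not code from the email or from the chain patch it describes. It shows the check a proxy should make on its own side before it refines a chain rule: the refinement must be strictly narrower than the template (the port must fall inside the rule's "40000 >< 50000" exclusive range, the hole must expire, and the label must fit). The layout of struct pfioc_chain, the value of PF_RULE_LABEL_SIZE, the ioctl number behind DIOCCHAINRULE, and the helpers chain_template, build_refinement, apply_refinement and refined_dport are all assumptions made for this example; only the field names and the DIOCCHAINRULE name come from the email.

```c
/* Added example: proxy-side construction and validation of a chain
 * refinement.  Everything below that looks like pfvar.h is a sketch of what
 * the email describes, not the real header. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/ioctl.h>

#define PF_RULE_LABEL_SIZE 64            /* assumed; real value is in pfvar.h */

struct pf_addr { uint32_t addr32[4]; };  /* sketch of pf's address union */

struct pf_chain_refinement {
    struct pf_addr src, dst;             /* 0 = keep the chain rule's value */
    uint16_t sport, dport;               /* network byte order; 0 = keep */
    uint32_t expire;                     /* seconds the hole stays open */
};

struct pfioc_chain {                     /* hypothetical ioctl argument */
    struct pf_chain_refinement chain;
    char label[PF_RULE_LABEL_SIZE];
};

/* Hypothetical ioctl number: only the name DIOCCHAINRULE appears in the email. */
#define DIOCCHAINRULE _IOWR('D', 99, struct pfioc_chain)

/* What the proxy knows about its template, e.g. "port 40000 >< 50000"
 * (pf's >< is an exclusive range) plus a local cap on hole lifetime. */
struct chain_template {
    uint16_t port_lo, port_hi;
    uint32_t max_expire;
};

/* Fills *c and returns 0, or returns -1 if the refinement would be wider
 * than the template or the label does not fit.  Only dport and expire are
 * refined; src, dst and sport stay 0 so the template's values apply. */
int build_refinement(const struct chain_template *t, const char *label,
                     uint16_t port, uint32_t expire, struct pfioc_chain *c)
{
    if (label == NULL || strlen(label) >= PF_RULE_LABEL_SIZE)
        return -1;                       /* label must fit with its NUL */
    if (port <= t->port_lo || port >= t->port_hi)
        return -1;                       /* must stay inside "lo >< hi" */
    if (expire == 0 || expire > t->max_expire)
        return -1;                       /* a hole must close on its own */

    memset(c, 0, sizeof(*c));            /* every unrefined field = "keep" */
    c->chain.dport = htons(port);
    c->chain.expire = expire;
    memcpy(c->label, label, strlen(label) + 1);   /* length checked above */
    return 0;
}

/* Sends the refinement to pf; returns 0 on success, -1 with errno set. */
int apply_refinement(int fd, const struct pfioc_chain *c)
{
    struct pfioc_chain copy = *c;        /* the kernel may write back into it */
    return ioctl(fd, DIOCCHAINRULE, &copy) == -1 ? -1 : 0;
}

/* Builds against the email's "40000 >< 50000" template (constructed values)
 * and returns the network-order dport, or 0 if the refinement was rejected. */
uint16_t refined_dport(uint16_t port, uint32_t expire)
{
    struct chain_template t = { 40000, 50000, 60 };
    struct pfioc_chain c;
    return build_refinement(&t, "proxy1", port, expire, &c) == 0 ? c.chain.dport : 0;
}
```

With this in place the call sequence from the email's test tool ("proxy1 40666 30") becomes build_refinement() followed by apply_refinement(); a request for port 40000 or 50000 (the exclusive bounds), for a zero or over-cap expiry, or with an over-long label is refused locally rather than handed to the kernel.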