[RndTbl] Connection tracking in ipfilter (Solaris) or ipfw (Mac OS X)?
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Tue Jan 20 12:01:27 CST 2009

I asked about this at the meeting last week, but nobody present was
familiar with ipfilter, so I thought I'd ask here in hopes of finding a
Solaris and/or Mac guru familiar with firewall configuration on these
platforms...

I've been using the Linux kernel's Netfilter/iptables configuration for
some time now, to handle firewalling for each of our Internet-connected
Linux hosts, and I'd like to do the same for our Solaris and Mac OS X
hosts as well. I've found some reasonable tutorials and FAQs online to
help with the basic setup, but I'm stuck with a few issues surrounding
connection tracking.

With iptables, you can load kernel modules to do connection tracking
that is application-layer-specific. I use 3 such modules:
- ip_conntrack_amanda, to handle Amanda backup requests
- ip_conntrack_ftp, to support FTP server data connections
- ip_conntrack_netbios_ns, to support NetBIOS name services
(e.g. in Samba)

I haven't found an equivalent mechanism in either ipfilter or ipfw to
allow for this, and their state-table mechanisms aren't powerful enough.
For example, for NetBIOS name services, the request goes out as a
broadcast, but replies come back directly, so they don't match the state
of the requests. (I can work around this by allowing all NMB replies
from the local net, but this is uglier.)

Amanda backup support is even trickier, for two reasons: First of all,
replies to requests can come back much later, after the state table
entries will have expired (whereas with ip_conntrack_amanda, you can set
a longer delay if needed), and secondly, there will be related,
follow-up connections on other ports, which need to be tracked. (Again,
I can work around this by allowing replies from the amanda port for
hosts on the local net, using a separate rule, as well as opening up
entire ranges of other ports for the local net. Again, this is uglier.)

Supporting an FTP server is even more problematic, particularly if I
want to open it up to connections from outside of the local net, without
opening up an entire port range to the outside world as well.

Any suggestions for clean, secure ways to implement firewall support for
these services using ipfilter or ipfw?

--
Gilbert E. Detillieux E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
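The following is an added illustration, not part of the original message and not code from ipfilter, ipfw or Netfilter. It models in Python why a plain 5-tuple state table (the "keep state" style the post describes) cannot match the NetBIOS and Amanda traffic patterns above, and what a conntrack-style application helper adds: an "expectation" that wildcards the peer address, lives longer than the normal state timeout, or is created from the contents of a reply. All addresses, ports other than 137 and 10080, packet timings and the "CONNECT DATA <port>" reply payload are constructed sample data; the helpers are hypothetical simplifications modelled on the behaviour of ip_conntrack_netbios_ns and ip_conntrack_amanda, not reimplementations of the real Amanda or NetBIOS protocols.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the firewalled host, "in" = arriving at it
    time: float = 0.0
    payload: str = ""


@dataclass
class StateTable:
    """Toy stateful filter: outbound packets create flow entries keyed on the
    full 5-tuple; inbound packets are admitted only if they match a live flow
    or a registered expectation (the helper mechanism)."""
    timeout: float = 60.0
    # (proto, local_addr, local_port, remote_addr, remote_port) -> expiry time
    flows: dict = field(default_factory=dict)
    # [proto, local_addr, local_port, remote_addr or None, remote_port or None, expiry]
    expectations: list = field(default_factory=list)

    def outbound(self, p: Packet) -> None:
        self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.time + self.timeout

    def expect(self, proto, laddr, lport, raddr=None, rport=None, lifetime=None, now=0.0):
        # None for raddr/rport means "any" (a wildcard the plain state table cannot express)
        self.expectations.append([proto, laddr, lport, raddr, rport, now + (lifetime or self.timeout)])

    def inbound_allowed(self, p: Packet) -> bool:
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        expiry = self.flows.get(key)
        if expiry is not None and p.time <= expiry:
            return True
        for i, (proto, laddr, lport, raddr, rport, exp) in enumerate(self.expectations):
            if (proto == p.proto and laddr == p.dst and lport == p.dport
                    and raddr in (None, p.src) and rport in (None, p.sport) and p.time <= exp):
                # Promote the matched expectation to a normal flow and consume it
                del self.expectations[i]
                self.flows[key] = p.time + self.timeout
                return True
        return False


def netbios_helper(table: StateTable, p: Packet) -> None:
    """Hypothetical analogue of ip_conntrack_netbios_ns: a name query sent as a
    broadcast is answered by unicast from whichever host owns the name, so
    expect a reply from any address to the querying port."""
    if p.direction == "out" and p.proto == "udp" and p.dport == 137 and p.dst.endswith(".255"):
        table.expect("udp", p.src, p.sport, raddr=None, rport=137, now=p.time)


def amanda_helper(table: StateTable, p: Packet, reply_lifetime: float = 600.0) -> None:
    """Hypothetical analogue of ip_conntrack_amanda: keep the request open much
    longer than the default timeout, and when the (constructed) reply names a
    data port, expect a related TCP connection from the peer to that port."""
    if p.direction == "out" and p.proto == "udp" and p.dport == 10080:
        table.expect("udp", p.src, p.sport, raddr=p.dst, rport=10080, lifetime=reply_lifetime, now=p.time)
    elif p.direction == "in" and p.proto == "udp" and p.sport == 10080:
        tokens = p.payload.split()
        for i, tok in enumerate(tokens):
            if tok == "DATA" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                table.expect("tcp", p.dst, int(tokens[i + 1]), raddr=p.src, rport=None, now=p.time)


# Constructed sample addresses
LOCAL, PEER, BCAST = "192.168.1.10", "192.168.1.5", "192.168.1.255"


def netbios_scenario(with_helper: bool) -> bool:
    """Broadcast query out, unicast reply back from a different address."""
    table = StateTable(timeout=60.0)
    query = Packet("udp", LOCAL, 137, BCAST, 137, "out", time=0.0)
    table.outbound(query)
    if with_helper:
        netbios_helper(table, query)
    reply = Packet("udp", PEER, 137, LOCAL, 137, "in", time=0.5)
    return table.inbound_allowed(reply)


def amanda_scenario(with_helper: bool) -> tuple:
    """Request out; reply arrives after the state timeout and announces a port
    on which a related inbound TCP connection then arrives."""
    table = StateTable(timeout=60.0)
    req = Packet("udp", LOCAL, 40000, PEER, 10080, "out", time=0.0)
    table.outbound(req)
    if with_helper:
        amanda_helper(table, req)
    reply = Packet("udp", PEER, 10080, LOCAL, 40000, "in", time=300.0, payload="CONNECT DATA 50001")
    reply_ok = table.inbound_allowed(reply)
    if with_helper and reply_ok:
        amanda_helper(table, reply)
    related = Packet("tcp", PEER, 51234, LOCAL, 50001, "in", time=301.0)
    return reply_ok, table.inbound_allowed(related)


if __name__ == "__main__":
    print("NetBIOS plain state / with helper:", netbios_scenario(False), netbios_scenario(True))
    print("Amanda  plain state / with helper:", amanda_scenario(False), amanda_scenario(True))
```

Without a helper both scenarios fail for exactly the reasons given in the message: the NetBIOS reply's source address differs from the broadcast destination recorded in the flow entry, and the Amanda reply arrives after the entry has expired, so the related data connection is never expected either. The workarounds described above (a static rule admitting port 137 replies, or port 10080 replies plus a port range, from the local net) correspond to leaving a permanent wildcard expectation in place; the helper instead creates a narrow, short-lived one per request, which is what makes the Linux approach both tighter and harder to replicate with a state table alone.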