UDP Packets through an ipfwadm firewall...

Post by Malwar » Sun, 28 Feb 1999 04:00:00



Hi Jerry,


> We're running a Linux firewall with non-routable numbers on our local network,
> including the dialup server.  Some of our game-players and IRC people who want
> to trade pictures using 'dcc' format, can't do it.  It seems that we aren't
> routing UDP packets.  Evidently they can receive, but can't send.  Help me. oh
> thou gurus...

'dcc' is not a picture format but stands IMO for 'direct client connect'
and is used by IRC clients to establish a direct connection between two
parties, bypassing the IRC server. Load the module 'ip_masq_irc'. You may
have to enable tcp-connects on some ports - I don't know which are used by
this module - in the 61000-65095 range of the firewall itself.

Malware

UDP Packets through an ipfwadm firewall...

Post by Tobias Reckhard (jest » Sun, 28 Feb 1999 04:00:00



> We're running a Linux firewall with non-routable numbers on our local network,
> including the dialup server.  Some of our game-players and IRC people who want
> to trade pictures using 'dcc' format, can't do it.  It seems that we aren't
> routing UDP packets.  Evidently they can receive, but can't send.  Help me. oh
> thou gurus...

IRC is extremely yucky, according to Chapman & Zwicky, authors of
"Building Internet Firewalls" by O'Reilly & Associates, because of
problems in the clients, which supposedly grant the servers generous
access to local resources like files, processes and programs. If you
really want to allow people to use it, they recommend you set up an
untrusted 'victim' machine that they need to log in to and perform IRC
from there. 'Normal' IRC can be treated with packet filtering just
like any other client-server protocol: the clients use TCP ports above
1023 while the server listens on port 6667. DCC makes life harder,
though, because it operates on random user-area (i.e. >1023) TCP ports,
with the client the data is being transferred from opening the
connection. This is ok when your people are DCCing out stuff, because
you can filter incoming traffic for the ACK bit, the appropriate rule
being identical with that for passive ftp-data, but if they want to
receive, the remote machines need to initiate a TCP connection to your
hosts from any high port. That is something you want to avoid. The
problem is, if you set up a dedicated machine, perhaps in a DMZ, for
IRC, you can't allow it to have access to the machines behind your
firewall, because you are allowing outside machines to initiate
connections. However, the only reason you want it out there is for
people to be able to DCC out. But if it's out there, they don't have
anything to DCC out.

So, in conclusion to an enormous and probably very confusing
paragraph, you can't allow them to use IRC and DCC out of your
firewall-protected network. They could send files as email
attachments, though; it's not much more work (they only need the other
person's email address).

HTH
Tobias
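The ACK-bit rule Tobias refers to (the ipfwadm `-k` style match, the same one used for passive ftp-data), modelled as an added example that is not part of the original thread; the rule and packet classes, the port numbers and the handshake packets are all constructed here to show why a stateless filter lets LAN-initiated high-port connections through but stops Internet-initiated ones:

```python
from dataclasses import dataclass

# Constructed model of a stateless ipfwadm-style packet filter: each rule
# sees one packet header at a time and keeps no connection state.
@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from the LAN)
    proto: str
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_lo: int
    dst_hi: int
    ack_only: bool      # like ipfwadm -k: match only packets with ACK set
    action: str         # "accept" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and self.dst_lo <= p.dst_port <= self.dst_hi
                and (p.ack or not self.ack_only))

# Policy from the post: LAN may open TCP connections outward; inbound TCP
# to user ports (>1023) is accepted only when ACK is set; everything else denied.
POLICY = [
    Rule("out", "tcp", 1, 65535, False, "accept"),
    Rule("in", "tcp", 1024, 65535, True, "accept"),
]

def decide(p: Packet, policy=POLICY) -> str:
    for r in policy:
        if r.matches(p):
            return r.action
    return "deny"

def run_handshake(initiator: str, local_port: int, remote_port: int):
    """Verdicts for the three TCP handshake packets when `initiator`
    ("lan" or "internet") opens the connection (constructed ports)."""
    if initiator == "lan":
        pkts = [Packet("out", "tcp", local_port, remote_port, syn=True),
                Packet("in", "tcp", remote_port, local_port, syn=True, ack=True),
                Packet("out", "tcp", local_port, remote_port, ack=True)]
    else:  # remote host tries to open a DCC connection to a LAN host
        pkts = [Packet("in", "tcp", remote_port, local_port, syn=True),
                Packet("out", "tcp", local_port, remote_port, syn=True, ack=True),
                Packet("in", "tcp", remote_port, local_port, ack=True)]
    # Note the stateless weakness: the bare inbound SYN is denied, yet a later
    # inbound packet carrying ACK would still match rule 2 on its own.
    return [decide(p) for p in pkts]
```

The LAN-initiated handshake is accepted in full, while the Internet-initiated one loses its opening SYN, which is exactly why DCC-in fails behind such a filter while DCC-out and ordinary client connections succeed.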