Hi,
I'm trying to use the ip_rcmd_pxy (RCMD proxy) on Linux (Slackware 12.0).
However, I can't get the RCMD proxy to work (nor the FTP proxy).
I'm not sure I'm doing this right. What I did was:
In ip_proxy.c around line 106, I moved
#include "netinet/ip_rcmd_pxy.c" below END OF INCLUDES.
Then I compiled this, which seems to force inclusion of ip_rcmd_pxy.
How do I firewall RCMD now? I don't really want to use NAT, just firewall.
I thought about using "NULL NAT".
In /etc/ipnat.conf:
map eth0 0.0.0.0/0 -> 0.0.0.0/0 proxy port shell rcmd/tcp
Without IPFILTER, I can rsh just fine (with correct .rhosts):
bash-3.1# rsh gecko ls
hardcopy.0
hardcopy.1
So that works from host asterix to gecko. Then I load the module:
[EMAIL PROTECTED]:/opt/ip_fil4.1.27-stes# modprobe ipfilter
[EMAIL PROTECTED]:/opt/ip_fil4.1.27-stes# ipnat -f /etc/ipnat.conf
[EMAIL PROTECTED]:/opt/ip_fil4.1.27-stes# ipnat -l
List of active MAP/Redirect filters:
map eth0 0.0.0.0/0 -> 0.0.0.0/0 proxy port shell rcmd/tcp
List of active sessions:
Next, I use the following IPF (and ipf -l)
# ipfstat -in
@1 pass in quick proto tcp from any to any port = ssh
@2 pass in quick proto tcp from any to any port = shell
@3 block return-rst in on eth0 all
The RCMD sessions are being blocked, the NAT rule doesn't seem to help.
2/01/2008 22:54:03.734095 2x eth0 @0:3 b 172.16.0.9,1021 -> 172.16.0.10,1022 PR tcp len 20 60 -AS IN
02/01/2008 22:54:06.819626 eth0 @0:3 b 172.16.0.9,1022 -> 172.16.0.10,1023 PR tcp len 20 40 -AR IN
02/01/2008 22:54:09.734750 2x eth0 @0:3 b 172.16.0.9,1021 -> 172.16.0.10,1022 PR tcp len 20 60 -AS IN
How should I write a rule that blocks all traffic, opens just SHELL,
and uses the RCMD proxy to accept those 'associated' connections?
Regards,
David Stes
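
Added example, not part of the original post: a small Python parser for the ipmon entries quoted above that totals blocked packets per rule and flow and marks whether either port is the shell port, so it is visible which packets rule @2 (port = shell) could not have matched. SAMPLE is the post's three entries with the wrapped lines rejoined; the field names and the value 514 for "shell" (the usual /etc/services entry) are assumptions of this example.

```python
import re
from collections import defaultdict

# The three ipmon entries from the post, with the wrapped lines rejoined.
SAMPLE = [
    "2/01/2008 22:54:03.734095 2x eth0 @0:3 b 172.16.0.9,1021 -> 172.16.0.10,1022 PR tcp len 20 60 -AS IN",
    "02/01/2008 22:54:06.819626 eth0 @0:3 b 172.16.0.9,1022 -> 172.16.0.10,1023 PR tcp len 20 40 -AR IN",
    "02/01/2008 22:54:09.734750 2x eth0 @0:3 b 172.16.0.9,1021 -> 172.16.0.10,1022 PR tcp len 20 60 -AS IN",
]

SHELL_PORT = 514  # assumption: "shell" as usually listed in /etc/services
FLAG_NAMES = {"S": "SYN", "A": "ACK", "R": "RST", "F": "FIN", "P": "PUSH", "U": "URG"}

LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<length>\d+) -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)$"
)

def parse(line):
    """Return one log entry as a dict, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "length"):
        rec[key] = int(rec[key])
    rec["count"] = int(rec["count"] or 1)  # "2x" prefix: entry seen twice
    rec["flag_names"] = [FLAG_NAMES.get(f, f) for f in rec["flags"]]
    rec["shell"] = SHELL_PORT in (rec["sport"], rec["dport"])
    return rec

def blocked_flows(lines):
    """Count blocked packets per (rule, source, destination, flags)."""
    flows = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        if rec["action"] == "b":  # "b" is ipmon's marker for a blocked packet
            key = (rec["rule"], f'{rec["src"]}:{rec["sport"]}',
                   f'{rec["dst"]}:{rec["dport"]}', "+".join(rec["flag_names"]))
            flows[key] += rec["count"]
    return dict(flows)

if __name__ == "__main__":
    for (rule, src, dst, flags), n in blocked_flows(SAMPLE).items():
        print(f"rule @{rule} blocked {n} packet(s) {src} -> {dst} [{flags}]")
```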