really 2 patches:
1) added numbering of ipchain rules in a) syslog-output (for packets
dumped by '-l'-rules, so that it is immediately visible which rule logged
the packet) and b) for "ipchains -L", so that the number in a) can be
found easily. The attached patch.ipchains.gz is for this thing only, the
other attached file contains code for both patches.
2) dynamic FTP-data connection rules. (attached file patch.ipchains.gz NOT
necessary for this!!! I repeat it!)
It is now possible to block _everything_ except for connections to port
21@ftp-server, the necessary data-connections are allowed through 'on
demand', i.e. the code scans for the ftp PORT-command and creates a
dynamic rule that allows the data connection in. This rule times out like
masquerading rules.
How: create a chain 'ftp-data' with command 'ipchains -N ftp-data'. You
cannot create/delete/replace rules in this chain, but you enable the above
patch. If this chain doesn't exist - no dynamic rules. 'ipchains -F|-Z'
will work on this chain, however. That's it. Now test it: block everything
except for destination port 21. Start an ftp session and watch 'ipchains
-L', how a new rule in chain ftp-data automagically appears when you issue
an ftp command that needs a data connection. The timeout values are
built-in, I choose 42 seconds for 2FINs seen and 180 seconds during the
connection.
It's the work of two days. The code is not as ugly as I feared. The patch
looks bigger than it really is because I moved a big function
(ip_fw_check) around.
Packets are tested against ftp-data rules before all others. Tested are
only: src/dst IP and port and protocol. Those 5 values describe exactly
one connection, always and everywhere, and we already know we want to let
it through.
The comming netfilter code will be the clean solution, I hope, but I
need it NOW, so I wrote it.
--
SuSE Linux
Michael Hasenstein
http://www.csn.tu-chemnitz.de/~mha/
Private Pilot (ASEL) since 1998
patch.ipchains.gz
patch.ftp-data.gz
