 From:  Joey Morin <jmorin at icomm dot ca>
 To:  Andrew Eglington <aeglington at hotmail dot com>
 Cc:  mk at neon1 dot net, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] port forwarding and SUGGESTION
 Date:  Sat, 26 Jun 2004 04:33:16 -0400 (EDT)
This one time, at band camp, Andrew Eglington said:

> What would be very useful would be an option in NAT/Firewall Rule setup
> to detect if anything is currently requesting a port/NAT and options to
> wizard/add a NAT/rule for it on that particular port/range, etc etc.
> Effectively making NAT/firewall rule setup a matter of probing the
> required function from outside, and being able to detect those probes
> from inside and make rules to allow access.
> That way if you know ssh on port X from blah.net knocks on the door of
> your WAN calling itself TheNameOfTheThingIWantToWorkNow on port X, you
> can more easily click a button labelled "Yeah. guide me through rules to
> connect that one"

kerio personal firewall does this under windoze.  sort of.  it's
configured by default to ask the user any time any port of any kind is
opened, inbound or outbound.  you are then asked to permit, deny, and/or
create a rule.  quite nice, actually.  makes it very easy to lock down a
machine.  i use the first alert that appears to create an advanced rule
that permits all outbound traffic, and another that permits only inbound
ssh (plus a couple of other msnetworking specific rules, which are
actually treated as special built-in functions of KPF).

> <thinking aloud>
> Making a NAT can auto add a matching rule, and setup detects plugged in
> WAN or LAN cards... How much more code would be required? would
> auto-NAT/rule-addition compromise m0n0 security principles? would it
> compromise the intent of m0n0 design?
> </thinking aloud>

a courageous suggestion :)

such functionality would have to tie into the default deny machinery,
perhaps as easily as parsing the logs.  the tough part would be making it
work through a webgui, i think.  how does mini_httpd force a page load
when a packet is processed by the default deny rule?  my gut tells me that
it would be plenty ugly, if not impossible, to implement in php, and that
i think is a step away from the spirit of m0n0...

... but there's always room for modules :-)
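The "parse the default-deny logs" idea above, as an added illustration (not m0n0wall code, and in Python rather than the webGUI's PHP): it groups ipmon-style block log lines by blocked inbound WAN port, drops hosts that look like port sweeps, and emits candidate ipf pass rules for an admin to review rather than apply. The log format, sample lines, interface/address values, scan threshold and ipf rule syntax are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Matches ipmon-style log lines (format assumed, modelled on ipmon's text output).
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @\S+ (?P<action>[bp]) (?P<src>[\d.]+),\d+ -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) .*?\b(?P<dir>IN|OUT)\s*$"
)

def blocked_inbound(lines, wan_iface):
    """Group blocked inbound WAN packets: (proto, dport) -> {src} and src -> {(proto, dport)}."""
    hits, ports_by_src = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "b" or m["dir"] != "IN" or m["iface"] != wan_iface:
            continue  # passed packets, outbound traffic and other interfaces are not candidates
        key = (m["proto"], int(m["dport"]))
        hits[key].add(m["src"])
        ports_by_src[m["src"]].add(key)
    return dict(hits), dict(ports_by_src)

def suggest_rules(hits, ports_by_src, wan_iface, wan_ip, scan_threshold=4):
    """One candidate ipf 'pass' rule (syntax assumed) per blocked port, ignoring ports touched
    only by sources that probed >= scan_threshold ports: a sweep is not a request for service."""
    scanners = {s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold}
    rules = []
    for (proto, dport), srcs in sorted(hits.items()):
        if srcs - scanners:
            rules.append(f"pass in quick on {wan_iface} proto {proto} "
                         f"from any to {wan_ip} port = {dport} keep state")
    return rules

# Constructed sample: SSH and OpenVPN attempts from hosts we might want to admit, one host
# sweeping four ports (a scan), a passed outbound packet, and a block on the LAN interface.
SAMPLE_LOG = """\
26/06/2004 04:30:01.000001 fxp0 @0:17 b 203.0.113.5,51234 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
26/06/2004 04:30:05.000002 fxp0 @0:17 b 203.0.113.5,51235 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
26/06/2004 04:30:09.000003 fxp0 @0:17 b 203.0.113.9,40000 -> 192.0.2.10,1194 PR udp len 20 60 IN
26/06/2004 04:31:00.000004 fxp0 @0:17 b 198.51.100.7,6000 -> 192.0.2.10,21 PR tcp len 20 60 -S IN
26/06/2004 04:31:00.000005 fxp0 @0:17 b 198.51.100.7,6001 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
26/06/2004 04:31:00.000006 fxp0 @0:17 b 198.51.100.7,6002 -> 192.0.2.10,25 PR tcp len 20 60 -S IN
26/06/2004 04:31:00.000007 fxp0 @0:17 b 198.51.100.7,6003 -> 192.0.2.10,80 PR tcp len 20 60 -S IN
26/06/2004 04:32:00.000008 fxp0 @0:5 p 192.0.2.10,44000 -> 203.0.113.5,80 PR tcp len 20 60 -S OUT
26/06/2004 04:32:30.000009 sis0 @0:17 b 10.0.0.3,5555 -> 10.0.0.1,23 PR tcp len 20 60 -S IN
"""

def candidate_rules_from_log(log_text=SAMPLE_LOG, wan_iface="fxp0", wan_ip="192.0.2.10"):
    hits, ports_by_src = blocked_inbound(log_text.splitlines(), wan_iface)
    return suggest_rules(hits, ports_by_src, wan_iface, wan_ip)
```

The candidates keep ipf's `from any`; narrowing that to the source addresses recorded in `hits` is the least-privilege choice when the requester is known.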