From 15462ff9cb200b6a646de7f40ab7854f7ee54ff6 Mon Sep 17 00:00:00 2001 From: ru Date: Tue, 27 Jun 2000 15:26:24 +0000 Subject: Added new option (-punch_fw) which allows to `punch holes' in the ipfirewall(4) for incoming FTP/IRC DCC connections. Submitted by: Rene de Vries Rewritten by: ru --- sbin/natd/natd.8 | 20 ++++++++++++++++++++ sbin/natd/natd.c | 29 +++++++++++++++++++++++++++-- 2 files changed, 47 insertions(+), 2 deletions(-) (limited to 'sbin/natd') diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8 index a0d56e5..60cf31c 100644 --- a/sbin/natd/natd.8 +++ b/sbin/natd/natd.8 @@ -29,6 +29,7 @@ .Op Fl config | f Ar configfile .Op Fl log_denied .Op Fl log_facility Ar facility_name +.Op Fl punch_fw Ar firewall_range .Sh DESCRIPTION This program provides a Network Address Translation facility for use with @@ -412,6 +413,25 @@ Use to put this information into the IP option field or .Ar encode_tcp_stream to inject the data into the beginning of the TCP stream. +.It Fl punch_fw Xo +.Ar basenumber Ns : Ns Ar count +.Xc +This option makes +.Nm +.Ql punch holes +in an +.Xr ipfirewall 4 +based firewall for FTP/IRC DCC connections. +The holes punched are bound by from/to IP address and port; it +will not be possible to use a hole for another connection. +A hole is removed when the connection that uses it dies. +.Pp +Arguments +.Ar basenumber +and +.Ar count +set the firewall range allocated for punching firewall holes. +The range will be cleared for all rules on startup. .El .Sh RUNNING NATD The following steps are necessary before attempting to run diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c index 2f45af5..a4845d8 100644 --- a/sbin/natd/natd.c +++ b/sbin/natd/natd.c 
@@ -98,6 +98,7 @@ static int StrToProto (const char* str); static int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange); static void ParseArgs (int argc, char** argv); static void FlushPacketBuffer (int fd); +static void SetupPunchFW(const char *strValue); /* * Globals. @@ -868,7 +869,8 @@ enum Option { DynamicMode, ProxyRule, LogDenied, - LogFacility + LogFacility, + PunchFW }; enum Param { @@ -1078,8 +1080,15 @@ static struct OptionInfo optionTable[] = { "facility", "name of syslog facility to use for logging", "log_facility", - NULL } + NULL }, + { PunchFW, + 0, + String, + "basenumber:count", + "punch holes in the firewall for incoming FTP/IRC DCC connections", + "punch_fw", + NULL } }; static void ParseOption (const char* option, const char* parms) @@ -1259,6 +1268,10 @@ static void ParseOption (const char* option, const char* parms) errx(1, "Unknown log facility name: %s", strValue); break; + + case PunchFW: + SetupPunchFW(strValue); + break; } } @@ -1687,3 +1700,15 @@ int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, p StrToAddr (str, addr); return StrToPortRange (ptr, proto, portRange); } + +static void +SetupPunchFW(const char *strValue) +{ + unsigned int base, num; + + if (sscanf(strValue, "%u:%u", &base, &num) != 2) + errx(1, "punch_fw: basenumber:count parameter required"); + + PacketAliasSetFWBase(base, num); + (void)PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW); +} -- cgit v1.1
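Review bot: SetupPunchFW at the end of the last hunk passes base and num straight to PacketAliasSetFWBase with no bounds check, and the new manual page in this same commit says the range "will be cleared for all rules on startup", so a typo such as `-punch_fw 10:60000` would have natd (running as root) delete the operator's real ipfw rules rather than fail. The `%u:%u` sscanf also accepts trailing junk (`100:50x` parses as 100:50) and, on common libc implementations, a leading minus sign, which wraps to a huge unsigned value. ipfw rule numbers are 16-bit with 65535 reserved for the default rule, so I would reject an empty range and one that reaches 65535 before touching libalias; the exact upper bound should be confirmed against the ipfirewall(4) header natd.c already includes (or whichever it does). A stricter parse via strtoul with an end-pointer check would also close the sign case, but the `%c` trick below is the smaller change.
```c
static void
SetupPunchFW(const char *strValue)
{
	unsigned int base, num;
	char extra;

	/* The trailing %c only matches if there is junk after the count. */
	if (sscanf(strValue, "%u:%u%c", &base, &num, &extra) != 2)
		errx(1, "punch_fw: basenumber:count parameter required");
	/* ipfw rule numbers are 16-bit and 65535 is the default rule; every
	 * rule in [base, base+num) is flushed at startup, so refuse an empty
	 * range and one that would reach the default rule. */
	if (base == 0 || num == 0 || base >= 65535 || num > 65535 - base)
		errx(1, "punch_fw: range %u:%u is out of bounds", base, num);

	/* … unchanged: PacketAliasSetFWBase / PacketAliasSetMode calls … */
}
```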