Subject: Re: Packet filtering in net
From: Stefan Bethke (stefan@Promo.DE)
Date: Fri Jun 28 1996 - 14:19:26 EDT
>> Is there a possibility to make netatalk do a kind of restrictive routing?
>Depends on your OS. For Ultrix and SunOS 4, there's a flag in
>sys/netatalk/ddp_input.c called ddp_firewall. The default value is 0.
>If you set it to something else, it causes the kernel to not permit
>packets to cross interfaces on the netatalk router. Linux and Solaris
>don't have this flag, but it's pretty easy to add.
What I didn't explain in my last message: there are two things an AT firewall should do: make sure that only allowed packets are actually forwarded (possibly none in the configuration in question), and filter all network information protocols (ZIP, RTMP, NBP) to make sure only services actually available are announced to "the other side". Shutting off packet forwarding completely is secure, but as atalkd will still do NBP lookups on both sides, and ZIP will still provide unreachable zones, the Chooser will be cluttered with unnecessary info.
Also, if you want to have a real firewall, you'd better make sure no info about the hidden network and services is available anyway.
Another solution to provide single, well-defined services to hostile networks: a proxy/tunnel which "exports" a service through some other protocol (hence tunnel) to a remote AT network.
Stefan
--
Promo Datentechnik      | Tel. 040/431360-0
+ Systemberatung GmbH   | Fax. 040/431360-60
Waterloohain 6-8        | e-mail: stefan@Promo.DE
D-22769 Hamburg         | http://www.Promo.DE/
This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:24:07 EST
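The two-part policy described in the message above (forward only explicitly allowed packets between interfaces, and never let RTMP/NBP/ZIP cross the router) as an added illustrative DDP packet filter in C. This is example code written for this page; it is not netatalk's ddp_input.c, not the ddp_firewall flag, and not any real kernel API. The interface names, the fw_policy struct, the exported-service list, the packet builder and the sample addresses are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DDP_HDR_LEN 13            /* long DDP header (Inside AppleTalk) */

/* DDP type field values */
#define DDPTYPE_RTMP   1          /* RTMP data (response) */
#define DDPTYPE_NBP    2          /* Name Binding Protocol */
#define DDPTYPE_ATP    3          /* ATP; ASP/AFP file service runs over it */
#define DDPTYPE_RTMPRQ 5          /* RTMP request */
#define DDPTYPE_ZIP    6          /* Zone Information Protocol */

struct ddp_hdr {
    unsigned hops, length;
    uint16_t checksum, dst_net, src_net;
    uint8_t  dst_node, src_node, dst_sock, src_sock, type;
};

/* Parse a long DDP header from a raw buffer. Returns 0 on success, -1 if
 * the buffer is truncated or the length field does not fit in it. */
int ddp_parse(const uint8_t *pkt, size_t len, struct ddp_hdr *h)
{
    if (len < DDP_HDR_LEN) return -1;
    h->hops     = (pkt[0] >> 2) & 0x0f;               /* bits 2-5 of byte 0 */
    h->length   = ((pkt[0] & 0x03) << 8) | pkt[1];    /* 10-bit datagram length */
    h->checksum = (uint16_t)((pkt[2] << 8) | pkt[3]);
    h->dst_net  = (uint16_t)((pkt[4] << 8) | pkt[5]);
    h->src_net  = (uint16_t)((pkt[6] << 8) | pkt[7]);
    h->dst_node = pkt[8];  h->src_node = pkt[9];
    h->dst_sock = pkt[10]; h->src_sock = pkt[11];
    h->type     = pkt[12];
    if (h->length < DDP_HDR_LEN || h->length > len) return -1;
    return 0;
}

/* Hypothetical interface and verdict names for the example router. */
enum { IF_INSIDE = 0, IF_OUTSIDE = 1 };
enum { FW_DROP = 0, FW_PASS = 1 };

/* One exported service: the DDP address (net/node/socket) it listens on. */
struct svc { uint16_t net; uint8_t node, sock; };

/* Hypothetical policy: the only services reachable from the outside. */
struct fw_policy { const struct svc *exported; size_t n_exported; };

static int is_control(uint8_t t)
{
    return t == DDPTYPE_RTMP || t == DDPTYPE_RTMPRQ ||
           t == DDPTYPE_NBP  || t == DDPTYPE_ZIP;
}

static int svc_match(const struct fw_policy *p, uint16_t net, uint8_t node, uint8_t sock)
{
    for (size_t i = 0; i < p->n_exported; i++)
        if (p->exported[i].net == net && p->exported[i].node == node &&
            p->exported[i].sock == sock)
            return 1;
    return 0;
}

/* Decide whether a packet arriving on in_if may be forwarded out of out_if. */
int ddp_firewall(const struct fw_policy *p, const uint8_t *pkt, size_t len,
                 int in_if, int out_if)
{
    struct ddp_hdr h;
    if (ddp_parse(pkt, len, &h) != 0) return FW_DROP;   /* malformed: never forward */
    if (in_if == out_if) return FW_PASS;                 /* does not cross the router */
    /* Rule 1: routing, naming and zone information never crosses. */
    if (is_control(h.type)) return FW_DROP;
    /* Rule 2: only requests to an exported service, and replies from it, cross. */
    if (in_if == IF_OUTSIDE && out_if == IF_INSIDE)
        return svc_match(p, h.dst_net, h.dst_node, h.dst_sock) ? FW_PASS : FW_DROP;
    if (in_if == IF_INSIDE && out_if == IF_OUTSIDE)
        return svc_match(p, h.src_net, h.src_node, h.src_sock) ? FW_PASS : FW_DROP;
    return FW_DROP;
}

/* Build a long-header DDP datagram with dlen zero bytes of payload
 * (constructed test data, not a capture). Returns total length or 0. */
size_t ddp_build(uint8_t *buf, size_t cap, uint8_t type,
                 uint16_t dnet, uint8_t dnode, uint8_t dsock,
                 uint16_t snet, uint8_t snode, uint8_t ssock, size_t dlen)
{
    size_t total = DDP_HDR_LEN + dlen;
    if (total > cap || total > 0x3ff) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)((total >> 8) & 0x03);   /* hop count 0, length high bits */
    buf[1] = (uint8_t)(total & 0xff);
    buf[4] = (uint8_t)(dnet >> 8); buf[5] = (uint8_t)(dnet & 0xff);
    buf[6] = (uint8_t)(snet >> 8); buf[7] = (uint8_t)(snet & 0xff);
    buf[8] = dnode;  buf[9] = snode;
    buf[10] = dsock; buf[11] = ssock;
    buf[12] = type;
    return total;
}
```

This models only the kernel forwarding path. As the message points out, NBP lookups are answered by atalkd in user space on both interfaces, so a kernel filter like this one does not by itself stop the hidden side's names and zones from being announced; that part has to be handled in atalkd (or by the proxy/tunnel approach) as well.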