Subject Re: [firebird-support] Any news regarding SuperClassic and events / RemoteAuxPort?
Author Milan Babuskov
Dimitry Sibiryakov wrote:
> I am also not an expert in firewalls. You should go to specialized
> forum and ask if it is possible:
> 1) Forward connection to any port from host in white list.

Yes. Easily doable.

> 2) Add source host to white list on connect to port 3050.

That looks like a huge potential security hole to me. All the hacker
needs to do is to connect on port 3050 and get access to all ports on
the server?

I can easily do:

telnet your_ip 3050

and after that the firewall is down for me. No firewall I've seen is
smart enough to be able to understand Firebird's protocol and check
whether authentication failed.

A much better idea would be to set up some ON CONNECT trigger to alert
the system to kick in the firewall rule (and maybe even ON DISCONNECT to
kill it). You could have ON CONNECT/ON DISCONNECT triggers writing that
info to some table and a small separate application running in the
background on the server and checking it. You can even post events from
those triggers to the application so that firewall rules get applied
instantly.

> 3) Remove the host from white list after disconnect.

Yes. Also easily doable.

>> I've read a paper on Firebird and events which said that Classic + Events +
>> Firewall over the Internet is not doable, but again, I might have misread it
>> or the paper might have been wrong...
>
> Maybe the author of the paper didn't have enough fantasy to imagine
> the way...

Obviously. Looks like he'll need to update it ;)

Regards,

--
Milan Babuskov
http://www.flamerobin.org
http://www.guacosoft.com
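
An added example, not code from this thread, of the background application described in the message above: it takes the rows that ON CONNECT / ON DISCONNECT triggers are assumed to write (session id, event kind, client address) and works out which hosts to add to or remove from the white list. The row layout, the function names and the sample addresses are hypothetical; applying the resulting actions to a particular firewall is outside the example.

```python
import ipaddress

# Constructed sample rows, in the order the triggers would have logged them:
# (session id, event kind, client address). The table layout is an assumption.
SAMPLE_EVENTS = [
    (101, "CONNECT", "203.0.113.7"),
    (102, "CONNECT", "203.0.113.7"),     # second session from the same host
    (103, "CONNECT", "198.51.100.20"),
    (101, "DISCONNECT", "203.0.113.7"),
    (103, "DISCONNECT", "198.51.100.20"),
    (104, "CONNECT", "not-an-address"),  # malformed value, must be ignored
    (105, "DISCONNECT", "192.0.2.9"),    # disconnect with no known connect
]


def open_hosts(events):
    """Return the set of hosts that still have at least one open session."""
    sessions = {}  # session id -> validated address
    for session_id, kind, address in events:
        try:
            host = str(ipaddress.ip_address(address.strip()))
        except ValueError:
            continue  # never pass unvalidated text on to a firewall rule
        if kind == "CONNECT":
            sessions[session_id] = host
        elif kind == "DISCONNECT":
            # Keyed by session, so a host stays listed until its last
            # session has gone, not its first.
            sessions.pop(session_id, None)
    return set(sessions.values())


def plan_changes(events, currently_allowed):
    """Diff the wanted white list against what the firewall has now."""
    wanted = open_hosts(events)
    allow = sorted(wanted - currently_allowed)
    revoke = sorted(currently_allowed - wanted)
    return [("allow", h) for h in allow] + [("revoke", h) for h in revoke]


if __name__ == "__main__":
    # 198.51.100.20 is still listed from earlier but has no session left.
    for action, host in plan_changes(SAMPLE_EVENTS, {"198.51.100.20"}):
        print(action, host)
```

Because the plan is a diff against the firewall's current state, running it again after a missed event or a restart converges on the right white list instead of stacking duplicate rules.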