From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Wed, 22 Mar 2006 10:26:34 -0500
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Google Talk and NAT issue ?
Message-ID: <44216CAA.3060609@mac.com>

fbsd_user wrote:
> Just what do you mean by punching a hole in the
> firewall without the firewall's knowledge?
>
> The firewall is designed to stop just such a thing.

If the firewall opens a path for the external server inbound as a result of supporting active-mode FTP or the data channel for IRC, which most firewalls do by default if they permit FTP through in the first place, that can be used to send arbitrary data back to the client.

Having the firewall block FTP, HTTP, and IRC/6667 traffic from inside machines, except for a trusted and monitored proxy server like Squid, will significantly improve the security of the network...

--
-Chuck
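The policy Chuck describes, written out as a pf.conf fragment for a FreeBSD NAT gateway; this is an added example, not part of the message, and the interface names, LAN range and Squid host address are assumed placeholders.

```pf
# Added example, not from the original message: pf.conf for a FreeBSD
# NAT gateway that lets only the Squid host originate FTP, HTTP and IRC.
# Interface names, LAN range and proxy address are assumed placeholders.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
proxy  = "192.168.1.10"                # trusted, monitored Squid box
proxied_ports = "{ 21, 80, 6667 }"     # FTP control, HTTP, IRC

set skip on lo0
scrub in all

# Hide the LAN behind the gateway address.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny in both directions; everything below is an explicit exception.
block log all

# The proxy may originate FTP/HTTP/IRC. It is listed before the LAN-wide
# block so the block rule below does not catch it.
pass in quick on $int_if proto tcp from $proxy to any port $proxied_ports \
    flags S/SA keep state

# Ordinary LAN hosts get a RST and a pflog entry when they try to go direct,
# which makes clients bypassing the proxy visible in the logs.
block return in log quick on $int_if proto tcp from $lan to any port $proxied_ports

# Everything else from the LAN is stateful and client-initiated only: no
# ftp-proxy or other helper ever opens an inbound path for active-mode FTP
# data connections or IRC DCC, so the outside server cannot connect back.
pass in on $int_if from $lan to any keep state
pass out on $ext_if from any to any keep state
```

Watch pflog for the `block return` hits: each one is an internal host that tried to reach FTP, HTTP or IRC without going through Squid.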