Date:      Thu, 22 Mar 2001 05:11:16 -0500
From:      Daniel Hagan <dhagan@colltech.com>
To:        "Patrick O'Reilly" <patrick@mip.co.za>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: freebsd 4.2 ipfw natd
Message-ID:  <3AB9CFC4.11018F6E@colltech.com>
References:  <NDBBIMKICMDGDMNOOCAIMEOPCEAA.patrick@mip.co.za>

Patrick O'Reilly wrote:
> ------------------
> # FTP - Allow access from our LAN to External FTP servers
> ${fwcmd} add pass tcp from any    to any 21         setup
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

This would make the firewall transparent to ftp sessions in _both_
directions, not just from your lan out.

> # FTP - Allow access from the net to our FTP server
> ${fwcmd} add pass tcp from any        to x.x.x.x 21     setup
> ${fwcmd} add pass tcp from x.x.x.x 20 to any 1024-65535 setup

FTP is a crappy protocol to packet filter.  I'm not familiar with the
issues involved, but I believe proxy servers located in a DMZ (or
integrated into the firewall) are a much better solution than packet
filters.

Sorry I can't give you a more detailed explanation.

Daniel
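As an added example (not code from either message in this thread), here are Patrick's two rule pairs rewritten so that the outbound pair is keyed to the LAN prefix instead of `from any`, which is what Daniel's remark about the firewall being transparent in both directions comes down to, plus a small check that flags rules whose source and destination are both `any`. The LAN prefix 10.0.0.0/24, the server address and the ipfw path are assumptions for illustration. Note that the outbound data-channel rule still has to accept SYNs from source port 20 to LAN ports above 1023, because in active-mode FTP the remote server opens that connection; a stateless filter cannot tighten that part, which is one reason to prefer a proxy as Daniel suggests.

```shell
#!/bin/sh
# Added example (not from Patrick's or Daniel's messages): ipfw rules for
# active-mode FTP scoped to a LAN prefix rather than "from any to any", plus
# a check that flags rules left unscoped on both sides.  The prefix, server
# address and ipfw path are assumptions for illustration.

FWCMD="${FWCMD:-/sbin/ipfw}"

# Rules for LAN clients ($1, a CIDR prefix) reaching external FTP servers:
# control channel LAN -> any:21, data channel any:20 -> LAN unprivileged ports.
ftp_rules_lan_out() {
    lan="$1"
    printf '%s add pass tcp from %s to any 21 setup\n' "$FWCMD" "$lan"
    printf '%s add pass tcp from any 20 to %s 1024-65535 setup\n' "$FWCMD" "$lan"
}

# Rules for Internet clients reaching our FTP server ($1, a single address):
# control channel any -> server:21, data channel server:20 -> any high port.
ftp_rules_server_in() {
    srv="$1"
    printf '%s add pass tcp from any to %s 21 setup\n' "$FWCMD" "$srv"
    printf '%s add pass tcp from %s 20 to any 1024-65535 setup\n' "$FWCMD" "$srv"
}

# Read rules on stdin and print those whose source and destination are both
# "any": such a rule matches a session started from either side.  Returns 0
# when nothing is flagged, 1 when at least one rule is unscoped.
flag_unscoped() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            *" from any to any "*|*" from any "*" to any "*)
                printf 'unscoped: %s\n' "$rule"
                found=1 ;;
        esac
    done
    return $found
}

# Preview the scoped rules without touching the kernel:
#   FWCMD=echo sh ftp_rules.sh
if [ "${1:-}" = "--preview" ]; then
    ftp_rules_lan_out 10.0.0.0/24      # assumed LAN prefix
    ftp_rules_server_in 192.0.2.10     # assumed FTP server address
fi
```

To audit a live rule set, source the file and pipe `ipfw list` into `flag_unscoped`; the check only looks at the `from`/`to` fields, so it works on listed rules as well as on the shell variables form used in the thread.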
