Date: Thu, 22 Mar 2001 12:32:17 +0200
From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "Daniel Hagan" <dhagan@colltech.com>
Cc: <freebsd-ipfw@FreeBSD.ORG>
Subject: RE: freebsd 4.2 ipfw natd
Message-ID: <NDBBIMKICMDGDMNOOCAIMEPDCEAA.patrick@mip.co.za>
In-Reply-To: <3AB9CFC4.11018F6E@colltech.com>
Oooops! I was not paying attention, was I?

The first example does allow FTP both ways! A better example would be:

--------------
# FTP - Allow access from our LAN to External FTP servers
${fwcmd} add pass tcp from z.z.z.z/24 to any 21 setup
${fwcmd} add pass tcp from any 20 to z.z.z.z/24 1024-65535 setup
--------------

where z.z.z.z/24 is your LAN's network IP and Netmask.
(The z.z.z.z also suitably representing my prior state of mind :)

Daniel's points re FTP and security are entirely valid too. FTP is known to be somewhat flaky on the security front. A Proxy would be best (I have not done that before), else make sure the FTP server is dedicated to that task and isolated from the rest of your network so that if it is cracked the damage is contained.

Personally, we use a dedicated FTP server in our DMZ to achieve this goal (Isolated from the LAN, and contained to the server if it gets cracked).

Thanks for the wake-up call Daniel :)

Patrick.

-----Original Message-----
From: Daniel Hagan [mailto:dhagan@colltech.com]
Sent: 22 March 2001 12:11
To: Patrick O'Reilly
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: freebsd 4.2 ipfw natd

Patrick O'Reilly wrote:
> ------------------
> # FTP - Allow access from our LAN to External FTP servers
> ${fwcmd} add pass tcp from any to any 21 setup
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

This would make the firewall transparent to ftp sessions in _both_ directions, not just from your lan out.

> # FTP - Allow access from the net to our FTP server
> ${fwcmd} add pass tcp from any to x.x.x.x 21 setup
> ${fwcmd} add pass tcp from x.x.x.x 20 to any 1024-65535 setup

FTP is a crappy protocol to packet filter. I'm not familiar with the issues involved, but I believe proxy servers located in a DMZ (or integrated into the firewall) are a much better solution than packet filters. Sorry I can't give you a more detailed explanation.
Daniel
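Added example, not part of the thread and not FreeBSD's own code: a small matcher for the subset of ipfw rule syntax both messages use ("add pass tcp from A [ports] to B [ports] setup"), so the "any to any" rules Daniel objected to and Patrick's LAN-scoped replacement can be checked against sample TCP connection attempts offline. The LAN prefix 192.0.2.0/24 is a constructed stand-in for z.z.z.z/24, the external hosts are documentation addresses, and the implicit final deny assumes the ipfw default-deny rule 65535.

```python
"""Evaluate ipfw-style 'pass/deny tcp from ... to ... [setup]' rules against
sample TCP SYNs.  Handles only the syntax used in the mailing-list thread;
it is an illustration, not an ipfw reimplementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Ports = Optional[Tuple[int, int]]          # None means "any port"
Net = Optional[ipaddress.IPv4Network]      # None means "any"


@dataclass
class Rule:
    action: str        # "pass" or "deny"
    src: Net
    sports: Ports
    dst: Net
    dports: Ports
    setup: bool        # 'setup' keyword: match only connection-establishing SYNs


def _parse_addr(tok: str) -> Net:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _parse_ports(tok: str) -> Ports:
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'add pass tcp from any 20 to 192.0.2.0/24 1024-65535 setup'."""
    toks = text.split()
    if toks[0] == "add":               # optional 'add [number]' prefix
        toks = toks[1:]
    if toks[0].isdigit():
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    if proto != "tcp" or toks[2] != "from":
        raise ValueError("only 'tcp from ... to ...' rules are handled here")
    src, i, sports = _parse_addr(toks[3]), 4, None
    if toks[i] != "to":                # optional source port(s)
        sports, i = _parse_ports(toks[i]), i + 1
    dst, i, dports = _parse_addr(toks[i + 1]), i + 2, None
    if i < len(toks) and toks[i] != "setup":   # optional destination port(s)
        dports, i = _parse_ports(toks[i]), i + 1
    return Rule(action, src, sports, dst, dports, i < len(toks) and toks[i] == "setup")


def _addr_ok(net: Net, addr: str) -> bool:
    return net is None or ipaddress.ip_address(addr) in net


def _port_ok(rng: Ports, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(rules: List[Rule], src: str, sport: int, dst: str, dport: int,
             syn: bool = True) -> str:
    """First matching rule wins, as in ipfw; nothing matched -> default deny."""
    for r in rules:
        if r.setup and not syn:
            continue
        if (_addr_ok(r.src, src) and _port_ok(r.sports, sport)
                and _addr_ok(r.dst, dst) and _port_ok(r.dports, dport)):
            return r.action
    return "deny"


LAN = "192.0.2.0/24"   # constructed stand-in for z.z.z.z/24 in the thread

# Patrick's first version, quoted by Daniel: 'any' on both sides.
ORIGINAL = [parse_rule(r) for r in (
    "add pass tcp from any to any 21 setup",
    "add pass tcp from any 20 to any 1024-65535 setup",
)]
# The corrected version, scoped to the LAN prefix.
SCOPED = [parse_rule(r) for r in (
    f"add pass tcp from {LAN} to any 21 setup",
    f"add pass tcp from any 20 to {LAN} 1024-65535 setup",
)]


def check(rules: List[Rule]) -> Tuple[str, str, str]:
    """Three constructed SYNs: LAN->external control channel, the active-mode
    data channel coming back from port 20, and an internet host reaching a
    LAN FTP port.  Returns the verdict for each."""
    outbound = evaluate(rules, "192.0.2.10", 40000, "198.51.100.7", 21)
    data_back = evaluate(rules, "198.51.100.7", 20, "192.0.2.10", 40001)
    inbound = evaluate(rules, "203.0.113.9", 40000, "192.0.2.10", 21)
    return outbound, data_back, inbound


if __name__ == "__main__":
    print("original:", check(ORIGINAL))   # all three pass: FTP open both ways
    print("scoped:  ", check(SCOPED))     # inbound control connection now denied
```

The scoped ruleset denies the inbound control connection, which is the correction Patrick posted. The second rule still admits any SYN from a remote source port 20 to a LAN high port, because active-mode FTP needs that hole; that residual exposure is the reason Daniel prefers a proxy or an isolated DMZ host over a pure packet filter, and a stateful check-state/established rule pair or an FTP proxy is the usual mitigation.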