From owner-freebsd-ipfw Thu Mar 22 2:32:39 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mip.co.za (puck.mip.co.za [209.212.106.44]) by hub.freebsd.org (Postfix) with ESMTP id 397B237B719 for ; Thu, 22 Mar 2001 02:32:33 -0800 (PST) (envelope-from patrick@mip.co.za)
Received: from patrick (patrick.mip.co.za [10.3.13.181]) by mip.co.za (8.9.3/8.9.3) with SMTP id MAA30980; Thu, 22 Mar 2001 12:32:18 +0200 (SAST) (envelope-from patrick@mip.co.za)
From: "Patrick O'Reilly"
To: "Daniel Hagan"
Cc:
Subject: RE: freebsd 4.2 ipfw natd
Date: Thu, 22 Mar 2001 12:32:17 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <3AB9CFC4.11018F6E@colltech.com>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Oooops!  I was not paying attention, was I?

The first example does allow FTP both ways!

A better example would be:

--------------
# FTP - Allow access from our LAN to External FTP servers
${fwcmd} add pass tcp from z.z.z.z/24 to any 21 setup
${fwcmd} add pass tcp from any 20 to z.z.z.z/24 1024-65535 setup
--------------

where z.z.z.z/24 is your LAN's network IP and Netmask.
(The z.z.z.z also suitably representing my prior state of mind :)

Daniel's points re FTP and security are entirely valid too.  FTP is known to be somewhat flaky on the security front.  A Proxy would be best (I have not done that before), else make sure the FTP server is dedicated to that task and isolated from the rest of your network so that if it is cracked the damage is contained.

Personally, we use a dedicated FTP server in our DMZ to achieve this goal (Isolated from the LAN, and contained to the server if it gets cracked).

Thanks for the wake-up call Daniel :)

Patrick.
-----Original Message-----
From: Daniel Hagan [mailto:dhagan@colltech.com]
Sent: 22 March 2001 12:11
To: Patrick O'Reilly
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: freebsd 4.2 ipfw natd

Patrick O'Reilly wrote:
> ------------------
> # FTP - Allow access from our LAN to External FTP servers
> ${fwcmd} add pass tcp from any to any 21 setup
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

This would make the firewall transparent to ftp sessions in _both_ directions, not just from your lan out.

> # FTP - Allow access from the net to our FTP server
> ${fwcmd} add pass tcp from any to x.x.x.x 21 setup
> ${fwcmd} add pass tcp from x.x.x.x 20 to any 1024-65535 setup

FTP is a crappy protocol to packet filter.  I'm not familiar with the issues involved, but I believe proxy servers located in a DMZ (or integrated into the firewall) are a much better solution than packet filters.  Sorry I can't give you a more detailed explanation.

Daniel