Date: Wed, 27 Feb 2002 14:48:06 +0100 From: Bart Matthaei <bart@dreamflow.nl> To: m p <sumirati@yahoo.de> Cc: security@freebsd.org Subject: Re: best firewall option for FreeBSD Message-ID: <20020227144806.W62131@heresy.dreamflow.nl> In-Reply-To: <20020227132846.28405.qmail@web13305.mail.yahoo.com>; from sumirati@yahoo.de on Wed, Feb 27, 2002 at 02:28:46PM %2B0100 References: <20020227132846.28405.qmail@web13305.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--NqSa+Xr3J/G6Hhls Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote: > To filter all but ssh, http, https, smtp and pop3 (aka mail (what you mea= nt > with outlook)) you can choose both. But ftp is a braindead (from a firewa= ller > sight) protocol. You can not simple make a rule "allow tcp from internal > network to external ftp-server" - because it will use more than one port. Agreed. I know that linux has a fix for this issue. There's FTP masquerading support in the kernel. BSD hasn't got such a thing as far as i know. You can try to direct all the ftp traffic to natd, or ipnat. (ipfw divert natd tcp from any to any 21).=20 No idea if this will actually work. > So you should use ipfilter which "inspects" the pakets flowing through to= get > the new ftp port which have to be open - or use a ftp-proxy (there are so= me in > the ports, look for one fitting your purpose). Agreed. No comments on your other advice ;) Regards, Bart --=20 Bart Matthaei bart@dreamflow.nl=20 Kiss me twice. I'm schizophrenic. --NqSa+Xr3J/G6Hhls Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8fOOWgcc6pR+tCegRAl6EAJ4mo9FS2iqZQNNOf0sqcRgxHLbA9gCaAuRr Aba/uq8ZL5iyNcSzDSHM9/M= =Y6lo -----END PGP SIGNATURE----- --NqSa+Xr3J/G6Hhls-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020227144806.W62131>