Date: Wed, 30 Dec 1998 19:26:45 -0800
From: Dean <dean@thegrid.net>
To: Scott Ullrich <sullrich@in-net.net>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and ftp
Message-ID: <368AEEF5.B48E42D6@thegrid.net>
References: <47C8D349258FD211B59B00A0C95531F31360@newman.cre8.com>
Scott Ullrich wrote:
> FTP's work transparently through the firewall without any problems. The
> problem is incoming FTP, especially when you want to publish to an
> inside machine. If you are only worried about ftping from your network
> then you should not have any problems.
I don't think that this is the case. FTP requires two data connections.
Let's suppose that I'm on the inside of a packet filtering gateway and
want to make an outgoing ftp connection to somehost.com. My client
would initiate a tcp connection to port 21 on somehost and give the ftp
server a random non-privileged port. The somehost would then
INITIATE a tcp connection from port 20 to that random port on my
internal machine. If I want to run a strict filtering gateway, then this
connection should be denied and the ftp would fail. There is a passive
mode where the client instructs the server to pick a port and then the
client will initiate the outgoing connection. Unfortunately, not all
clients support the pasv command and not all servers understand it.
I will probably run some form of proxy server on the gateway machine.
Dean
>
> As far as DNS is concerned, I run 2 dns boxes. The FIREWALL box is my
> outside DNS and a 386 is being used for inside queries.
>
> I have all of the client machines resolving to the inside DNS server
> which in turn forwards to the outside box if it cannot come up with the
> answer. This setup has worked flawlessly for 2 years and I highly
> recommend it. If you have any questions, I can be reached at
> sullrich@in-net.net.
>
> Take care and happy BSD'n!
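The active/passive distinction Dean describes can be made concrete by tracing which side opens the data channel and checking that against a strict "inside-out only" filter. The following is an added example, not code from the thread or from ipfw; the addresses, the control-channel transcript and the policy function are constructed for illustration. It decodes the six-field address/port encoding used by `PORT` and by the `227` PASV reply (port = p1*256 + p2), works out the direction of the resulting TCP data connection, and applies a stateless policy that permits new connections only from the internal network outward.

```python
import re
from dataclasses import dataclass

# Constructed addresses (not from the message): an internal client behind a
# strict packet filter and an external FTP server standing in for somehost.com.
INTERNAL_NET = "192.168.1."
CLIENT_IP = "192.168.1.10"
SERVER_IP = "203.0.113.5"

_SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"


def _host_port(fields):
    """Decode the six decimal fields FTP uses: h1,h2,h3,h4 then p1*256+p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line):
    """Client's PORT command: the address/port the server must connect back to."""
    m = re.fullmatch(r"PORT " + _SIX, line.strip())
    if m is None:
        raise ValueError(f"not a PORT command: {line!r}")
    return _host_port(m.groups())


def parse_pasv_reply(line):
    """Server's 227 reply: the address/port the client should connect out to."""
    m = re.search(r"^227 .*\(" + _SIX + r"\)", line.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _host_port(m.groups())


@dataclass(frozen=True)
class DataConnection:
    """The TCP SYN that opens the data channel: who connects to whom."""
    src: str
    sport: int  # 0 = ephemeral, picked by the initiator
    dst: str
    dport: int


def data_connection_for(client_ip, server_ip, control_line):
    """Map one control-channel line to the data connection it triggers, or None."""
    line = control_line.strip()
    if line.startswith("PORT "):
        host, port = parse_port_command(line)
        # Active mode: the *server* initiates, from port 20, into the client's port.
        return DataConnection(server_ip, 20, host, port)
    if line.startswith("227 "):
        host, port = parse_pasv_reply(line)
        # Passive mode: the *client* initiates, to the port the server announced.
        return DataConnection(client_ip, 0, host, port)
    return None  # other control traffic opens no data channel


def strict_filter_allows(conn):
    """Stateless strict policy: new TCP connections are allowed only inside -> outside."""
    return conn.src.startswith(INTERNAL_NET) and not conn.dst.startswith(INTERNAL_NET)


def evaluate_session(control_lines, client_ip=CLIENT_IP, server_ip=SERVER_IP):
    """Return (line, allowed) for every control line that opens a data channel."""
    results = []
    for line in control_lines:
        conn = data_connection_for(client_ip, server_ip, line)
        if conn is not None:
            results.append((line.strip(), strict_filter_allows(conn)))
    return results


# Constructed control-channel transcript: one active transfer, then one passive one.
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,168,1,10,4,1",            # client offers 192.168.1.10:1025 (4*256+1)
    "LIST",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80)",  # server offers :50000
    "LIST",
]

if __name__ == "__main__":
    for line, allowed in evaluate_session(SAMPLE_SESSION):
        print(f"{'ALLOW' if allowed else 'DENY '}  {line}")
```

Run as a script it shows the active-mode transfer being denied (the server's SYN from port 20 arrives inbound to an internal host) and the passive-mode transfer being allowed (the client's SYN leaves outbound). The policy here is deliberately stateless, which is exactly why active mode cannot work behind it; a proxy on the gateway, as Dean proposes, or a filter that tracks the control channel are the usual ways to reconcile strict filtering with clients that lack PASV.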
