From: Ralph Huntington
To: Krzysztof Zaraska
Cc: Bart Matthaei, freebsd-security@freebsd.org
Subject: Re: best firewall option for FreeBSD
Date: Wed, 27 Feb 2002 13:16:08 -0500 (EST)
In-Reply-To: <20020227171535.5a55cee3.kzaraska@student.uci.agh.edu.pl>
Message-ID: <20020227130641.Y62593-100000@mohegan.mohawk.net>

> > I know that Linux has a fix for this issue. There's FTP
> > masquerading support in the kernel. BSD hasn't got such a thing as far
> > as I know.
>
> This can be done with IPFilter (ipf) using ipnat. I have a working
> firewall with that :)

So do I. This works fine with ipf. In fact, here it is. (Change de0 to
match your public interface and, of course, change the IP addresses to
suit your situation. These are fake addresses. You may also wish to be
more restrictive; this is merely a working example.)
From /etc/ipf.rules, right after the first two in and out rules:

    # Allow traffic originating from inside to receive replies #
    pass out quick proto tcp/udp from any to any keep state
    pass in quick on de0 proto tcp from any port = ftp-data to any

and all three lines of /etc/ipnat.rules:

    map de0 10.0.0.0/8 -> 12.34.56.78/32
    map de0 10.0.0.0/8 -> 12.34.56.78/32 proxy port 21 ftp/tcp
    map de0 10.0.0.0/8 -> 12.34.56.78/32 portmap tcp/udp 1025:65000
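ipnat applies the first map rule that matches a packet, so the order of the three ipnat.rules lines decides whether the FTP proxy ever sees outbound control connections. The following is an added model of that selection (not code from the post or from IPFilter); it parses only the three rule forms used above, and the rule sets and packet samples are constructed for the demonstration.

```python
"""Model of ipnat(5) map-rule selection: the first matching rule wins.
Added example, not from the original post; handles only the rule forms
used above (plain map, 'proxy port N ftp/tcp', 'portmap tcp/udp LO:HI')."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+proxy\s+port\s+(?P<pport>\S+)\s+(?P<proxy>\w+)/tcp)?"
    r"(?:\s+portmap\s+(?P<pmproto>\S+)\s+(?P<lo>\d+):(?P<hi>\d+))?$"
)
SERVICES = {"ftp": 21}  # minimal /etc/services lookup for this example

def parse_ipnat(text):
    """Parse ipnat.rules text into a list of rule dicts, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ipnat rule: {line}")
        r = m.groupdict()
        r["src"] = ipaddress.ip_network(r["src"], strict=False)
        if r["pport"]:
            r["pport"] = SERVICES.get(r["pport"]) or int(r["pport"])
        rules.append(r)
    return rules

def translation_kind(rules, iface, src_ip, proto, dport=None):
    """'proxy', 'portmap' or 'plain' for the first rule matching an outbound
    packet; None when no map rule applies (packet leaves untranslated)."""
    for r in rules:
        if r["iface"] != iface or ipaddress.ip_address(src_ip) not in r["src"]:
            continue
        if r["proxy"]:                      # proxy rules match one TCP port
            if proto == "tcp" and dport == r["pport"]:
                return "proxy"
            continue
        if r["pmproto"]:                    # portmap covers tcp and/or udp
            if proto in r["pmproto"].split("/"):
                return "portmap"
            continue
        return "plain"                      # unqualified map matches everything
    return None

# Constructed rule sets: the order from the post, and the proxy rule first.
POSTED = """map de0 10.0.0.0/8 -> 12.34.56.78/32
map de0 10.0.0.0/8 -> 12.34.56.78/32 proxy port 21 ftp/tcp
map de0 10.0.0.0/8 -> 12.34.56.78/32 portmap tcp/udp 1025:65000
"""
PROXY_FIRST = "\n".join(POSTED.splitlines()[1:] + POSTED.splitlines()[:1])
```

With the posted order, an outbound connection from 10.1.2.3 to TCP port 21 is handled by the first, unqualified map rule and never reaches the proxy; with the proxy rule listed first it does.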