Date: Wed, 27 Feb 2002 13:16:08 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc: Bart Matthaei <bart@dreamflow.nl>, <sumirati@yahoo.de>, <security@FreeBSD.ORG>
Subject: Re: best firewall option for FreeBSD
Message-ID: <20020227130641.Y62593-100000@mohegan.mohawk.net>
In-Reply-To: <20020227171535.5a55cee3.kzaraska@student.uci.agh.edu.pl>
> > I know that linux has a fix for this issue. There's FTP
> > masquerading support in the kernel. BSD hasn't got such a thing as far
> > as I know.
>
> This can be done with IPFilter (ipf) using ipnat. I have a working
> firewall with that :)

So do I. This works fine with ipf. In fact, here it is. (Change de0 to
match your public interface and, of course, change the IP addresses to
suit your situation. These are fake addresses. You may also wish to be
more restrictive; this is merely a working example.)

From /etc/ipf.rules, right after the first two in and out rules:

  # Allow traffic originating from inside to receive replies
  #
  pass out quick proto tcp/udp from any to any keep state
  # Allow active-mode FTP data connections, which the remote server
  # opens back towards the client from its port 20 (ftp-data)
  pass in quick on de0 proto tcp from any port = ftp-data to any

And all three lines of /etc/ipnat.rules:

  # ipnat applies the first matching map rule, so the ftp proxy and the
  # portmap rule must precede the generic map rule or they are never used
  map de0 10.0.0.0/8 -> 12.34.56.78/32 proxy port 21 ftp/tcp
  map de0 10.0.0.0/8 -> 12.34.56.78/32 portmap tcp/udp 1025:65000
  map de0 10.0.0.0/8 -> 12.34.56.78/32
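Because ipnat takes the first map rule that matches, a generic map rule listed ahead of the ftp proxy or portmap rule for the same interface and source network silently hides them, and FTP through the NAT then breaks without any error. The following linter is an added example, not code from the message or from IPFilter; it parses an ipnat.rules file and reports qualified rules made unreachable by an earlier generic rule, using a constructed rule set modelled on the three lines above.

```python
import re

# Matches the "map <iface> <src> -> <dst>" prefix of an ipnat map rule; whatever
# follows (proxy ..., portmap ...) is kept as the rule's qualifier.
_MAP_RE = re.compile(
    r"^\s*map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s*(?P<rest>.*)$"
)


def parse_ipnat(text):
    """Return (iface, src, dst, qualifier) for each map rule, in file order.
    Comments and blank lines are skipped; rdr/bimap rules are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _MAP_RE.match(line)
        if m:
            rules.append((m["iface"], m["src"], m["dst"], m["rest"].strip()))
    return rules


def shadowed_rules(text):
    """Return the qualified (proxy/portmap) map rules that can never match
    because an earlier generic map rule covers the same iface and source."""
    rules = parse_ipnat(text)
    shadowed = []
    for i, (iface, src, dst, qual) in enumerate(rules):
        if not qual:
            continue  # a generic rule is the shadowing side, not the victim
        for p_iface, p_src, _p_dst, p_qual in rules[:i]:
            if p_iface == iface and p_src == src and not p_qual:
                shadowed.append(f"map {iface} {src} -> {dst} {qual}")
                break
    return shadowed


# Constructed sample: the generic map rule placed first (broken ordering).
BROKEN_ORDER = """\
map de0 10.0.0.0/8 -> 12.34.56.78/32
map de0 10.0.0.0/8 -> 12.34.56.78/32 proxy port 21 ftp/tcp
map de0 10.0.0.0/8 -> 12.34.56.78/32 portmap tcp/udp 1025:65000
"""

# Same rules with the proxy and portmap lines ahead of the generic map.
FIXED_ORDER = "\n".join(reversed(BROKEN_ORDER.strip().splitlines())) + "\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "unreachable:", shadowed_rules(cfg) or "none")
```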