From owner-freebsd-security  Mon Nov 26  7:32: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (law2-f68.hotmail.com [216.32.181.68])
	by hub.freebsd.org (Postfix) with ESMTP id 668DF37B416
	for <security@freebsd.org>; Mon, 26 Nov 2001 07:32:05 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Mon, 26 Nov 2001 07:32:05 -0800
Received: from 213.84.199.53 by lw2fd.hotmail.msn.com with HTTP;
	Mon, 26 Nov 2001 15:32:05 GMT
X-Originating-IP: [213.84.199.53]
From: "Danny Carroll" <dannycarroll@hotmail.com>
To: security@freebsd.org
Subject: IPFW, natd and an internal FTP server.
Date: Mon, 26 Nov 2001 15:32:05 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <LAW2-F68hvpFaeZPHNu00019f0c@hotmail.com>
X-OriginalArrivalTime: 26 Nov 2001 15:32:05.0106 (UTC) FILETIME=[807B7520:01C1768F]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Hello,

I know this question has been covered before in many different ways, but I 
can't seem to find the solution I am looking for.

Here is my situation.

machine guard is the firewall / natd server on a dedicated internet line.
machine app is the web/ftp server let's say it runs win2k.  This machine is 
on an internal (192.168) network and the firewall's natd diverts web/ftp 
stuff almost brilliantly.

The firewall works fine for active FTP (server initiated data connections).

If I configure my FTP server to use passive ports in a limited range and 
allow those ports specifically then all is well.

But I want to be a little more secure.  So I tried using punch_fw to add the 
rules dynamically.  I figured if it works for active clients, it must work 
for passive servers?

Am I wrong in this assumption or have I screwed something up?
Also, will I see the rules inserted into the ipfw list or are they hidden 
for some reason?

Thanks in advance.
-D


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message