Date: Mon, 26 Nov 2001 20:22:25 +0200 (EET)
From: Ruslan Ermilov <ru@sunbay.com>
To: Danny Carroll
Cc: security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Message-ID: <20011126202225.A38902@sunbay.com>
List: freebsd-security@FreeBSD.ORG

On Mon, Nov 26, 2001 at 05:02:27PM +0000, Danny Carroll wrote:
> >> rules dynamically. I figured if it works for active clients, it must work
> >> for passive servers?
> >
> > Yes.
>
> No.... At least it doesn't for me.
>
> >> Am I wrong in this assumption or have I screwed something up?
> >
> > So, you tried it and it did not work? What's the FreeBSD version?
>
> Yes, I tried it and it failed... But I then tried active FTP out and I
> could clearly see two wonderful new rules created right where I wanted them.
>
> I'm using FreeBSD 4.4-RELEASE straight from the ISO.
>
> I can send the firewall rules but since punch_fw is working as an active
> client, there is nothing there that would affect it. I mean it's making
> the control connection fine...

Doh, you're right! We don't currently punch firewall holes for 227/229 FTP
server replies, for no apparent reason. Could you please try the attached
patch? It worked for me, both for the PASV and EPSV modes with an FTP server
running on a NAT box. You'll have to recompile both lib/libalias and
sbin/natd, in that order.
Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --KsGdsel6WgEHnImy Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Index: alias_ftp.c =================================================================== RCS file: /home/ncvs/src/lib/libalias/alias_ftp.c,v retrieving revision 1.16 diff -u -p -r1.16 alias_ftp.c --- alias_ftp.c 2001/11/03 11:34:09 1.16 +++ alias_ftp.c 2001/11/26 18:18:59 @@ -483,11 +483,8 @@ NewFtpMessage(struct ip *pip, struct tcphdr *tc; #ifndef NO_FW_PUNCH - if (ftp_message_type == FTP_PORT_COMMAND || - ftp_message_type == FTP_EPRT_COMMAND) { - /* Punch hole in firewall */ - PunchFWHole(ftp_link); - } + /* Punch hole in firewall */ + PunchFWHole(ftp_link); #endif /* Calculate data length of TCP packet */ --KsGdsel6WgEHnImy-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
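Review bot: in the NewFtpMessage hunk, deleting the `ftp_message_type == FTP_PORT_COMMAND || ftp_message_type == FTP_EPRT_COMMAND` guard makes `PunchFWHole(ftp_link)` unconditional for every message type that reaches this point, not just the 227/229 server replies the thread is about; unless every type that gets here already has a fully populated data-channel link in `ftp_link`, it is safer to extend the condition to the two reply types than to remove it. The surviving comment `/* Punch hole in firewall */` should also say that the hole is now punched for both client PORT/EPRT commands and server PASV/EPSV replies, since that is the whole point of the change and nothing in the code records it.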
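The bug discussed above is that the NAT FTP helper only learned data-connection endpoints from the client's PORT/EPRT commands and ignored the server's 227/229 replies. The block below is an added example, not FreeBSD libalias or natd code: it parses all four messages (formats per RFC 959 and RFC 2428), applies the ownership check a hole-punching ALG must make before trusting an address carried in the control channel, and renders an illustrative ipfw-style rule. The sample lines, the rule wording, and the function names are constructed for the example; natd's real rule layout is not reproduced here.

```c
/* Added example (not FreeBSD libalias/natd code): control-channel parsing an
 * FTP ALG needs before it can punch a firewall hole for the data connection.
 * PORT/227 follow RFC 959, EPRT/229 follow RFC 2428. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum ftp_msg { FTP_NONE, FTP_PORT_CMD, FTP_EPRT_CMD, FTP_PASV_REPLY, FTP_EPSV_REPLY };

struct ftp_endpoint {
    enum ftp_msg type;
    char host[46];       /* textual IPv4/IPv6; empty for EPSV, which carries only a port */
    unsigned port;
    int server_listens;  /* 1 for 227/229 (client connects in), 0 for PORT/EPRT */
};

/* "h1,h2,h3,h4,p1,p2" -> host and port. Returns 0 on malformed input. */
static int parse_hostport_csv(const char *s, struct ftp_endpoint *ep)
{
    unsigned v[6];
    for (int n = 0; n < 6; n++) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return 0;
        v[n] = (unsigned)strtoul(s, &end, 10);
        if (v[n] > 255)
            return 0;
        s = end;
        if (n < 5 && *s++ != ',')
            return 0;
    }
    snprintf(ep->host, sizeof ep->host, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    ep->port = v[4] * 256 + v[5];
    return ep->port != 0;
}

/* "<d>proto<d>addr<d>port<d>" (EPRT) or "<d><d><d>port<d>" (EPSV); RFC 2428
 * allows any delimiter in ASCII 33..126, '|' being the usual choice. */
static int parse_extended(const char *s, struct ftp_endpoint *ep)
{
    char d = s[0];
    const char *field[3], *p = s + 1;
    size_t len[3];
    char *end;
    unsigned long port;

    if (d < 33 || d > 126)
        return 0;
    for (int i = 0; i < 3; i++) {
        const char *q = strchr(p, d);
        if (q == NULL)
            return 0;
        field[i] = p;
        len[i] = (size_t)(q - p);
        p = q + 1;
    }
    if (len[1] >= sizeof ep->host)
        return 0;
    memcpy(ep->host, field[1], len[1]);
    ep->host[len[1]] = '\0';
    port = strtoul(field[2], &end, 10);
    if (end != field[2] + len[2] || port == 0 || port > 65535)
        return 0;
    ep->port = (unsigned)port;
    return 1;
}

/* Classify one control-channel line from either direction and extract the data
 * endpoint. Returns 0 (and ep->type == FTP_NONE) for anything else or malformed.
 * 227 text varies between servers, so the parser skips to the first digit. */
int ftp_alg_parse(const char *line, struct ftp_endpoint *ep)
{
    int ok = 0;
    memset(ep, 0, sizeof *ep);
    if (strncasecmp(line, "PORT ", 5) == 0) {
        ep->type = FTP_PORT_CMD;
        ok = parse_hostport_csv(line + 5, ep);
    } else if (strncasecmp(line, "EPRT ", 5) == 0) {
        ep->type = FTP_EPRT_CMD;
        ok = parse_extended(line + 5, ep);
    } else if (strncmp(line, "227 ", 4) == 0) {
        const char *p = line + 4;
        while (*p != '\0' && !isdigit((unsigned char)*p))
            p++;
        ep->type = FTP_PASV_REPLY;
        ep->server_listens = 1;
        ok = parse_hostport_csv(p, ep);
    } else if (strncmp(line, "229 ", 4) == 0) {
        const char *p = strchr(line + 4, '(');
        ep->type = FTP_EPSV_REPLY;
        ep->server_listens = 1;
        ok = p != NULL && parse_extended(p + 1, ep);
    }
    if (!ok)
        memset(ep, 0, sizeof *ep);
    return ok;
}

/* Ownership check before punching: the address in the message must belong to
 * the peer that sent it (client for PORT/EPRT, server for 227), or a client can
 * open holes toward third-party hosts. EPSV names no address and implies the
 * server's control-channel address, so an empty host is accepted. */
int ftp_endpoint_trusted(const struct ftp_endpoint *ep, const char *ctl_client, const char *ctl_server)
{
    const char *owner = ep->server_listens ? ctl_server : ctl_client;
    return ep->type != FTP_NONE && (ep->host[0] == '\0' || strcmp(ep->host, owner) == 0);
}

/* Illustrative ipfw-style rule for the data connection (not natd's actual rule). */
int ftp_hole_rule(const struct ftp_endpoint *ep, const char *ctl_client,
                  const char *ctl_server, char *buf, size_t n)
{
    const char *listener = ep->host[0] ? ep->host : (ep->server_listens ? ctl_server : ctl_client);
    const char *connector = ep->server_listens ? ctl_client : ctl_server;
    return snprintf(buf, n, "allow tcp from %s to %s %u setup", connector, listener, ep->port);
}
```

Run it over a captured control-channel log (constructed lines such as `PORT 10,0,0,5,4,1` from the client and `227 Entering Passive Mode (192,168,1,10,19,137)` from the server) with the control-channel peers as `ctl_client`/`ctl_server`; a helper that only handles the first two branches of `ftp_alg_parse` reproduces exactly the symptom in this thread, where active mode punches rules and passive mode punches nothing.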