Date:      Thu, 22 Mar 2001 12:32:17 +0200
From:      "Patrick O'Reilly" <patrick@mip.co.za>
To:        "Daniel Hagan" <dhagan@colltech.com>
Cc:        <freebsd-ipfw@FreeBSD.ORG>
Subject:   RE: freebsd 4.2 ipfw natd
Message-ID:  <NDBBIMKICMDGDMNOOCAIMEPDCEAA.patrick@mip.co.za>
In-Reply-To: <3AB9CFC4.11018F6E@colltech.com>

Oooops!

I was not paying attention, was I?

The first example does allow FTP both ways!  A better example would be:
--------------
 # FTP - Allow access from our LAN to External FTP servers
 # control channel: LAN client -> external server, port 21 (SYN only)
 ${fwcmd} add pass tcp from z.z.z.z/24 to any        21         setup
 # active-mode data channel: external server port 20 -> LAN client's high port
 ${fwcmd} add pass tcp from any 20     to z.z.z.z/24 1024-65535 setup
--------------
where z.z.z.z/24 is your LAN's network IP and Netmask.  (The z.z.z.z also
suitably representing my prior state of mind :)

Daniel's points re FTP and security are entirely valid too.  FTP is known to
be somewhat flaky on the security front.  A Proxy would be best (I have not
done that before), else make sure the FTP server is dedicated to that task
and isolated from the rest of your network so that if it is cracked the
damage is contained.

Personally, we use a dedicated FTP server in our DMZ to achieve this goal
(Isolated from the LAN, and contained to the server if it gets cracked).

Thanks for the wake-up call Daniel :)

Patrick.


-----Original Message-----
From: Daniel Hagan [mailto:dhagan@colltech.com]
Sent: 22 March 2001 12:11
To: Patrick O'Reilly
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: freebsd 4.2 ipfw natd


Patrick O'Reilly wrote:
> ------------------
> # FTP - Allow access from our LAN to External FTP servers
> ${fwcmd} add pass tcp from any    to any 21         setup
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup

This would make the firewall transparent to ftp sessions in _both_
directions, not just from your lan out.

> # FTP - Allow access from the net to our FTP server
> # control channel: any client -> our server's port 21 (SYN only)
> ${fwcmd} add pass tcp from any        to x.x.x.x 21     setup
> # active-mode data channel: our server's port 20 -> client's high port
> ${fwcmd} add pass tcp from x.x.x.x 20 to any 1024-65535 setup

FTP is a crappy protocol to packet filter.  I'm not familiar with the
issues involved, but I believe proxy servers located in a DMZ (or
integrated into the firewall) are a much better solution than packet
filters.

Sorry I can't give you a more detailed explanation.

Daniel


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
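To make Daniel's point concrete, here is an added example (not code from either message, and not an ipfw implementation): a small first-match model of the quoted `pass tcp ... setup` rules. It parses only the rule syntax used in the thread, uses RFC 5737 addresses as stand-ins for z.z.z.z/24 and x.x.x.x, and assumes ipfw's default final rule is deny. It evaluates both of Patrick's rule sets against constructed SYN packets: the original `any`/`any` pair passes an inbound connection to port 21 on a LAN host, the corrected pair does not, and both still pass a SYN from any external host that simply uses source port 20.

```python
"""Toy first-match model of the ipfw 'pass tcp ... setup' rules in the thread.

Added example, not code from the original e-mail. It handles only the syntax
the quoted rules use: 'tcp', 'from'/'to' with 'any' or address[/prefix], an
optional port or lo-hi port range after each address, and the 'setup' keyword
(match only packets with SYN set and ACK clear). The closing default-deny
rule is an assumption (it is ipfw's default unless the kernel was built
with IPFIREWALL_DEFAULT_TO_ACCEPT).
"""
import ipaddress
from dataclasses import dataclass

LAN = "192.0.2.0/24"            # hypothetical stand-in for z.z.z.z/24
EXT_FTP_SERVER = "203.0.113.5"  # hypothetical external FTP server
ATTACKER = "203.0.113.77"       # hypothetical hostile external host
LAN_CLIENT = "192.0.2.20"       # hypothetical host inside the LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True   # the setup keyword only matches SYN-without-ACK
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "deny"
    src: str         # "any" or address[/prefix]
    sports: tuple    # (lo, hi) or None for any source port
    dst: str
    dports: tuple    # (lo, hi) or None for any destination port
    setup: bool


def _ports(tok):
    """'21' -> (21, 21); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)


def parse_rule(text):
    """Parse the rule body that follows '${fwcmd} add' in the thread."""
    tok = text.split()
    if tok[1] != "tcp" or tok[2] != "from":
        raise ValueError("only 'pass|deny tcp from ...' rules are modelled: " + text)
    i = 3
    src, i = tok[i], i + 1
    sports = None
    if tok[i] != "to":               # optional source port(s) before 'to'
        sports, i = _ports(tok[i]), i + 1
    i += 1                           # skip 'to'
    dst, i = tok[i], i + 1
    dports = None
    if i < len(tok) and tok[i] != "setup":
        dports, i = _ports(tok[i]), i + 1
    setup = i < len(tok) and tok[i] == "setup"
    return Rule(tok[0], src, sports, dst, dports, setup)


def _addr_match(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    return (_addr_match(rule.src, pkt.src) and _port_match(rule.sports, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dports, pkt.dport))


def verdict(rules, pkt):
    """First matching rule wins; fall through to the assumed default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Patrick's first (too permissive) rule set, as quoted by Daniel.
ORIGINAL = [parse_rule(r) for r in (
    "pass tcp from any to any 21 setup",
    "pass tcp from any 20 to any 1024-65535 setup",
)]
# Patrick's corrected rule set, with LAN in place of z.z.z.z/24.
CORRECTED = [parse_rule(r) for r in (
    f"pass tcp from {LAN} to any 21 setup",
    f"pass tcp from any 20 to {LAN} 1024-65535 setup",
)]

# Constructed SYN packets (not captured traffic).
LAN_TO_EXT_CONTROL = Packet(LAN_CLIENT, 40000, EXT_FTP_SERVER, 21)    # intended use
ACTIVE_DATA_INBOUND = Packet(EXT_FTP_SERVER, 20, LAN_CLIENT, 40001)   # intended use
EXT_TO_LAN_CONTROL = Packet(ATTACKER, 33000, LAN_CLIENT, 21)          # Daniel's point
SRCPORT20_PROBE = Packet(ATTACKER, 20, LAN_CLIENT, 8080)              # active-FTP hole


def audit():
    """Verdict of each rule set for each constructed packet."""
    cases = {"lan->ext ctl": LAN_TO_EXT_CONTROL, "ext:20->lan data": ACTIVE_DATA_INBOUND,
             "ext->lan ctl": EXT_TO_LAN_CONTROL, "ext:20->lan 8080": SRCPORT20_PROBE}
    return {name: (verdict(ORIGINAL, p), verdict(CORRECTED, p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (orig, fixed) in audit().items():
        print(f"{name:18} original={orig:5} corrected={fixed}")
```

The last row is the part worth noticing: the corrected rules close the inbound control-channel hole Daniel pointed out, but the active-mode data rule still admits a SYN from any external host that chooses source port 20 to any port above 1023 on any LAN host. A stateless packet filter has no way to tie that rule to an FTP session that actually requested the transfer, which is the weakness behind the proxy recommendation in the thread.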




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NDBBIMKICMDGDMNOOCAIMEPDCEAA.patrick>