Date:      Fri, 16 Nov 2001 14:47:02 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Konstantin <skif_dk@mail.ru>
Cc:        Chris Knight <chris@aims.com.au>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Stateful Rules and FTP
Message-ID:  <20011116144702.E50971@blossom.cjclark.org>
In-Reply-To: <7526380550.20011116202407@mail.ru>; from skif_dk@mail.ru on Fri, Nov 16, 2001 at 08:24:07PM +0300
References:  <00bb01c16e78$37d102a0$020aa8c0@aims.private> <7526380550.20011116202407@mail.ru>

On Fri, Nov 16, 2001 at 08:24:07PM +0300, Konstantin wrote:
> Friday, November 16, 2001, 11:25:13 AM, you wrote:
> 
> CK> I'm running 4.4-stable on a box with 3 interfaces: ed0, ed1 and ed2.
> CK> ed0 is the external interface.
> CK> ed1 is the DMZ interface.
> CK> ed2 is the internal interface.
> 
> CK> I want a select group of machines in the DMZ to be able to FTP, and only
> CK> FTP, to a machine on the internal network to retrieve an installation image
> CK> and packages. I've found the only way I can get passive FTP going is with
> CK> the following rule:
> 
> CK> add pass tcp from <dmz subnet> to <internal ip> keep-state in recv ed1 setup
> 
> Change this string for FTP
>  add pass tcp from <dmz subnet> to <internal ip> 21 keep-state in recv ed1 setup
>  add pass tcp from <internal ip> 20 to <dmz subnet> keep-state in recv ed1 setup

I think you forgot to add that you need to switch to "active" FTP for
these rules to work. But realize these rules open you up to other
security issues. An FTP proxy would really be the way to go.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
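The two rule sets discussed in this thread, run through a small Python model of ipfw `setup` and `keep-state` matching. This is an added example, not code from the thread or from FreeBSD: the addresses stand in for `<dmz subnet>` and `<internal ip>`, the client ports 40001/40002 and the PASV port 49152 are constructed, and the model ignores interfaces (`in recv ed1`), timeouts and anything but TCP. It shows why Chris Knight's original rule only works with passive FTP, why Konstantin's port-21/port-20 pair only works with active FTP, and what Crist's caveat refers to: the second rule admits any connection the internal host opens into the DMZ from source port 20, whether or not an FTP session exists.

```python
"""Toy model of ipfw 'setup' + 'keep-state' matching.  Added example, not code
from the thread: the addresses below stand in for <dmz subnet> and
<internal ip>, ports 40001/40002/49152 are constructed, and the model ignores
interfaces ('in recv ed1'), timeouts and everything but TCP."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DMZ = ip_network("192.0.2.0/24")            # stand-in for <dmz subnet>
INTERNAL = ip_network("198.51.100.10/32")   # stand-in for <internal ip>
DMZ_HOST, INTERNAL_IP = "192.0.2.7", "198.51.100.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True   # True = connection-opening SYN, what ipfw 'setup' matches


@dataclass(frozen=True)
class Rule:
    """'add pass tcp from SRC [SPORT] to DST [DPORT] keep-state setup'."""
    src: object            # ip_network
    sport: Optional[int]   # None = any port
    dst: object
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # dynamic entries created by keep-state

    def check(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.state or reverse in self.state:
            return "pass/state"              # either direction of a known flow
        for n, r in enumerate(self.rules, 1):
            if p.syn and r.matches(p):        # 'setup' only matches the SYN
                self.state.add(flow)
                return f"pass/rule{n}"
        return "deny"                         # nothing else matched


# Chris Knight's original rule: any TCP from the DMZ to the internal host.
ORIGINAL = [Rule(DMZ, None, INTERNAL, None)]
# Konstantin's replacement pair: control to port 21, data back from port 20.
RESTRICTED = [Rule(DMZ, None, INTERNAL, 21), Rule(INTERNAL, 20, DMZ, None)]


def ftp_session(fw: Firewall, passive: bool):
    """Return verdicts for (control SYN, control reply, data SYN)."""
    ctl = fw.check(Packet(DMZ_HOST, 40001, INTERNAL_IP, 21))
    reply = fw.check(Packet(INTERNAL_IP, 21, DMZ_HOST, 40001, syn=False))
    if passive:   # client opens the data connection to the server's PASV port
        data = fw.check(Packet(DMZ_HOST, 40002, INTERNAL_IP, 49152))
    else:         # active: server opens the data connection from port 20
        data = fw.check(Packet(INTERNAL_IP, 20, DMZ_HOST, 40002))
    return ctl, reply, data


def side_effects(fw: Firewall):
    """What else the rule set admits: DMZ->internal SSH, and any connection
    the internal host opens into the DMZ as long as its source port is 20."""
    return (fw.check(Packet(DMZ_HOST, 40003, INTERNAL_IP, 22)),
            fw.check(Packet(INTERNAL_IP, 20, DMZ_HOST, 22)))


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("restricted", RESTRICTED)):
        for mode in (True, False):
            label = "passive" if mode else "active"
            print(name, label, ftp_session(Firewall(rules), mode))
        print(name, "side effects", side_effects(Firewall(rules)))
```

With the original rule the passive data connection is just another DMZ-to-internal SYN and passes, but so does anything else from the DMZ to that host; with the restricted pair the passive data connection has no matching rule, the active one passes via rule 2, and rule 2 also passes an internal-to-DMZ connection on port 22 as long as the source port is 20. An FTP proxy, as Crist suggests, avoids tying the data channel to a fixed-port rule at all.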
