Date: Sat, 17 Nov 2001 12:02:59 +1100
From: "Chris Knight" <chris@aims.com.au>
To: <cjclark@alum.mit.edu>, "'Konstantin'" <skif_dk@mail.ru>
Cc: <freebsd-ipfw@FreeBSD.ORG>
Subject: RE: Stateful Rules and FTP
Message-ID: <00fa01c16f03$9a8bc200$020aa8c0@aims.private>
In-Reply-To: <20011116144702.E50971@blossom.cjclark.org>
Howdy,

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Saturday, 17 November 2001 9:47
> To: Konstantin
> Cc: Chris Knight; freebsd-ipfw@FreeBSD.ORG
> Subject: Re: Stateful Rules and FTP
>
> On Fri, Nov 16, 2001 at 08:24:07PM +0300, Konstantin wrote:
> > [snip]
> > Change this string for FTP
> > add pass tcp from <dmz subnet> to <internal ip> 21
> > keep-state in recv ed1 setup
> > add pass tcp from <internal ip> 20 to <dmz subnet>
> > keep-state in recv ed1 setup
>

This is essentially what I did, but ensuring that the inbound ftp control
connection came in over the DMZ i/f and out the internal i/f. The ftp data
connection was checked coming in from the internal i/f and out the DMZ i/f,
i.e.:

add pass tcp from <dmz subnet> to <internal ip> 21 keep-state out recv ed1 xmit ed2 setup
add pass tcp from <internal ip> 20 to <dmz subnet> keep-state out recv ed2 xmit ed1 setup

> I think you forgot to add that you need to switch to "active" FTP for
> these rules to work. But realize these rules open you up to other
> security issues. An FTP proxy would really be the way to go.

I realised that it was active FTP. I can see with the above rules that a
bounce attack could occur against any of the DMZ machines, but I can't think
of other security issues, unless I stuff up the config of the internal FTP
server. I'll look at the FTP install via HTTP proxy method; this should tidy
things up a bit.

Thanks for everyone's help.

> --
> [snip]

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.aims.com.au

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
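The following is an added illustration of the point made in this exchange; it is not code from the thread or from FreeBSD. It models the two ipfw rules above as predicates and walks one active-mode transfer: the DMZ client sends PORT on the control connection, and the internal server then opens the data connection from port 20 to whatever address PORT announced. Because the second rule only checks "from <internal ip> 20 to <dmz subnet>", it passes that data connection no matter which DMZ host or port was announced, which is exactly the bounce the reply worries about; the PORT validation an application-level FTP proxy performs (announced address must equal the control-connection peer, port must be unprivileged) is what closes it. The addresses (DMZ 192.0.2.0/24, internal FTP server 192.168.10.5) and both PORT commands are constructed for the example.

```python
"""Model of the two keep-state rules from the thread, plus the PORT check an
FTP proxy adds. Constructed example; addresses are assumptions, not from the
thread: DMZ is 192.0.2.0/24 and the internal FTP server is 192.168.10.5."""
import ipaddress
import re

DMZ_SUBNET = ipaddress.ip_network("192.0.2.0/24")    # assumed <dmz subnet>
INTERNAL_FTP = ipaddress.ip_address("192.168.10.5")  # assumed <internal ip>

_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port(cmd):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); ValueError if malformed."""
    m = _PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % cmd)
    h1, h2, h3, h4, p1, p2 = fields
    return ipaddress.ip_address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def control_rule_allows(src, dst, dport):
    """add pass tcp from <dmz subnet> to <internal ip> 21 keep-state ... setup"""
    return src in DMZ_SUBNET and dst == INTERNAL_FTP and dport == 21


def data_rule_allows(src, sport, dst):
    """add pass tcp from <internal ip> 20 to <dmz subnet> keep-state ... setup

    Only the server side (internal ip, port 20) and the destination subnet are
    constrained. Which DMZ host, and which port on it, is invisible to the
    packet filter because it never reads the PORT command on the control channel.
    """
    return src == INTERNAL_FTP and sport == 20 and dst in DMZ_SUBNET


def proxy_accepts_port(control_peer, cmd):
    """The check an application-level FTP proxy makes on PORT: the announced
    address must be the control-connection peer and the port unprivileged.
    Returns (accepted, reason)."""
    ip, port = parse_port(cmd)
    if ip != control_peer:
        return False, "PORT address %s != control peer %s (bounce)" % (ip, control_peer)
    if port < 1024:
        return False, "PORT targets privileged port %d" % port
    return True, "ok"


def active_transfer(control_peer, cmd):
    """Walk one active-mode transfer and report what the ipfw data rule and a
    proxy would each do with the resulting data connection from <internal ip>:20."""
    control_peer = ipaddress.ip_address(control_peer)
    target_ip, target_port = parse_port(cmd)
    return {
        "data_target": (str(target_ip), target_port),
        "ipfw_allows": data_rule_allows(INTERNAL_FTP, 20, target_ip),
        "proxy_accepts": proxy_accepts_port(control_peer, cmd)[0],
    }


if __name__ == "__main__":
    # Normal active transfer: the DMZ host announces its own address, port 1025.
    print(active_transfer("192.0.2.10", "PORT 192,0,2,10,4,1"))
    # Bounce attempt: the DMZ host announces another DMZ host's SMTP port.
    # The keep-state data rule still passes it; only the proxy check refuses.
    print(active_transfer("192.0.2.10", "PORT 192,0,2,25,0,25"))
```

Run it as a script to see both verdicts side by side. The two rule predicates mirror only the address and port matching of the ipfw rules; the `in`/`out`, `recv`/`xmit` interface qualifiers and the dynamic-state bookkeeping are not modelled, since they do not change which DMZ host the data connection may reach.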