Date:      Sat, 17 Nov 2001 12:02:59 +1100
From:      "Chris Knight" <chris@aims.com.au>
To:        <cjclark@alum.mit.edu>, "'Konstantin'" <skif_dk@mail.ru>
Cc:        <freebsd-ipfw@FreeBSD.ORG>
Subject:   RE: Stateful Rules and FTP
Message-ID:  <00fa01c16f03$9a8bc200$020aa8c0@aims.private>
In-Reply-To: <20011116144702.E50971@blossom.cjclark.org>

Howdy,

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Saturday, 17 November 2001 9:47
> To: Konstantin
> Cc: Chris Knight; freebsd-ipfw@FreeBSD.ORG
> Subject: Re: Stateful Rules and FTP
>
> On Fri, Nov 16, 2001 at 08:24:07PM +0300, Konstantin wrote:
> > [snip]
> > Change this string for FTP
> >  add pass tcp from <dmz subnet> to <internal ip> 21
> > keep-state in recv ed1 setup
> >  add pass tcp from <internal ip> 20 to <dmz subnet>
> > keep-state in recv ed1 setup
>
This is essentially what I did, but ensuring that the inbound ftp control
connection came in over the DMZ i/f and out the internal i/f. The ftp data
connection was checked coming in from the internal i/f and out the DMZ i/f.
i.e.:

  add pass tcp from <dmz subnet> to <internal ip> 21 keep-state out recv ed1 xmit ed2 setup
  add pass tcp from <internal ip> 20 to <dmz subnet> keep-state out recv ed2 xmit ed1 setup

> I think you forgot to add that you need to switch to "active" FTP for
> these rules to work. But realize these rules open you up to other
> security issues. An FTP proxy would really be the way to go.

I realised that it was active FTP. I can see with the above rules that a
bounce attack could occur against any of the DMZ machines, but I can't think
of other security issues, unless I stuff up the config of the internal FTP
server.
I'll look at the FTP install via HTTP proxy method; this should tidy things
up a bit.
Thanks for everyone's help.

> --
> [snip]

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.aims.com.au
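A small model of how ipfw evaluates the two stateful rules in the message above against an active-mode FTP session, added here as an illustration; it is not code from the thread or from ipfw itself. The addresses and ports are constructed, and check-state/keep-state handling is simplified to a single bidirectional flow table.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for <dmz subnet> and <internal ip>.
DMZ = ip_network("192.168.10.0/24")
FTP = ip_network("192.168.20.5/32")

# The two rules from the post (port None = any). "setup" limits the static
# rule to SYN-only packets; "keep-state" then passes the rest of the flow.
RULES = [
    dict(src=DMZ, sport=None, dst=FTP, dport=21, recv="ed1", xmit="ed2"),
    dict(src=FTP, sport=20, dst=DMZ, dport=None, recv="ed2", xmit="ed1"),
]

def flow_key(p):  # dynamic rules match the endpoints in either direction
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

class Firewall:
    def __init__(self, rules):
        self.rules, self.state = rules, set()
    def allow(self, p):
        if flow_key(p) in self.state:          # check-state hit
            return True
        if not (p["syn"] and not p["ack"]):    # "setup": SYN-only packets
            return False
        for r in self.rules:
            if (p["src"] in r["src"] and p["dst"] in r["dst"]
                    and r["sport"] in (None, p["sport"])
                    and r["dport"] in (None, p["dport"])
                    and (p["recv"], p["xmit"]) == (r["recv"], r["xmit"])):
                self.state.add(flow_key(p))    # keep-state
                return True
        return False

def pkt(src, sport, dst, dport, recv, xmit, ack=False):
    return dict(src=ip_address(src), sport=sport, dst=ip_address(dst),
                dport=dport, recv=recv, xmit=xmit, syn=True, ack=ack)

def ftp_session():
    fw, client, srv = Firewall(RULES), "192.168.10.7", "192.168.20.5"
    return {
        # control: DMZ client -> server:21, received on ed1, sent on ed2
        "control_syn": fw.allow(pkt(client, 40001, srv, 21, "ed1", "ed2")),
        "control_ack": fw.allow(pkt(srv, 21, client, 40001, "ed2", "ed1", ack=True)),
        # active data: server:20 -> client's PORT, received on ed2, sent on ed1
        "data_syn": fw.allow(pkt(srv, 20, client, 40002, "ed2", "ed1")),
        # the same control SYN on the other interface pair is refused
        "wrong_ifaces": fw.allow(pkt(client, 40003, srv, 21, "ed2", "ed1")),
        # the port-20 rule is not tied to a control session: any DMZ host/port
        "port20_any": fw.allow(pkt(srv, 20, "192.168.10.9", 25, "ed2", "ed1")),
    }
```

The last verdict is the gap Crist points at: the data-connection rule is independent of any open control session, so it passes the server's port 20 to the whole DMZ subnet, which is why a proxy is the tidier answer.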
