Date: Fri, 16 Nov 2001 17:10:15 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Chris Knight <chris@aims.com.au>
Cc: "'Konstantin'" <skif_dk@mail.ru>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Stateful Rules and FTP
Message-ID: <20011116171015.G50971@blossom.cjclark.org>
In-Reply-To: <00fa01c16f03$9a8bc200$020aa8c0@aims.private>; from chris@aims.com.au on Sat, Nov 17, 2001 at 12:02:59PM +1100
References: <20011116144702.E50971@blossom.cjclark.org> <00fa01c16f03$9a8bc200$020aa8c0@aims.private>
On Sat, Nov 17, 2001 at 12:02:59PM +1100, Chris Knight wrote:
[snip]
> add pass tcp from <dmz subnet> to <internal ip> 21 keep-state out recv ed1
> xmit ed2 setup
> add pass tcp from <internal ip> 20 to <dmz subnet> keep-state out recv ed2
> xmit ed1 setup
>
> > I think you forgot to add that you need to switch to "active" FTP for
> > these rules to work. But realize these rules open you up to other
> > security issues. An FTP proxy would really be the way to go.
>
> I realised that it was active FTP. I can see with the above rules that a
> bounce attack could occur against any of the DMZ machines, but I can't think
> of other security issues, unless I stuff up the config of the internal FTP
> server.

You can also bounce attack anything inside the firewall.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011116171015.G50971>
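Added example, not part of the original thread or of ipfw: the bounce risk both posters describe exists because an active-mode FTP server connects from port 20 to whatever address and port the client names in its PORT command, and the quoted ipfw rules do nothing to tie that target to the client that issued it. The check below is the one an FTP proxy or a hardened FTP server applies before honouring PORT (as recommended in RFC 2577): the data-connection target must be the control connection's own peer and must not be a privileged port. The addresses (a DMZ client at 192.0.2.10, an internal host at 10.0.0.5) and the sample commands are constructed for illustration; the function names are this example's own.

```python
import ipaddress
import re

# RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

# Constructed sample PORT commands as a DMZ client (192.0.2.10) might send
# them to the internal FTP server over the control connection.
SAMPLE_COMMANDS = [
    "PORT 192,0,2,10,4,1",    # client's own address, port 1025: normal active transfer
    "PORT 192,0,2,10,0,80",   # client's own address, but port 80 (privileged)
    "PORT 10,0,0,5,0,25",     # internal host, port 25: bounce through the server
    "PORT 192,0,2,300,4,1",   # octet out of range
    "PASV",                   # not a PORT command at all
]


def parse_port_command(line):
    """Parse a PORT command into (IPv4Address, port).

    Raises ValueError for anything that is not a well-formed PORT argument,
    so a caller never acts on a target it could not fully parse.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range")
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return host, port


def port_command_is_bounce(line, control_peer):
    """Return True if honouring this PORT would be a bounce.

    Two checks: the data target must be the same host the control
    connection came from, and it must not be a privileged port (< 1024),
    which is what a third-party service such as SMTP would be listening on.
    """
    host, port = parse_port_command(line)
    if host != ipaddress.IPv4Address(control_peer):
        return True
    if port < 1024:
        return True
    return False


def classify_port_commands(lines, control_peer):
    """Label each command 'ok', 'bounce' or 'malformed' for the given peer."""
    results = []
    for line in lines:
        try:
            verdict = "bounce" if port_command_is_bounce(line, control_peer) else "ok"
        except ValueError:
            verdict = "malformed"
        results.append((line, verdict))
    return results


if __name__ == "__main__":
    for cmd, verdict in classify_port_commands(SAMPLE_COMMANDS, "192.0.2.10"):
        print(f"{cmd:28s} -> {verdict}")
```

With the ipfw rules quoted above in place and no such check on the server or a proxy in between, the third sample command is exactly how a DMZ host gets the internal FTP server to open a connection to 10.0.0.5 port 25 on its behalf, which is the "anything inside the firewall" case in the reply.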