From owner-freebsd-security Fri Sep 17 8:44:25 1999
Date: Fri, 17 Sep 1999 10:44:03 -0500
From: Guy Helmer
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: Best way to do FTP with NAT and firewall?
In-Reply-To: <4.2.0.58.19990917090848.04e582e0@localhost>
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, 17 Sep 1999, Brett Glass wrote:

> I've just set up a firewall for a client using ipfw and natd. Trouble
> is, his software seems to be particularly insistent on doing active,
> rather than passive, FTP. This poses a problem, of course, because a
> remote system can't open just data sockets to one behind the firewall
> due to NAT.
>
> I've worked with plenty of commercial firewalls that monitor FTP
> control connections and spoof the port number for the data sockets.
> SLiRP does it; so, apparently, does the pppd that comes with FreeBSD.
> But I can't find any documented way to do it with ipfw and natd.
>
> Are there undocumented commands to accomplish this?

For FTP clients behind the firewall, natd seems automatically to
understand & massage the FTP protocol, since PORT commands work
through it. In my NAT firewall system's /etc/rc.firewall, I have
this line:

    $fwcmd add pass log tcp from any 20 to ${inet}:${imask} 1024-65535 setup

Since this line has the "log" option, I know it is working. Since
this rule is invoked after the TCP SYN packet has been forwarded by
natd, it seems safe...

Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
Teaching Assistant, ComS 652 Distributed Operating Systems
http://www.cs.iastate.edu/~ghelmer
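As an added example (not code from the post or from FreeBSD), the Python model below decodes a client's FTP PORT command, builds the data-connection SYN that natd hands to ipfw after translating the destination back to the internal address, and evaluates it against the rule quoted above; the internal network 192.168.1.0/24 and all addresses are constructed. It also makes the rule's scope visible: any SYN with source port 20 to an internal port in 1024-65535 matches, whether or not a PORT command preceded it, which is the property a defender would want to know when reading that rule.

```python
"""Model of the ipfw rule 'pass tcp from any 20 to ${inet}:${imask}
1024-65535 setup' as applied to active-FTP data connections.
Added example; ${inet}:${imask} is assumed to be 192.168.1.0/24 (constructed)."""
import ipaddress
from dataclasses import dataclass

INET = ipaddress.ip_network("192.168.1.0/24")   # stands in for ${inet}:${imask}


@dataclass
class TcpSyn:
    """Minimal view of a TCP segment: the fields the rule looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True
    ack: bool = False


def parse_port_command(line: str) -> tuple:
    """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' line into (host, port)."""
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = [int(x) for x in args.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT arguments")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def expected_data_syn(port_cmd: str, server_ip: str) -> TcpSyn:
    """The SYN the FTP server sends from port 20 in response to PORT.
    natd rewrites the address in the outgoing PORT command and maps the
    returning SYN back to the internal host, so by the time ipfw sees it
    the destination is again the address the client announced."""
    host, port = parse_port_command(port_cmd)
    return TcpSyn(src=server_ip, sport=20, dst=host, dport=port)


def rule_allows(pkt: TcpSyn) -> bool:
    """'from any 20 to ${inet}:${imask} 1024-65535 setup'.
    'setup' matches segments with SYN set and ACK clear.  Note that the
    rule keys on the source port alone, not on a preceding PORT command."""
    return (pkt.sport == 20
            and ipaddress.ip_address(pkt.dst) in INET
            and 1024 <= pkt.dport <= 65535
            and pkt.syn and not pkt.ack)
```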