From: "Barkell, Bill"
To: security@freebsd.org
Subject: RE: best firewall option for FreeBSD
Date: Wed, 27 Feb 2002 09:02:00 -0500

FTP can be handled by IPfilter. Refer to the IPfilter HOW-TO documentation. It is done with a trick in IPNAT, which redirects the ftp return traffic to a source port 21. As I understand it, if only an inbound rule exists, IPfilter will treat the return (outbound) traffic as an established session, since the source IP and port now match the established connection ... so it works quite nicely.

Bill Barkell

-----Original Message-----
From: Bart Matthaei [mailto:bart@dreamflow.nl]
Sent: Wednesday, February 27, 2002 8:48 AM
To: m p
Cc: security@freebsd.org
Subject: Re: best firewall option for FreeBSD

On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote:
> To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
> with outlook)) you can choose both. But ftp is a braindead (from a firewaller
> sight) protocol. You can not simply make a rule "allow tcp from internal
> network to external ftp-server" - because it will use more than one port.

Agreed. I know that Linux has a fix for this issue. There's FTP masquerading support in the kernel. BSD hasn't got such a thing as far as I know. You can try to direct all the ftp traffic to natd, or ipnat (ipfw divert natd tcp from any to any 21). No idea if this will actually work.

> So you should use ipfilter which "inspects" the packets flowing through to get
> the new ftp port which have to be open - or use a ftp-proxy (there are some in
> the ports, look for one fitting your purpose).

Agreed. No comments on your other advice ;)

Regards,
Bart

--
Bart Matthaei bart@dreamflow.nl
Kiss me twice. I'm schizophrenic.
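The IPNAT arrangement Bill points to, written out as an added example (constructed for this page, not taken from the message or copied from the HOW-TO): it assumes an internal network of 10.1.0.0/16 behind external interface xl0, and follows the ordering the IPfilter HOW-TO prescribes, where the ftp proxy rule is listed before the general map rules.

```text
# /etc/ipnat.rules -- constructed example, not from the message above.
# Assumes the internal network 10.1.0.0/16 sits behind external interface xl0.
#
# 1. Hand outbound FTP control connections (destination port 21) to the
#    built-in ftp proxy. The proxy follows the PORT/PASV exchange on the
#    control channel and creates the NAT entries for the data connections
#    itself, which is what lets a "more than one port" protocol through.
map xl0 10.1.0.0/16 -> 0/32 proxy port ftp ftp/tcp
#
# 2. Remaining TCP/UDP is translated with a dedicated source-port range so
#    that the mappings for different internal hosts stay distinct.
map xl0 10.1.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
#
# 3. Catch-all for everything else (ICMP and so on).
map xl0 10.1.0.0/16 -> 0/32
#
# Order matters: ipnat uses the first matching rule, so if the portmap or
# catch-all rule came first, port-21 traffic would be translated without
# the proxy and the data connections would never be mapped.
```

Load the rules with `ipnat -CF -f /etc/ipnat.rules` and use `ipnat -l` to confirm that FTP sessions show up as proxy entries rather than plain mappings.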