Date: Wed, 27 Feb 2002 09:02:00 -0500
From: "Barkell, Bill" <Bill.Barkell@compuware.com>
To: security@freebsd.org
Subject: RE: best firewall option for FreeBSD
Message-ID: <A58643BEDEF7D211BABB0008C75D853F0A5F66F0@fhpri01.compuware.com>
FTP can be handled by IPfilter. Refer to the IPfilter HOW-TO documentation. It is done with a trick in IPNAT, which redirects the ftp return traffic to a source port 21. As I understand it, if only an inbound rule exists, IPfilter will treat the return (outbound) traffic as an established session, since the source IP and port now match the established connection ... so it works quite nicely.

Bill Barkell

-----Original Message-----
From: Bart Matthaei [mailto:bart@dreamflow.nl]
Sent: Wednesday, February 27, 2002 8:48 AM
To: m p
Cc: security@freebsd.org
Subject: Re: best firewall option for FreeBSD

On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote:
> To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
> with outlook)) you can choose both. But ftp is a braindead (from a firewaller's
> point of view) protocol. You can not simply make a rule "allow tcp from internal
> network to external ftp-server" - because it will use more than one port.

Agreed. I know that Linux has a fix for this issue. There's FTP masquerading
support in the kernel. BSD hasn't got such a thing as far as I know.
You can try to direct all the ftp traffic to natd, or ipnat.
(ipfw divert natd tcp from any to any 21). No idea if this will actually work.

> So you should use ipfilter which "inspects" the packets flowing through to get
> the new ftp port which has to be opened - or use an ftp-proxy (there are some in
> the ports, look for one fitting your purpose).

Agreed. No comments on your other advice ;)

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl
Kiss me twice. I'm schizophrenic.
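The thread above turns on one fact: the FTP data connection's address and port are carried inside the control channel (the client's PORT command in active mode, the server's 227 reply in passive mode), so a packet filter can only open the right hole if something inspects those lines. The following is an added example, not code from the thread or from IPfilter, that shows what such an inspector has to do: decode the h1,h2,h3,h4,p1,p2 tuples, reject endpoints that do not belong to the peer that announced them (the classic FTP bounce case) or that fall in the privileged range, and emit the matching ipf `pass ... keep state` rule. The sample control lines, the interface name `fxp0` and the addresses are constructed for the example.

```python
import re
import ipaddress

# Constructed sample of an FTP control channel as seen by a firewall between
# client 192.168.1.10 and server 203.0.113.5 (not a captured session).
SAMPLE_CONTROL_LINES = [
    "USER anonymous",
    "PORT 192,168,1,10,4,1",                           # active: client listens on 192.168.1.10:1025
    "RETR file.txt",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80)",  # passive: server listens on 203.0.113.5:50000
    "PORT 10,0,0,99,0,80",                             # forged: points a data connection at a third host
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(fields):
    """Turn the six comma-separated decimal fields into (IPv4Address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def data_connections(lines, client_ip, server_ip):
    """Inspect control-channel lines and list the data connections a stateful
    FTP helper would have to permit. Each entry says whether it is trusted."""
    client = ipaddress.IPv4Address(client_ip)
    server = ipaddress.IPv4Address(server_ip)
    found = []
    for line in lines:
        m = PORT_RE.match(line)
        if m:
            host, port = _decode(m.groups())
            # Active mode: server (source port 20) connects back to the client.
            # Only trust it if the announced address really is the client's.
            if host != client or port < 1024:
                found.append({"mode": "active", "ok": False,
                              "reason": "PORT endpoint is not the client's unprivileged port",
                              "line": line})
            else:
                found.append({"mode": "active", "ok": True,
                              "src": (str(server), 20), "dst": (str(host), port)})
            continue
        m = PASV_RE.match(line)
        if m:
            host, port = _decode(m.groups())
            # Passive mode: client connects out to the port the server announced.
            if host != server or port < 1024:
                found.append({"mode": "passive", "ok": False,
                              "reason": "227 endpoint is not the server's unprivileged port",
                              "line": line})
            else:
                found.append({"mode": "passive", "ok": True,
                              "src": (str(client), None), "dst": (str(host), port)})
    return found


def ipf_rule(conn, iface="fxp0"):
    """Render a trusted data connection as an ipf rule that permits the
    first SYN and tracks the rest of the flow with keep state."""
    if not conn["ok"]:
        raise ValueError(conn["reason"])
    (sip, sport), (dip, dport) = conn["src"], conn["dst"]
    direction = "in" if conn["mode"] == "active" else "out"
    src = f"{sip} port = {sport}" if sport else sip
    return (f"pass {direction} quick on {iface} proto tcp from {src} "
            f"to {dip} port = {dport} flags S keep state")


if __name__ == "__main__":
    for c in data_connections(SAMPLE_CONTROL_LINES, "192.168.1.10", "203.0.113.5"):
        print(ipf_rule(c) if c["ok"] else f"# dropped: {c['reason']}: {c['line']}")
```

Run stand-alone it prints one rule for the legitimate PORT, one for the 227 reply, and a dropped-line comment for the forged PORT. In IPfilter itself this inspection is done by the ipnat ftp proxy (an ipnat.conf line of the form `map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp`, placed before the plain `map` rules), which is the mechanism the HOW-TO Bill refers to; the example only makes visible what that proxy has to parse and check.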