Date:      Thu, 12 Apr 2001 21:16:23 +0200 (CEST)
From:      Luigi Rizzo <luigi@info.iet.unipi.it>
To:        Kirk Strauser <kirk@strauser.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Beating a dead horse - ipfw and FTP
Message-ID:  <200104121916.VAA74511@info.iet.unipi.it>
In-Reply-To: <87puei53ud.fsf@pooh.honeypot> from Kirk Strauser at "Apr 12, 2001 02:13:14 pm"

We have stateful ipfw and passive ftp -- the combination of
the two should give you the protection that you want.
Am I wrong?

	cheers
	luigi


> I've read a lot of the mailing list archives regarding ipfw and FTP.  The
> basic consensus seems to be that FTP Is Bad and that it shouldn't be used.
> OK, on a technical level, I agree.  Unfortunately, it's still somewhat hard
> to get away from.  In particular, look at the FreeBSD ports system which
> relies heavily on using FTP to fetch source tarballs - that alone is reason
> enough for me to maintain usability for this antiquated protocol.  Add in
> the fact that I have several user workstations that periodically fetch files
> (darn those Debian users :) ) and I'm pretty well stuck.
> 
> So, has anyone agreed on a best-practices method of allowing outgoing FTP
> connections through ipfw?  It seems like the ideal would be for someone to
> add an FTP method to ipfw's keep-state mechanism, but that doesn't seem to
> exist right now.  The next best solution, to me, would be an ipfw-aware FTP
> proxy that can dynamically open and close ports.  Does such a thing exist?
> If so, and there are more than one, are any of them recommended?
> 
> I'm thinking that a final last-ditch-effort solution would be to write a
> two-part FTP proxy server so half of the server lives outside the firewall
> and the other half is inside, and the two halves communicate via a secure
> link.  This might actually be a Good Thing, but darned if I'd even know
> where to begin such a project.
> -- 
> Kirk Strauser
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
> 
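
A minimal ruleset for the combination described in the reply above (stateful ipfw plus passive-mode FTP clients), as an added example that is not part of the original message. The inside network, interface name and rule numbers are constructed, only TCP is covered, and the script prints the commands unless `fwcmd` is set to the real `ipfw` binary.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: inside network
# 192.168.1.0/24, outside interface fxp0, arbitrary rule numbers.
# Dry run by default (prints the commands); set fwcmd=/sbin/ipfw to apply.
fwcmd=${fwcmd:-"echo ipfw"}
inside_net=${inside_net:-"192.168.1.0/24"}
oif=${oif:-"fxp0"}

passive_ftp_rules() {
    # Packets of a connection already recorded by keep-state match its
    # dynamic rule here.
    $fwcmd add 1000 check-state

    # Any TCP connection opened from inside gets a dynamic rule. That covers
    # the FTP control connection (port 21) and, in passive mode, the data
    # connection, which the client also opens (to a port the server picks).
    $fwcmd add 1100 allow tcp from "$inside_net" to any out via "$oif" setup keep-state

    # Connection attempts arriving from outside are refused. Active-mode FTP
    # needs exactly this (server port 20 connecting back to the client), so
    # clients must use passive mode, e.g. FTP_PASSIVE_MODE=YES for fetch(1).
    $fwcmd add 1200 deny tcp from any to any in via "$oif" setup

    # Remaining TCP packets on the outside interface match no dynamic rule
    # and are dropped.
    $fwcmd add 1300 deny tcp from any to any via "$oif"
}

passive_ftp_rules
```
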

