From owner-freebsd-isp Mon Dec 17 5:32:22 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from blue.frogfoot.net (blue.frogfoot.net [66.8.28.50]) by hub.freebsd.org (Postfix) with SMTP id 438B437B405 for ; Mon, 17 Dec 2001 05:32:08 -0800 (PST)
Received: (qmail 31250 invoked by uid 1004); 17 Dec 2001 13:31:58 -0000
Date: Mon, 17 Dec 2001 15:31:58 +0200
From: Johann Botha
To: apache@ukr.net
Cc: freebsd-isp@freebsd.org
Subject: Re: firewall + ftp
Message-ID: <20011217133158.GB30894@blue.frogfoot.net>
References: <20011217131602.A1843@unixbox.office.annaltd.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011217131602.A1843@unixbox.office.annaltd.com>
User-Agent: Mutt/1.3.24i
Organization: Frogfoot Networks
X-Operating-System: Debian GNU/Linux blue 2.4.13-ac7 (Athlon)
X-GPG-Public-Key: http://blue.frogfoot.net/keys/frogfoot.gpg
X-Uptime: 2:57pm up 1 day, 18:06, 6 users, load average: 1.50, 1.37, 1.28
X-Edited-With-Muttmode: muttmail.sl - 2001-10-27
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi apache!

> I am arranging a firewall in my office network connected to the Internet via a dedicated
> line. I wanna close everything but HTTP, SMTP, SSH and FTP from the internal
> network. The problem is FTP. I wanna make uploads/downloads to Internet hosts
> via ftp.
>
> What can I do with data ports?
> Are there any solutions or start points for me (ftp proxy, etc.)?

man natd

------------< snip <------< snip <------< snip <------------
     -punch_fw basenumber:count
             This option directs natd to `punch holes'' in an ipfirewall(4)
             based firewall for FTP/IRC DCC connections.  This is done
             dynamically by installing temporary firewall rules which allow
             a particular connection (and only that connection) to go
             through the firewall.  The rules are removed once the
             corresponding connection terminates.
------------< snip <------< snip <------< snip <------------

but.. I could not get this to work, IMHO natd is broken. (in 4.3 anyway)

so now I use jftpgw: http://www.mcknight.de/jftpgw/features.html

eg.

------------< snip <------< snip <------< snip <------------
# Transparent Proxy for FTP
fwd 66.8.1.1,2370 tcp from 66.8.1.48/29 to any 21 in recv ed1
------------< snip <------< snip <------< snip <------------

and then just allow "1025-65535 to any 21" on the firewall's IP.

..or use IPF's NAT: http://coombs.anu.edu.au/~avalon/ip-filter.html

--
Regards
Johann

"FreD is not dead" - echo $(uname) is not dead | sed "s/eBS//"
_________________________________________________________
Johann L. Botha                        Debian GNU Jedi: joe@debian.org
email: joe@frogfoot.net                snail mail: PO Box 3472
mobile: +27 82 5626 167                            Matieland
workpage: http://www.frogfoot.net                  Stellenbosch
homepage: http://blue.frogfoot.net                 7602
gps: 33deg 56.09S, 18deg 25.31E, 64m               South Africa
ham: ZR1JOE
Copyright (c) 2001. The Sovereigns of Frogfoot. All rights reserved.
Disclaimer available upon request.
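The reply above rests on one mechanism: something on the firewall has to watch the FTP control channel (port 21), work out which data connection the two sides have just agreed on, and admit exactly that connection for as long as it lasts. That is what natd's `-punch_fw basenumber:count` automates and what a transparent proxy such as jftpgw does on the firewall's behalf. The following is an added example, not code from the original post, natd or jftpgw: a small Python model that decodes PORT commands and 227 passive-mode replies and renders the temporary `ipfw add` rule that would be punched for each data connection, cycling rule numbers through the basenumber:count pool the man page describes. The function names, the rule-number scheme, the minimum-port and same-host checks, and the sample control-channel lines (documentation-range addresses) are all constructed for illustration; only the `ipfw add <num> allow tcp from A to B <port>` syntax and the basenumber:count idea come from the thread.

```python
"""
Model of natd-style FTP hole punching (added example, not natd's code).

natd watches the control channel, extracts the data-connection endpoint
the client and server announce, and installs a temporary ipfw rule for
that single connection. Here we only render the rules as strings.
"""
import re
from dataclasses import dataclass

# FTP (RFC 959) encodes an address and port as h1,h2,h3,h4,p1,p2 both in the
# client's PORT command and in the server's "227 Entering Passive Mode" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    src: str        # side that opens the data connection
    dst: str        # side that listens for it
    dst_port: int


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if absent or malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None                      # an octet or port byte out of range
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def data_channel_for(line, client_ip, server_ip):
    """
    Return the data channel one control-channel line sets up, or None.

    Active mode:  client sends "PORT h1,...,p2"; the server then connects
                  back to the client's announced port.
    Passive mode: server replies "227 ... (h1,...,p2)"; the client then
                  connects to the server's announced port.
    Checks below are this model's own policy (an assumption, not a claim
    about natd): the announced address must belong to the announcing side,
    so a PORT naming a third host gets no hole, and the port must be >= 1024.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        hp = parse_hostport(line[5:])
        if hp is None:
            return None
        ip, port = hp
        if ip != client_ip or port < 1024:
            return None
        return DataChannel(src=server_ip, dst=client_ip, dst_port=port)
    if line.startswith("227 "):
        hp = parse_hostport(line)
        if hp is None:
            return None
        ip, port = hp
        if ip != server_ip or port < 1024:
            return None
        return DataChannel(src=client_ip, dst=server_ip, dst_port=port)
    return None


def punch_rules(lines, client_ip, server_ip, basenumber=10000, count=100):
    """
    Model of -punch_fw basenumber:count: emit one temporary 'ipfw add' rule
    per negotiated data connection, drawing rule numbers from
    basenumber .. basenumber+count-1 (wrapping, as a fixed pool would).
    """
    rules = []
    n = 0
    for line in lines:
        ch = data_channel_for(line, client_ip, server_ip)
        if ch is None:
            continue
        rulenum = basenumber + (n % count)
        n += 1
        rules.append(
            f"ipfw add {rulenum} allow tcp from {ch.src} to {ch.dst} {ch.dst_port}"
        )
    return rules


# Constructed sample exchange (not a real capture); client 10.0.0.5,
# server 203.0.113.9.
SAMPLE_CONTROL = [
    "220 ftp.example.test FTP server ready",
    "USER anonymous",
    "230 Login successful",
    "PASV",
    "227 Entering Passive Mode (203,0,113,9,195,80)",   # 195*256+80 = 50000
    "RETR file.txt",
    "PORT 10,0,0,5,7,209",                               # 7*256+209 = 2001
    "PORT 203,0,113,200,4,1",                            # third host: no hole
    "226 Transfer complete",
]

if __name__ == "__main__":
    for rule in punch_rules(SAMPLE_CONTROL, client_ip="10.0.0.5", server_ip="203.0.113.9"):
        print(rule)
```

Run stand-alone it prints two rules, one for the passive transfer to the server's port 50000 and one for the active transfer back to the client's port 2001; the PORT naming a third host is ignored. This is also the work a transparent proxy takes on: once jftpgw terminates the client's control connection, only the proxy's own 1025-65535 range needs to reach port 21, as the reply notes, and the data-port bookkeeping happens inside the proxy rather than in firewall rules.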