Re: best firewall option for FreeBSD

From: Bart Matthaei (bart@dreamflow.nl)
Date: 02/27/02


Date: Wed, 27 Feb 2002 14:48:06 +0100
From: Bart Matthaei <bart@dreamflow.nl>
To: m p <sumirati@yahoo.de>


On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote:
> To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
> with outlook)) you can choose both. But ftp is a braindead (from a firewaller's
> sight) protocol. You can not simply make a rule "allow tcp from internal
> network to external ftp-server" - because it will use more than one port.

Agreed.
I know that Linux has a fix for this issue. There's FTP
masquerading support in the kernel. BSD hasn't got such a thing as far
as I know. You can try to direct all the ftp traffic to natd, or ipnat.
(ipfw divert natd tcp from any to any 21).
No idea if this will actually work.

> So you should use ipfilter which "inspects" the packets flowing through to get
> the new ftp port which has to be open - or use an ftp-proxy (there are some in
> the ports, look for one fitting your purpose).

Agreed.

No comments on your other advice ;)

Regards,

Bart

-- 
Bart Matthaei                 bart@dreamflow.nl 
Kiss me twice.  I'm schizophrenic.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
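As an added illustration of the point made in this exchange, that the FTP data port is negotiated inside the control channel and so cannot be covered by a fixed port rule, the following Python script is example code written for this archive page; it is not from the thread, nor from ipfw, natd or ipfilter. It decodes the client PORT command (active mode) and the server 227 reply (passive mode) from a constructed sample session and lists the extra connections a packet filter would have to open for the transfers, which is exactly what an FTP-aware stateful filter or proxy has to do on the fly. The `pinholes()` output notation is made up for readability and is not any firewall's rule syntax.

```python
"""Added example, not from the original thread: decode FTP data-connection
negotiation from the control channel.  Sample session below is constructed;
the pinhole tuples are an illustrative notation, not ipfilter/ipfw syntax."""
import re

# Both PORT and the 227 reply carry h1,h2,h3,h4,p1,p2: four address octets
# and a 16-bit port split as p1*256 + p2.
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_REPLY = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_SPEAKER = re.compile(r"^[CS]>\s*")  # strips the constructed "C> " / "S> " prefix


def _decode(groups):
    """Turn the six captured decimal fields into ("a.b.c.d", port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_connection(line):
    """Return (mode, host, port) if this control-channel line negotiates a
    data connection, else None.

    "active": client sent PORT, the server will connect from its port 20
              to the client's host:port.
    "passive": server sent 227, the client will connect to host:port."""
    m = _PORT_CMD.match(line)
    if m:
        host, port = _decode(m.groups())
        return ("active", host, port)
    m = _PASV_REPLY.match(line)
    if m:
        host, port = _decode(m.groups())
        return ("passive", host, port)
    return None


def pinholes(control_lines):
    """Walk a captured control session and list the connections a firewall
    would additionally have to allow: (direction, source, dst_host, dst_port)."""
    holes = []
    for raw in control_lines:
        neg = data_connection(_SPEAKER.sub("", raw.strip()))
        if neg is None:
            continue
        mode, host, port = neg
        if mode == "active":
            # Server dials back in to the client: an inbound hole on the client side.
            holes.append(("inbound", "server:20", host, port))
        else:
            # Client dials out to a high port on the server.
            holes.append(("outbound", "client", host, port))
    return holes


# Constructed sample session; addresses are from private / documentation ranges.
SAMPLE_SESSION = [
    "S> 220 ftp.example.invalid FTP server ready.",
    "C> USER anonymous",
    "S> 331 Guest login ok, send e-mail as password.",
    "C> PASS guest@",
    "S> 230 Guest login ok.",
    "C> PORT 192,168,1,10,4,1",                          # active: 192.168.1.10:1025
    "S> 200 PORT command successful.",
    "C> LIST",
    "S> 150 Opening ASCII mode data connection for '/bin/ls'.",
    "S> 226 Transfer complete.",
    "C> PASV",
    "S> 227 Entering Passive Mode (203,0,113,5,195,80)",  # passive: 203.0.113.5:50000
    "C> RETR file.txt",
    "S> 150 Opening BINARY mode data connection for file.txt (42 bytes).",
    "S> 226 Transfer complete.",
    "C> QUIT",
]

if __name__ == "__main__":
    for hole in pinholes(SAMPLE_SESSION):
        print(hole)
```

Run as a script it prints one tuple per negotiated transfer; the active-mode entry is the inbound connection to a client high port that a plain "allow established / allow out to port 21" ruleset never anticipates, and the passive-mode entry is the outbound connection to an arbitrary server port that a "client to port 21 only" rule blocks. A filter that does not parse these lines has to either open wide port ranges or break one of the two modes.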
