RE: best firewall option for FreeBSD

From: Barkell, Bill (Bill.Barkell@compuware.com)
Date: 02/27/02


From: "Barkell, Bill" <Bill.Barkell@compuware.com>
To: security@freebsd.org
Date: Wed, 27 Feb 2002 09:02:00 -0500

FTP can be handled by IPfilter. Refer to the IPfilter HOW-TO documentation.
It is done with a trick in IPNAT, which redirects the ftp return traffic to
a source port 21. As I understand it, if only an inbound rule exists,
IPfilter will treat the return (outbound) traffic as an established session,
since the source IP and port now match the established connection ... so it
works quite nicely.

Bill Barkell

-----Original Message-----
From: Bart Matthaei [mailto:bart@dreamflow.nl]
Sent: Wednesday, February 27, 2002 8:48 AM
To: m p
Cc: security@freebsd.org
Subject: Re: best firewall option for FreeBSD

On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote:
> To filter all but ssh, http, https, smtp and pop3 (aka mail (what you
> meant with outlook)) you can choose both. But ftp is a braindead (from a
> firewaller sight) protocol. You cannot simply make a rule "allow tcp from internal
> network to external ftp-server" - because it will use more than one port.

Agreed.
I know that linux has a fix for this issue. There's FTP
masquerading support in the kernel. BSD hasn't got such a thing as far
as i know. You can try to direct all the ftp traffic to natd, or ipnat.
(ipfw divert natd tcp from any to any 21).
No idea if this will actually work.

> So you should use ipfilter which "inspects" the packets flowing through to
> get the new ftp port which has to be opened - or use an ftp-proxy (there are
> some in the ports, look for one fitting your purpose).

Agreed.

No comments on your other advice ;)

Regards,

Bart

-- 
Bart Matthaei                 bart@dreamflow.nl 
Kiss me twice.  I'm schizophrenic.
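An added example (not from either poster) of the IPNAT ftp proxy arrangement Bill refers to, in ipnat.conf/ipf.conf syntax; the interface names xl0 (outside) and fxp0 (inside) and the 192.168.1.0/24 inside network are assumptions:

```conf
# /etc/ipnat.conf  (added example; xl0 = outside interface, 192.168.1.0/24 = inside net are assumed)
# The ftp proxy rule must come before the general map rules: ipnat uses the first
# matching map, and the proxy has to see the port-21 control channel so it can
# rewrite PORT commands and create the NAT/state entries for the data connection.
map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map xl0 192.168.1.0/24 -> 0/32

# /etc/ipf.conf  (added example; fxp0 = inside interface is assumed)
# Default deny on both directions; only connections initiated from the inside
# create state, and the "quick" keyword stops rule processing at the first match.
block in log all
block out all
pass in  quick on fxp0 all
pass out quick on fxp0 all
pass out quick on xl0 proto tcp  from any to any flags S keep state
pass out quick on xl0 proto udp  from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
# Note there is no "pass in" on xl0 for the active-ftp data connection (server
# port 20): it is admitted through the entry the ftp proxy created, which is the
# "treated as an established session" behaviour described in the thread.
```

Load with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`, and confirm with `ipnat -l` / `ipfstat -s` that a NAT and state entry appear for the data connection while an FTP transfer is in progress.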