RE: best firewall option for FreeBSD

From: Barkell, Bill (Bill.Barkell@compuware.com)
Date: 02/27/02


From: "Barkell, Bill" <Bill.Barkell@compuware.com>
To: security@freebsd.org
Date: Wed, 27 Feb 2002 09:02:00 -0500

FTP can be handled by IPfilter. Refer to the IPfilter HOW-TO documentation.
It is done with a trick in IPNAT, which redirects the ftp return traffic to
a source port 21. As I understand it, if only an inbound rule exists,
IPfilter will treat the return (outbound) traffic as an established session,
since the source IP and port now match the established connection ... so it
works quite nicely.

Bill Barkell
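The IPNAT-side handling described above, as an added illustration that is not part of this thread: the `proxy port ftp ftp/tcp` map rule documented in the IPFilter HOW-TO lets the kernel FTP proxy follow PORT/PASV on the control channel and open state for the data connection, so the outside stays default-deny. The interface name `ext0` and the 192.168.1.0/24 network are constructed placeholders.

```conf
# /etc/ipnat.rules  (illustration; "ext0" and 192.168.1.0/24 are placeholders)

# FTP proxy: inspects control connections from the LAN to port 21,
# rewrites the addresses in PORT/PASV and creates the NAT/state entries
# the separate data connection needs.  Must come before the generic maps.
map ext0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp

# Ordinary NAT for everything else leaving the LAN.
map ext0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ext0 192.168.1.0/24 -> 0/32

# /etc/ipf.rules

# Default deny on the outside interface; nothing unsolicited comes in.
block in quick on ext0 all

# Outbound sessions are allowed and tracked; only their replies (and the
# FTP data connections the proxy registered) are let back in.
pass out quick on ext0 proto tcp from any to any flags S keep state
pass out quick on ext0 proto udp from any to any keep state
pass out quick on ext0 proto icmp from any to any keep state
```

Load with `ipnat -CF -f /etc/ipnat.rules` followed by `ipf -Fa -f /etc/ipf.rules`; check the proxy is active with `ipnat -l`, which lists the live NAT table entries (including the ones created for FTP data connections).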

-----Original Message-----
From: Bart Matthaei [mailto:bart@dreamflow.nl]
Sent: Wednesday, February 27, 2002 8:48 AM
To: m p
Cc: security@freebsd.org
Subject: Re: best firewall option for FreeBSD

On Wed, Feb 27, 2002 at 02:28:46PM +0100, m p wrote:
> To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
> with outlook)) you can choose both. But ftp is a braindead (from a firewaller
> sight) protocol. You cannot simply make a rule "allow tcp from internal
> network to external ftp-server" - because it will use more than one port.

Agreed.
I know that Linux has a fix for this issue. There's FTP
masquerading support in the kernel. BSD hasn't got such a thing as far
as I know. You can try to direct all the ftp traffic to natd, or ipnat.
(ipfw divert natd tcp from any to any 21).
No idea if this will actually work.

> So you should use ipfilter which "inspects" the packets flowing through to get
> the new ftp port which has to be open - or use a ftp-proxy (there are some in
> the ports, look for one fitting your purpose).

Agreed.

No comments on your other advice ;)

Regards,

Bart

-- 
Bart Matthaei                 bart@dreamflow.nl 
Kiss me twice.  I'm schizophrenic.