IPFW bridges and, woe is me, ftp
From: Scott Lampert (scott@lampert.org)
Date: 04/09/02
- Next message: Dmitry Pryanishnikov: "Re: zlib double-free security notification"
- Previous message: Douglas K. Rand: "Re: Centralized authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 9 Apr 2002 12:59:24 -0700 From: Scott Lampert <scott@lampert.org> To: freebsd-security@FreeBSD.org
(If this shouldn't be on -net please accept my apologies. It seemed all the
networking gurus are there and this sort of overlaps onto that subject.)
I have a 4.5 release box that is acting as a bridging firewall with ipfw
for an internet connected network and I'm having some issues with ftp
(as usual). This network is NOT nat routed; the network has a real IP
block. Using keep-state and tcp established rules the best I can come
up with is to allow active ftp in and passive ftp out with the following
three rules:
add check-state
add pass tcp from any to any established
add pass tcp from any to ${ftphost} 21 in via ${OIF} setup keep-state
All internal hosts can initiate connections to outside hosts at will.
This sort of leaves anyone who needs to ftp into this network from behind
their own firewall with a passive connection totally out of luck. The
only functional solution to handle incoming passive connections seems to
be to open up a range of ports which I'd prefer not to do for obvious
reasons.
I'd love to ditch ipfw and use ipfilter but that is not supported for
bridging with FreeBSD unfortunately. OpenBSD is not an option on this
box either as it has an old mylex raid controller that is unsupported by
that OS.
A quick scan of the archives seems to only address the issue with nat
firewalls using natd and divert sockets. On that note, I had a quick
look through the natd man page to see if I could set it up to just look
at ftp connections and not actually do any network translations.
Basically I just want it for its punchfw functionality and just for ftp
connections. Is this even possible? I'm going to experiment with this
today and I was hoping that someone might be able to give me a little
guidance to save me some time and possibly fruitless efforts.
If there are alternative and/or better ways of doing this I'd love to
hear from someone. I know Crist J. Clark had an unofficial and
unsupported patch to make ipfilter work with bridging on 4.x, but I'd
prefer not to become dependant on something that won't be official until
5.0 comes out if I can avoid it.
Thanks!
-Scott
-- Scott Lampert <scott@lampert.org> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, 1759 Public Key: http://www.lampert.org/lampert.key
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- application/pgp-signature attachment: stored
- Next message: Dmitry Pryanishnikov: "Re: zlib double-free security notification"
- Previous message: Douglas K. Rand: "Re: Centralized authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
