From owner-freebsd-ipfw Thu Apr 12 12:13:27 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from kanga.honeypot.net (kanga.honeypot.net [216.224.193.50]) by hub.freebsd.org (Postfix) with ESMTP id 5FA4E37B446 for ; Thu, 12 Apr 2001 12:13:24 -0700 (PDT) (envelope-from kirk@honeypot.net)
Received: from pooh.honeypot (mail@pooh.honeypot [10.0.1.2]) by kanga.honeypot.net (8.11.3/8.11.3) with ESMTP id f3CJDEE66076 for ; Thu, 12 Apr 2001 14:13:18 -0500 (CDT) (envelope-from kirk@honeypot.net)
Received: from kirk by pooh.honeypot with local (Exim 3.12 #1 (Debian)) id 14nmWo-0000Fn-00 for ; Thu, 12 Apr 2001 14:13:14 -0500
To: freebsd-ipfw@freebsd.org
Subject: Beating a dead horse - ipfw and FTP
From: Kirk Strauser
Date: 12 Apr 2001 14:13:14 -0500
Message-ID: <87puei53ud.fsf@pooh.honeypot>
Lines: 23
X-Mailer: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I've read a lot of the mailing list archives regarding ipfw and FTP. The basic consensus seems to be that FTP Is Bad and that it shouldn't be used. OK, on a technical level, I agree. Unfortunately, it's still somewhat hard to get away from. In particular, look at the FreeBSD ports system, which relies heavily on using FTP to fetch source tarballs - that alone is reason enough for me to maintain usability for this antiquated protocol. Add in the fact that I have several user workstations that periodically fetch files (darn those Debian users :) ) and I'm pretty well stuck.

So, has anyone agreed on a best-practices method of allowing outgoing FTP connections through ipfw? It seems like the ideal would be for someone to add an FTP method to ipfw's keep-state mechanism, but that doesn't seem to exist right now. The next best solution, to me, would be an ipfw-aware FTP proxy that can dynamically open and close ports. Does such a thing exist? If so, and there are more than one, are any of them recommended?

I'm thinking that a final last-ditch-effort solution would be to write a two-part FTP proxy server so half of the server lives outside the firewall and the other half is inside, and the two halves communicate via a secure link. This might actually be a Good Thing, but darned if I'd even know where to begin such a project.

-- 
Kirk Strauser
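The reason plain `keep-state` cannot handle FTP, and the core of what an "ipfw-aware FTP proxy" would have to do, is that the data connection's endpoint is negotiated inside the control channel: the server's `227` PASV reply (or the client's `PORT` command) carries the address and port as six decimal octets. The snippet below is an added illustration, not code from the original post or from ipfw itself. It parses those tuples, computes the data port, refuses a tuple that names a host other than the peer the control connection is already talking to (the classic spoofed-address problem with FTP helpers), and formats a hypothetical ipfw rule that such a helper would add for the transfer and remove afterwards. The sample `227` reply and `PORT` command, the addresses, and the rule number are all constructed for the example.

```python
import re
import ipaddress

# Constructed sample control-channel messages, as a client behind the firewall
# would see them. 192.0.2.10 is the (made-up) FTP server, 10.0.1.2 the client.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)\r\n"
PORT_CMD = "PORT 10,0,1,2,4,1\r\n"

# h1,h2,h3,h4,p1,p2 as used by both the 227 reply and the PORT command (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Extract (host, port) from an FTP six-octet tuple; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    # A helper that opens holes on demand should never be talked into opening
    # a privileged port; real FTP data ports are ephemeral.
    if port < 1024:
        raise ValueError("refusing data port below 1024: %d" % port)
    return host, port


def data_channel_from_pasv(reply, server_ip):
    """Return (host, port) the client will connect to after a 227 reply.

    The host in the reply must be the server the control channel is already
    connected to; anything else is treated as spoofed and rejected.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply")
    host, port = parse_hostport(reply)
    if ipaddress.ip_address(host) != ipaddress.ip_address(server_ip):
        raise ValueError("PASV host %s differs from control peer %s" % (host, server_ip))
    return host, port


def data_channel_from_port(cmd, client_ip):
    """Return (host, port) the server will connect back to after a PORT command.

    Same check in the other direction: the client may only ask the server to
    connect back to the client's own address.
    """
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    host, port = parse_hostport(cmd)
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        raise ValueError("PORT host %s differs from control peer %s" % (host, client_ip))
    return host, port


def ipfw_rule_for_pasv(rule_no, client_ip, server_ip, port):
    """Hypothetical rule text a helper would install for one passive transfer.

    Only the SYN from the inside client to the negotiated port is allowed;
    the helper would 'ipfw delete' the rule once the data connection closes.
    """
    return "ipfw add %d allow tcp from %s to %s %d setup" % (rule_no, client_ip, server_ip, port)


if __name__ == "__main__":
    host, port = data_channel_from_pasv(PASV_REPLY, "192.0.2.10")
    print(ipfw_rule_for_pasv(2000, "10.0.1.2", host, port))
    print(data_channel_from_port(PORT_CMD, "10.0.1.2"))
```

The address check is the part worth keeping in mind when evaluating any FTP helper or proxy: without it, the helper will open whatever address and port the remote side names, which is exactly the kind of hole a firewall is supposed to prevent.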