From owner-freebsd-security Mon Nov 26 8:51:47 2001
Date: Mon, 26 Nov 2001 18:51:24 +0200
From: Ruslan Ermilov
To: Danny Carroll
Cc: security@FreeBSD.ORG
Subject: Re: IPFW, natd and an internal FTP server.
Message-ID: <20011126185124.A27588@sunbay.com>
User-Agent: Mutt/1.3.23i

On Mon, Nov 26, 2001 at 03:32:05PM +0000, Danny Carroll wrote:
> Hello,
>
> I know this question has been covered before in many different ways, but I
> can't seem to find the solution I am looking for.
>
> Here is my situation.
>
> Machine guard is the firewall / natd server on a dedicated internet line.
> Machine app is the web/ftp server; let's say it runs win2k. This machine is
> on an internal (192.168) network and the firewall's natd diverts web/ftp
> stuff almost brilliantly.
>
> The firewall works fine for active FTP (server-initiated data connections).
>
> If I configure my FTP server to use passive ports in a limited range and
> allow those ports specifically, then all is well.
>
> But I want to be a little more secure. So I tried using punch_fw to add the
> rules dynamically. I figured if it works for active clients, it must work
> for passive servers?
>
Yes.

> Am I wrong in this assumption or have I screwed something up?
>
So, you tried it and it did not work? What's the FreeBSD version?

> Also, will I see the rules inserted into the ipfw list or are they hidden
> for some reason?
>
Yes.

Cheers,
--
Ruslan Ermilov
Oracle Developer/DBA, ru@sunbay.com
Sunbay Software AG, ru@FreeBSD.org
FreeBSD committer, +380.652.512.251
Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
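A natd(8) and ipfw(8) configuration for the setup Danny describes, with punch_fw covering the FTP data connections instead of a statically opened passive port range, as an added example that is not part of the original thread or of FreeBSD's own rc files. The interface name fxp0, the internal server address 192.168.1.10 and the rule numbers are assumptions; the option names and the ipfw rule syntax are the ones documented in natd(8) and ipfw(8) for FreeBSD 4.x.

```conf
# /etc/natd.conf -- started as: natd -f /etc/natd.conf
# (interface name and internal address are assumed for this example)
interface fxp0
use_sockets yes
same_ports yes
dynamic yes

# Static port forwards to the internal win2k box: web and the FTP control channel.
redirect_port tcp 192.168.1.10:80 80
redirect_port tcp 192.168.1.10:21 21

# Let natd parse the FTP control channel and open a temporary "allow tcp" rule
# for each data connection it sees announced (active and passive alike).
# Up to 50 rules, numbered 2000-2049, each removed when its connection ends.
punch_fw 2000:50

# /etc/ipfw.rules -- loaded with: ipfw -q -f flush && ipfw -q /etc/ipfw.rules
# Rule order matters: ipfw stops at the first terminal match, so the
# punch_fw range (2000-2049) must be empty in this file, must come AFTER the
# divert rule (the inbound SYN is rewritten to 192.168.1.10 before it reaches
# the punched rule) and BEFORE the final deny of inbound SYNs.
add 00100 divert natd ip from any to any via fxp0
add 00200 allow tcp from any to any established
# Static holes for the two services natd forwards; the destination is the
# internal address because rule 100 has already translated the packet.
add 00300 allow tcp from any to 192.168.1.10 21 in via fxp0 setup
add 00310 allow tcp from any to 192.168.1.10 80 in via fxp0 setup
# Outbound connections (this is what carries active-mode data from port 20).
add 00400 allow tcp from any to any out via fxp0 setup
# 2000-2049: reserved for natd's punch_fw holes; do not add rules here.
add 65000 deny log tcp from any to any in via fxp0 setup
add 65100 allow ip from any to any
```

To check that the holes are being punched, start a passive-mode transfer from an outside client and run `ipfw show` on guard while it is in progress: a rule numbered in the 2000-2049 range, allowing that client to 192.168.1.10, should be listed (as Ruslan confirms, the dynamically inserted rules are visible in the ipfw list) and should disappear once the transfer ends. Two caveats: natd can only punch a hole for a PASV reply it can read, so the control channel must pass through it unencrypted (FTP over TLS defeats this), and if the static ruleset already uses numbers inside the punch_fw range, natd's inserted rules will collide with them.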