Date:      Wed, 29 Mar 2000 09:58:45 -0800
From:      Alan Batie <batie@rdrop.com>
To:        Pierre Chiu <pccb@yahoo.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: FTP with firewall rules
Message-ID:  <20000329095845.54716@rdrop.com>
In-Reply-To: <4520.000329@yahoo.com>; from Pierre Chiu on Wed, Mar 29, 2000 at 12:30:08PM -0500
References:  <4520.000329@yahoo.com>



On Wed, Mar 29, 2000 at 12:30:08PM -0500, Pierre Chiu wrote:
> In FreeBSD 4.0, ipfw supports stateful inspection.
> 
> I think this is very useful for running an ftp server and would work for both
> active and passive setup.

As I read the man page, that doesn't mean what it sounds like you think
it means.  To do active mode ftp properly, ipfw would need to parse the
contents of the packets on the ftp control channel and dynamically allow
the corresponding incoming connection.  There's no indication that this
parsing capability is present.

On the other hand, it's not clear just what keep-state/check-state do
either; what is the difference between the example:

    ipfw add check-state
    ipfw add deny tcp from any to any established
    ipfw add allow tcp from my-net to any setup keep-state

and

    ipfw add allow tcp from any to my-net established
    ipfw add allow tcp from my-net to any

Both only allow outgoing connections.  I suppose in the latter case,
it would be possible to send in packets that pretend to be "established"
but I'm not sure what that would get a hacker...

-- 
Alan Batie                   ______    www.rdrop.com/users/batie     Me
batie@agora.rdrop.com        \    /    www.qrd.org         The Triangle
PGPFP DE 3C 29 17 C0 49 7A    \  /     www.pgpi.com   The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9     \/      www.anti-spam.net       NO SPAM!


