From owner-freebsd-security Wed Mar 29 16:49:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from web2.sea.nwserv.com (web2.sea.nwserv.com [216.145.16.2]) by hub.freebsd.org (Postfix) with ESMTP id E030E37B745 for ; Wed, 29 Mar 2000 16:49:24 -0800 (PST) (envelope-from asaddi@philosophysw.com)
Received: from localhost (asaddi@localhost) by web2.sea.nwserv.com (8.9.3/8.9.3) with ESMTP id QAA78506; Wed, 29 Mar 2000 16:49:05 -0800 (PST) (envelope-from asaddi@philosophysw.com)
Date: Wed, 29 Mar 2000 16:49:05 -0800 (PST)
From: Allan Saddi
X-Sender: asaddi@web2.sea.nwserv.com
To: Alan Batie
Cc: Pierre Chiu , freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To: <20000329095845.54716@rdrop.com>
Message-ID:
Organization: Philosophy SoftWorks
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 29 Mar 2000, Alan Batie wrote:

> ...To do active mode ftp properly, ipfw would need to parse the
> contents of the packets on the ftp control channel and dynamically allow
> the corresponding incoming connection. There's no indication that this
> parsing capability is present.

Interestingly enough, sometime back, Eivind Eklund added a feature to allow
libalias(3) to "punch holes" in an ipfw-based firewall. The code is
apparently still there. Unfortunately, it seems like neither natd nor ppp
takes advantage of this feature. (Currently, there's no way to turn it on.)

It would be a seemingly trivial modification... but maybe there's some
reason why it was never incorporated into natd/ppp?

--
Allan Saddi                           "The Earth is the cradle of mankind,
asaddi@philosophysw.com                but we cannot live in the cradle
http://www.philosophysw.com/asaddi/    forever." - K.E. Tsiolkovsky
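To make concrete what "parsing the control channel" in the thread above means, here is an added example (not code from the thread, libalias or ipfw) that parses an RFC 959 PORT command and builds the one-off ipfw rule a hole-punching helper would have to add; the rule number, the hypothetical server address 10.0.0.2 and the client address 192.168.1.10 are constructed sample values, and the refusal of a PORT that names an address other than the control connection's peer is a caveat of mine, not something the thread states.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (six decimal byte values).
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str):
    """Return (client_ip, client_port) announced by an active-mode PORT
    command, or None if the line is not a well-formed PORT command."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None                      # each field is a single byte
    ip = ".".join(str(o) for o in octets[:4])
    port = (octets[4] << 8) | octets[5]  # p1 is the high byte, p2 the low byte
    if port == 0:
        return None
    return ip, port


def ipfw_hole_rule(control_client_ip: str, server_ip: str, line: str,
                   rule_no: int = 1000):
    """Build the temporary ipfw rule a hole-punching helper would add so the
    server may open the data connection from TCP port 20 back to the port the
    client announced. Returns None for a malformed PORT, a privileged port, or
    a PORT naming an address other than the control connection's peer (the
    helper must not be talked into opening holes toward third parties)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != control_client_ip or port < 1024:
        return None
    # 'setup' matches only the initial SYN; 'in' restricts it to inbound packets.
    return f"ipfw add {rule_no} allow tcp from {server_ip} 20 to {ip} {port} in setup"


if __name__ == "__main__":
    # Constructed sample: client 192.168.1.10 announces port 4*256+1 = 1025.
    print(ipfw_hole_rule("192.168.1.10", "10.0.0.2", "PORT 192,168,1,10,4,1"))
```

The rule that comes out is what a stateless ruleset cannot express in advance, because the client port changes with every transfer.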