From owner-freebsd-security Mon Sep 20 7:27:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id E3849151EA for ; Mon, 20 Sep 1999 07:27:44 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.3/8.9.3) with ESMTP id QAA06670; Mon, 20 Sep 1999 16:27:42 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id QAA39996; Mon, 20 Sep 1999 16:27:42 +0200 (MET DST)
Date: Mon, 20 Sep 1999 16:27:42 +0200
From: Eivind Eklund
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Best way to do FTP with NAT and firewall?
Message-ID: <19990920162742.A12619@bitbox.follo.net>
References: <4.2.0.58.19990917090848.04e582e0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <4.2.0.58.19990917090848.04e582e0@localhost>; from Brett Glass on Fri, Sep 17, 1999 at 09:16:11AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 17, 1999 at 09:16:11AM -0600, Brett Glass wrote:
> I've just set up a firewall for a client using ipfw and natd. Trouble is, his software seems to be particularly insistent on doing active, rather than passive, FTP. This poses a problem, of course, because a remote system can't open just data sockets to one behind the firewall due to NAT.
>
> I've worked with plenty of commercial firewalls that monitor FTP control connections and spoof the port number for the data sockets. SLiRP does it; so, apparently, does the pppd that comes with FreeBSD. But I can't find any documented way to do it with ipfw and natd.
>
> Are there undocumented commands to accomplish this?

Using the hooks I added to libalias to accomplish this. That would, however, require some small mods to the natd code (about 20-50 lines, I guess).

These punch fully specified holes for active FTP and IRC DCC connections, using a range of IPFW rule numbers designated by the caller. "Fully specified" in this context means with specified source address, destination address, source port and destination port. These time out the same way as usual, and should not pose any risk.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
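The mechanism Eivind describes, shown as an added stand-alone model rather than the actual libalias or natd code: the control channel is watched for the client's PORT command, natd rewrites the private address in it to the firewall's public address and an alias port, and a rule is punched that permits exactly one four-tuple, the FTP server's data port 20 to that public address and alias port. Everything concrete here is assumed for illustration: the rule range 10000-10015, the 60 second lifetime, and the sample addresses 192.168.1.10 (client), 198.51.100.7 (firewall public side) and 203.0.113.5 (FTP server). The PORT command and the alias port are constructed inputs; a real natd would obtain them from the session it is translating.

```c
/* Model of "fully specified" ipfw holes for active FTP behind NAT.
 * Constructed example, not natd/libalias code. Rule numbers come from a
 * range the caller designates; entries expire, so a forgotten hole closes
 * on its own instead of staying open for anyone who learns the tuple. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define HOLE_RULE_FIRST 10000   /* assumed rule range reserved for holes */
#define HOLE_RULE_COUNT 16
#define HOLE_TTL_SEC    60      /* assumed lifetime of a punched hole */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct hole {
    int      in_use;
    time_t   expires;
    uint32_t src_ip;   /* FTP server: the side that opens the data connection */
    uint16_t src_port; /* 20 for active FTP data */
    uint32_t dst_ip;   /* firewall's public address, as natd rewrote PORT */
    uint16_t dst_port; /* alias port natd chose for the client's data socket */
};

static struct hole holes[HOLE_RULE_COUNT];

/* Parse "PORT h1,h2,h3,h4,p1,p2" (RFC 959). 0 on success, -1 if malformed
 * or any octet is out of range; a bad PORT must never punch a hole. */
int parse_port_cmd(const char *line, uint32_t *ip, uint16_t *port)
{
    unsigned h[4], p[2];
    int i;
    if (sscanf(line, "PORT %u,%u,%u,%u,%u,%u",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return -1;
    for (i = 0; i < 4; i++)
        if (h[i] > 255) return -1;
    if (p[0] > 255 || p[1] > 255) return -1;
    *ip = IP4(h[0], h[1], h[2], h[3]);
    *port = (uint16_t)((p[0] << 8) | p[1]);
    return 0;
}

/* Close holes whose TTL has passed; returns how many were closed. */
int expire_holes(time_t now)
{
    int i, n = 0;
    for (i = 0; i < HOLE_RULE_COUNT; i++)
        if (holes[i].in_use && holes[i].expires <= now) {
            holes[i].in_use = 0;
            n++;
        }
    return n;
}

/* Reserve a rule number for a hole with all four tuple fields fixed.
 * Returns the rule number, or -1 if the designated range is exhausted. */
int punch_hole(uint32_t src_ip, uint16_t src_port,
               uint32_t dst_ip, uint16_t dst_port, time_t now)
{
    int i;
    expire_holes(now);
    for (i = 0; i < HOLE_RULE_COUNT; i++) {
        if (holes[i].in_use) continue;
        holes[i].in_use = 1;
        holes[i].expires = now + HOLE_TTL_SEC;
        holes[i].src_ip = src_ip;  holes[i].src_port = src_port;
        holes[i].dst_ip = dst_ip;  holes[i].dst_port = dst_port;
        return HOLE_RULE_FIRST + i;
    }
    return -1;
}

static void ip_to_str(uint32_t ip, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u", (unsigned)(ip >> 24),
             (unsigned)((ip >> 16) & 255), (unsigned)((ip >> 8) & 255),
             (unsigned)(ip & 255));
}

/* Render the ipfw rule for a live hole. Returns 0, or -1 if the rule number
 * is outside the range or the hole has already expired. */
int format_rule(int rule, char *out, size_t len)
{
    char s[16], d[16];
    int i = rule - HOLE_RULE_FIRST;
    if (i < 0 || i >= HOLE_RULE_COUNT || !holes[i].in_use) return -1;
    ip_to_str(holes[i].src_ip, s, sizeof s);
    ip_to_str(holes[i].dst_ip, d, sizeof d);
    snprintf(out, len, "add %d allow tcp from %s %u to %s %u setup",
             rule, s, (unsigned)holes[i].src_port, d, (unsigned)holes[i].dst_port);
    return 0;
}

int main(void)
{
    uint32_t cip; uint16_t cport; char rule[128]; int r;
    /* Constructed sample: client 192.168.1.10 announces data port 1025. */
    if (parse_port_cmd("PORT 192,168,1,10,4,1\r\n", &cip, &cport) != 0) return 1;
    /* natd would rewrite that to public 198.51.100.7 and alias port 5000 (assumed). */
    r = punch_hole(IP4(203, 0, 113, 5), 20, IP4(198, 51, 100, 7), 5000, time(NULL));
    if (r < 0 || format_rule(r, rule, sizeof rule) != 0) return 1;
    printf("ipfw %s\n", rule);
    return 0;
}
```

The rule is "setup" and names both addresses and both ports, so it admits only the one SYN the FTP server is about to send; a rule that opened the alias port to any source, or any port from the server, would be the kind of hole an attacker could reuse. The expiry mirrors the usual natd link timeout, and a caller that hands the range to ipfw is expected to delete the rule when the hole expires.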