From owner-freebsd-net Sat Oct 21 11:32:08 2000
Delivered-To: freebsd-net@freebsd.org
Received: from pizza.monkeybrains.net (pizza.monkeybrains.net [209.21.40.4]) by hub.freebsd.org (Postfix) with ESMTP id 4B67337B479 for ; Sat, 21 Oct 2000 11:32:06 -0700 (PDT)
Received: from localhost (rudy@localhost) by pizza.monkeybrains.net (8.11.1/8.11.0) with ESMTP id e9LIU4Z94829; Sat, 21 Oct 2000 11:30:04 -0700 (PDT) (envelope-from rudy@monkeybrains.net)
Date: Sat, 21 Oct 2000 11:30:04 -0700 (PDT)
From: Rudy
To: Blaz Zupan
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Using punch_fw from natd
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You can reduce the number of open ports --- ftpd does not use 1024-65535. Here is the rule I use:

    allow tcp from any to any 49152-65535 keep-state in recv fxp0 setup

Users do not have shell accounts on that box, so I am not worried about leaving a bunch of high numbered ports open. (Is this a mistake?)

Rudy
---------------------------------------------------
Join my ISP: http://www.monkeybrains.net/
---------------------------------------------------

On Sat, 21 Oct 2000, Blaz Zupan wrote:

> I have two firewalls, protecting our two office networks. The firewalls are
> simply ipfw rules, without using NAT (and natd). The only remaining "big hole"
> I have is that I need to open TCP ports above 1024 for incoming active FTP
> requests. I'd like to close this remaining hole and noticed the punch_fw
> option to natd, which does what I want - the problem is that it is built into
> natd and works only on packets that are aliased by natd. But I don't want to
> do network address translation, I just need a daemon that will open incoming
> TCP ports for active FTP connections. Does anybody have a solution? Maybe a
> way to convince natd to do the port-punching without aliasing packets?
>
> Blaz Zupan, Medinet d.o.o, Linhartova 21, 2000 Maribor, Slovenia
> E-mail: blaz@amis.net, Tel: +386-2-320-6320, Fax: +386-2-320-6325

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
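As an added illustration (not code from this thread, natd, or ipfw), this is the check a port-punching helper in the spirit of natd's punch_fw has to make on each client PORT command before it opens an inbound hole, using the 49152-65535 range from Rudy's rule; the sample PORT lines, the 192.0.2.x addresses and the generated ipfw rule text are constructed assumptions.

```python
import re

# Range of client data ports Rudy's ipfw rule admits for inbound active-FTP
# connections (assumed here as the only range a helper should ever open).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2  (address octets, then port bytes)
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Parse a PORT command into (ip, port); return None if malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):        # each field is one byte
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def punch_decision(line, control_peer, low=EPHEMERAL_LOW, high=EPHEMERAL_HIGH):
    """Decide whether to open a hole for this PORT command.

    Returns (allowed, detail). The hole is only opened towards the host that
    owns the control connection and only for a port inside [low, high]; the
    detail on success is the one-off ipfw rule text (constructed example) a
    helper would install, far narrower than a standing 1024-65535 allow.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != control_peer:
        return False, "data address differs from control-connection peer"
    if not low <= port <= high:
        return False, f"port {port} outside {low}-{high}"
    return True, f"allow tcp from any 20 to {ip} {port} in setup"


if __name__ == "__main__":
    # Constructed sample: an inside client at 192.0.2.10 issuing PORT commands.
    for cmd in ("PORT 192,0,2,10,195,80", "PORT 192,0,2,10,0,80",
                "PORT 192,0,2,11,195,80", "PASV"):
        print(cmd, "->", punch_decision(cmd, "192.0.2.10"))
```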