Date: Fri, 31 Mar 2000 10:12:37 -0700 (MST)
From: Paul Hart <hart@iserver.com>
To: Alan Batie <batie@rdrop.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To: <20000329095845.54716@rdrop.com>
Message-ID: <Pine.BSF.4.21.0003311002120.3529-100000@anchovy.orem.iserver.com>

On Wed, 29 Mar 2000, Alan Batie wrote:

> To do active mode ftp properly, ipfw would need to parse the contents
> of the packets on the ftp control channel and dynamically allow the
> corresponding incoming connection.  There's no indication that this
> parsing capability is present.

I know we're talking about IPFW here, but hasn't IP Filter (also included
with FreeBSD) been supporting this very operation for quite a while now?  
Is there a reason why people would try to hack up IPFW to get it to do
something when IP Filter already does it?

The version of IP Filter bundled with FreeBSD has historically lagged the
latest releases, so check out:

    http://coombs.anu.edu.au/~avalon/

for the newest release.  I've been using IP Filter for some time and I've
found it to be an excellent piece of software.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
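
The control-channel parsing described in the quoted paragraph, as an added example that is not part of the original message and is not IP Filter's or IPFW's code. It reads RFC 959 `PORT` commands and derives the one-shot rule a stateful filter would open for the server's data connection; the function names, the sample addresses, and the assumption that the server connects from TCP port 20 are illustrative.

```python
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2 (four address octets, then port high/low bytes)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)

def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None if it is not a valid one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):      # every field is a single byte
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def pinhole_for(client_ip, server_ip, line):
    """Return a one-shot allow rule for the incoming data connection, or None."""
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    # Open a hole only back to the host that owns the control connection,
    # and never to a privileged port; anything else is left blocked.
    if ip != client_ip or port < 1024:
        return None
    # Assumption: the server originates active-mode data from TCP port 20.
    return {"proto": "tcp", "src": server_ip, "sport": 20, "dst": ip, "dport": port}

def track(client_ip, server_ip, control_lines):
    """Scan client-to-server control traffic and collect the rules to add."""
    rules = (pinhole_for(client_ip, server_ip, l) for l in control_lines)
    return [r for r in rules if r is not None]

# Constructed sample of client-to-server control-channel lines.
SAMPLE = [
    "USER anonymous\r\n",
    "PORT 10,0,0,5,19,137\r\n",   # 19*256 + 137 = 5001, matches the client
    "PORT 10,0,0,99,19,138\r\n",  # names a different host: no rule
    "PORT 10,0,0,5,0,25\r\n",     # privileged port: no rule
    "PORT 10,0,0,5,300,1\r\n",    # field out of byte range: no rule
]

if __name__ == "__main__":
    for rule in track("10.0.0.5", "192.0.2.10", SAMPLE):
        print(rule)
```

A real filter would also expire the rule after the first matching connection or a short timeout.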


