From owner-freebsd-security Thu Oct 11 6:25:55 2001
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: "Brock Kreiser"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewall
In-reply-to: Your message of "Thu, 11 Oct 2001 00:56:02 EDT." <001101c15211$09dc51c0$0500a8c0@brockspc>
Message-Id: <200110111324.f9BDOvl06544@cwsys.cwsent.com>
Date: Thu, 11 Oct 2001 06:24:06 -0700

In message <001101c15211$09dc51c0$0500a8c0@brockspc>, "Brock Kreiser" writes:
> Hey all,
>
> Let me start by saying I'm new to FreeBSD but I'm learning fast :) I'm
> running 4.4-STABLE (FreeBSD 4.4-STABLE #2: Tue Oct 9 09:44:05 EDT 2001)
> and want to know how to configure this box to be a firewall, with a way
> to have FTP routed to another machine running Win 2K on an internal
> network. Are there any good docs on this kind of setup? Any kind of help
> in the right direction would be greatly appreciated.

FreeBSD comes with two firewalls, IPFW and IP Filter. Take a look at the
ipf(1), ipnat(1), ipfw(8), and natd(8) man pages.

Having said all that, you will have to seriously open your firewall in
order to make FTP work properly through your firewall. Even if you
restrict your FTP clients to using PORT (active) FTP, people can still
use an FTP bounce to map or even gain access to other hosts and ports
behind the firewall through your FTP server. These are two of the reasons
I've been an advocate (on various mailing lists) of deprecating the FTP
protocol. If you absolutely have to use the FTP protocol, put the FTP
server on an external network or, if you cannot do that, on your DMZ. (I
haven't even begun to talk about the various FTP server software
vulnerabilities.)

If you still need to put an FTP server behind your firewall, you might be
able to perform NAT using IP Filter's FTP proxy on the internal interface
of your firewall. I haven't tried this, so I don't know whether it would
work. Search the IP Filter mailing list archives at false.net for more
info.

Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
Team Leader, Sun/Alpha Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
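As an added example (not part of this thread or of IP Filter), the check an FTP server or FTP-aware proxy applies to defeat the bounce described above: a PORT command whose address differs from the peer of the control connection, or whose port is privileged, is refused before any data connection is opened. The peer address and PORT commands below are constructed sample input.

```python
"""Screen FTP PORT commands for bounce-attack shape (added example)."""
import re

# PORT h1,h2,h3,h4,p1,p2 as defined by RFC 959 (octets and port bytes).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_arg(arg):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); None if any value is out of range."""
    nums = [int(p) for p in arg.split(",")]
    if len(nums) != 6 or any(n < 0 or n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_port_command(peer_ip, line):
    """Return (verdict, reason) for one control-channel line.

    verdict: 'accept' (open the data connection), 'reject', or 'ignore'
    (not a PORT command, nothing to screen).
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return "ignore", "not a PORT command"
    parsed = parse_port_arg(m.group(1))
    if parsed is None:
        return "reject", "malformed PORT argument"
    ip, port = parsed
    if ip != peer_ip:  # the bounce: asking the server to connect to a third host
        return "reject", f"PORT target {ip} differs from control peer {peer_ip}"
    if port < 1024:    # same host, but aimed at a service port rather than a data port
        return "reject", f"PORT to privileged port {port}"
    return "accept", f"data connection to {ip}:{port}"


# Constructed sample: (peer of the control connection, command it sent).
SAMPLE = [
    ("203.0.113.5", "PORT 203,0,113,5,4,1"),     # legitimate: same host, port 1025
    ("203.0.113.5", "PORT 10,1,2,20,0,25"),      # bounce shape: internal host, port 25
    ("203.0.113.5", "PORT 203,0,113,5,0,80"),    # same host, but privileged port 80
    ("203.0.113.5", "PORT 203,0,113,999,4,1"),   # octet out of range
    ("203.0.113.5", "RETR file.txt"),            # not a PORT command
]


def audit(sample=SAMPLE):
    """Screen every sample line; returns [(line, verdict, reason), ...]."""
    return [(line, *check_port_command(peer, line)) for peer, line in sample]


if __name__ == "__main__":
    for line, verdict, reason in audit():
        print(f"{verdict:7s} {line!r}: {reason}")
```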