Date: Sat, 17 Nov 2001 12:23:40 +1100
From: "Chris Knight" <chris@aims.com.au>
To: <cjclark@alum.mit.edu>
Cc: <freebsd-ipfw@FreeBSD.ORG>
Subject: RE: Stateful Rules and FTP
Message-ID: <00fb01c16f06$7e1c10e0$020aa8c0@aims.private>
In-Reply-To: <20011116171015.G50971@blossom.cjclark.org>
Howdy,

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Saturday, 17 November 2001 12:10
> To: Chris Knight
> Cc: 'Konstantin'; freebsd-ipfw@FreeBSD.ORG
> Subject: Re: Stateful Rules and FTP
>
>
> On Sat, Nov 17, 2001 at 12:02:59PM +1100, Chris Knight wrote:
> > I realised that it was active FTP. I can see with the above
> > rules that a bounce attack could occur against any of the DMZ
> > machines, but I can't think of other security issues, unless
> > I stuff up the config of the internal FTP server.
>
> You can also bounce attack anything inside the firewall.
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
>

I'd thought of that, and have a set of rules on the FTP server to only
allow ftp data connections out to the DMZ subnet. The FTP server has
no need to service any other FTP clients other than the DMZ subnet.
Am I missing anything else, or does that just about cover it?

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.aims.com.au

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00fb01c16f06$7e1c10e0$020aa8c0>
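
The restriction described in the message above, expressed as a check on the FTP `PORT` argument rather than as firewall rules. This is an added example, not code from the thread or its authors. The subnet `192.0.2.0/24`, the sample addresses and the function names are assumptions, and the peer and privileged-port checks go beyond the subnet rule the message describes.

```python
import ipaddress

# Assumed DMZ subnet (documentation range); the thread does not give addresses.
DMZ_SUBNET = ipaddress.ip_network("192.0.2.0/24")


def parse_port_arg(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command (RFC 959)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PORT argument: %r" % arg)
    host = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port


def data_connection_allowed(port_arg, control_peer, allowed_net=DMZ_SUBNET):
    """Decide whether the server may open an active-mode data connection.

    Returns (allowed, reason). A bounce attempt shows up as a PORT target
    that differs from the client on the control connection.
    """
    try:
        host, port = parse_port_arg(port_arg)
    except ValueError as exc:
        return False, str(exc)
    # The rule from the message: data connections only go to the DMZ subnet.
    if host not in allowed_net:
        return False, "target %s is outside %s" % (host, allowed_net)
    # Extra check: a DMZ client must not point the server at another DMZ host.
    if host != ipaddress.ip_address(control_peer):
        return False, "target %s is not the control-connection peer" % host
    # Extra check: refuse well-known service ports as data-connection targets.
    if port < 1024:
        return False, "target port %d is privileged" % port
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: (PORT argument, control-connection peer).
    for arg, peer in [("192,0,2,10,195,80", "192.0.2.10"),
                      ("10,0,0,5,0,22", "192.0.2.10"),
                      ("192,0,2,20,195,80", "192.0.2.10")]:
        print(arg, peer, data_connection_allowed(arg, peer))
```

The third sample is the case a subnet-only rule lets through: the target is inside the DMZ but is not the client that issued the command.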
