Date:      Tue, 9 Apr 2002 12:59:24 -0700
From:      Scott Lampert <scott@lampert.org>
To:        freebsd-security@FreeBSD.org
Cc:        freebsd-net@FreeBSD.org
Subject:   IPFW bridges and, woe is me, ftp
Message-ID:  <20020409125924.365286ca.scott@lampert.org>


(If this shouldn't be on -net please accept my apologies.  It seemed all the
networking gurus are there and this sort of overlaps onto that subject.)

I have a 4.5 release box that is acting as a bridging firewall with ipfw
for an internet connected network and I'm having some issues with ftp
(as usual).  This network is NOT nat routed; the network has a real IP
block.  Using keep-state and tcp established rules the best I can come
up with is to allow active ftp in and passive ftp out with the following
three rules:

add check-state
add pass tcp from any to any established
add pass tcp from any to ${ftphost} 21 in via ${OIF} setup keep-state

All internal hosts can initiate connections to outside hosts at will.

This sort of leaves anyone who needs to ftp into this network from behind
their own firewall with a passive connection totally out of luck.  The
only functional solution to handle incoming passive connections seems to
be to open up a range of ports which I'd prefer not to do for obvious
reasons.

I'd love to ditch ipfw and use ipfilter but that is not supported for
bridging with FreeBSD unfortunately.  OpenBSD is not an option on this
box either as it has an old mylex raid controller that is unsupported by
that OS.

A quick scan of the archives seems to only address the issue with nat
firewalls using natd and divert sockets.  On that note, I had a quick
look through the natd man page to see if I could set it up to just look
at ftp connections and not actually do any network translations.
Basically I just want it for its punchfw functionality and just for ftp
connections.  Is this even possible?  I'm going to experiment with this
today and I was hoping that someone might be able to give me a little
guidance to save me some time and possibly fruitless efforts.

If there are alternative and/or better ways of doing this I'd love to
hear from someone.  I know Crist J. Clark had an unofficial and
unsupported patch to make ipfilter work with bridging on 4.x, but I'd
prefer not to become dependent on something that won't be official until
5.0 comes out if I can avoid it.

Thanks!
	-Scott

-- 
Scott Lampert
<scott@lampert.org>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, 1759

Public Key: http://www.lampert.org/lampert.key

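Added example (not part of Scott's message, and not FreeBSD's ipfw code): a small Python model of the three rules quoted above, plus the unshown "internal hosts may initiate outbound" rule the message mentions, run against constructed sample traffic. It shows why inbound active FTP passes while the inbound passive data connection is dropped: the passive data SYN arrives on a random high port of ${ftphost}, matches no dynamic rule, is not "established", and is not port 21. Addresses, interface name and port numbers are constructed placeholders.

```python
"""Toy ipfw model for the bridge rule set in the message. Simplifications:
'established' matches any segment with ACK or RST set, 'setup' matches a
bare SYN, and 'keep-state' records the address/port pair so check-state
passes later packets of that flow in either direction. Constructed example."""

FTPHOST = "192.0.2.10"     # stands in for ${ftphost} (TEST-NET-1 address)
CLIENT = "198.51.100.7"    # external FTP client, constructed
OIF = "fxp0"               # stands in for ${OIF}, assumed outside interface

def evaluate(packets):
    """Run packets through the rules in order; return list of (desc, verdict)."""
    state = set()          # dynamic rules created by keep-state
    verdicts = []
    for desc, src, sport, dst, dport, flags, direction in packets:
        key = frozenset({(src, sport), (dst, dport)})   # direction-agnostic
        syn_only = flags == {"SYN"}
        ack_or_rst = bool(flags & {"ACK", "RST"})
        # add check-state: a known flow passes regardless of direction
        if key in state:
            verdicts.append((desc, "pass (check-state)"))
        # add pass tcp from any to any established
        elif ack_or_rst:
            verdicts.append((desc, "pass (established)"))
        # add pass tcp from any to ${ftphost} 21 in via ${OIF} setup keep-state
        elif syn_only and dst == FTPHOST and dport == 21 and direction == "in":
            state.add(key)
            verdicts.append((desc, "pass (setup keep-state to port 21)"))
        # rule not shown in the message, assumed from "internal hosts can
        # initiate connections to outside hosts at will"
        elif syn_only and src == FTPHOST and direction == "out":
            state.add(key)
            verdicts.append((desc, "pass (internal setup keep-state)"))
        else:
            verdicts.append((desc, "DENY (no rule matches this SYN)"))
    return verdicts

# Constructed sample traffic: one external client, control + data connections.
PACKETS = [
    ("control",            CLIENT,  40000, FTPHOST, 21,    {"SYN"},        "in"),
    ("active-data",        FTPHOST, 20,    CLIENT,  40001, {"SYN"},        "out"),
    ("active-data-synack", CLIENT,  40001, FTPHOST, 20,    {"SYN", "ACK"}, "in"),
    ("passive-data",       CLIENT,  40002, FTPHOST, 50123, {"SYN"},        "in"),
]

def ftp_verdicts():
    """Verdict per sample packet; passive-data is the one the rules reject."""
    return dict(evaluate(PACKETS))

if __name__ == "__main__":
    for desc, verdict in ftp_verdicts().items():
        print(f"{desc:20s} {verdict}")
```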

