From: Scott Lampert
To: freebsd-security@FreeBSD.org
Cc: freebsd-net@FreeBSD.org
Date: Tue, 9 Apr 2002 12:59:24 -0700
Subject: IPFW bridges and, woe is me, ftp
Message-Id: <20020409125924.365286ca.scott@lampert.org>

(If this shouldn't be on -net please accept my apologies. It seemed all the networking gurus are there and this sort of overlaps onto that subject.)

I have a 4.5 release box that is acting as a bridging firewall with ipfw for an internet connected network and I'm having some issues with ftp (as usual). This network is NOT nat routed; the network has a real IP block. Using keep-state and tcp established rules the best I can come up with is to allow active ftp in and passive ftp out with the following three rules:

    add check-state
    add pass tcp from any to any established
    add pass tcp from any to ${ftphost} 21 in via ${OIF} setup keep-state

All internal hosts can initiate connections to outside hosts at will.

This sort of leaves anyone who needs to ftp into this network from behind their own firewall with a passive connection totally out of luck. The only functional solution to handle incoming passive connections seems to be to open up a range of ports which I'd prefer not to do for obvious reasons.

I'd love to ditch ipfw and use ipfilter but that is not supported for bridging with FreeBSD unfortunately. OpenBSD is not an option on this box either as it has an old mylex raid controller that is unsupported by that OS.

A quick scan of the archives seems to only address the issue with nat firewalls using natd and divert sockets. On that note, I had a quick look through the natd man page to see if I could set it up to just look at ftp connections and not actually do any network translations. Basically I just want it for its punchfw functionality and just for ftp connections. Is this even possible? I'm going to experiment with this today and I was hoping that someone might be able to give me a little guidance to save me some time and possibly fruitless efforts.

If there are alternative and/or better ways of doing this I'd love to hear from someone. I know Crist J. Clark had an unofficial and unsupported patch to make ipfilter work with bridging on 4.x, but I'd prefer not to become dependent on something that won't be official until 5.0 comes out if I can avoid it.

Thanks!

-Scott

--
Scott Lampert
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, 1759
Public Key: http://www.lampert.org/lampert.key
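An added example, not part of Scott's message, that models the three-rule ipfw ruleset from the post in Python and walks an outside client's passive FTP session through it. The server address 192.0.2.10 (standing in for ${ftphost}), the client address, the port numbers and the 227 reply are constructed values. It shows why the passive data connection dies: the data port is announced only inside the control-channel payload, which a plain packet filter never parses, so the client's second SYN falls through to the default deny.

```python
import re
from dataclasses import dataclass

FTPHOST = "192.0.2.10"   # stands in for ${ftphost} (constructed address)

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S" (SYN only), "SA", "A"
    direction: str   # "in" or "out" relative to the outside interface ${OIF}

def evaluate(pkt, state):
    """Apply the post's three rules in order; ipfw's default policy is deny.
    'state' holds flows recorded by keep-state, keyed on both endpoints."""
    key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    if key in state:                          # add check-state
        return "pass"
    if "A" in pkt.flags or "R" in pkt.flags:  # established: ACK or RST set
        return "pass"
    if (pkt.flags == "S" and pkt.direction == "in"       # setup keep-state,
            and pkt.dst == FTPHOST and pkt.dport == 21):  # in via ${OIF}
        state.add(key)
        return "pass"
    return "deny"

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_endpoint(reply):
    """Decode the data-channel endpoint announced in an FTP 227 reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def passive_ftp_from_outside(client="198.51.100.5"):
    """Walk an outside client's passive session through the bridge ruleset."""
    state, verdicts = set(), {}
    # 1. control channel: SYN to port 21 matches the setup rule and is recorded
    verdicts["control_syn"] = evaluate(Pkt(client, 40001, FTPHOST, 21, "S", "in"), state)
    # 2. the server's 227 reply is payload inside that control connection; the
    #    firewall never sees the announced port unless it parses the stream
    host, port = pasv_endpoint("227 Entering Passive Mode (192,0,2,10,195,80)")
    # 3. client opens the data channel: no dynamic state, SYN only, not port 21,
    #    so it falls through to the default deny
    verdicts["data_syn"] = evaluate(Pkt(client, 40002, host, port, "S", "in"), state)
    return verdicts
```

Opening the data port range statically, as the post considers, would make step 3 pass for every host; a control-channel-aware helper such as natd's punchfw instead derives that single port from the 227 reply and admits only the matching flow.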