From owner-freebsd-security Sat Apr 1 16:12: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (ipl-229-039.npt-sdsl.stargate.net [208.223.229.39])
	by hub.freebsd.org (Postfix) with ESMTP id 489A337BD0A
	for ; Sat, 1 Apr 2000 16:11:59 -0800 (PST)
	(envelope-from durham@w2xo.pgh.pa.us)
Received: from w2xo.pgh.pa.us (shazam.w2xo.pgh.pa.us [192.168.5.3])
	by w2xo.pgh.pa.us (8.9.3/8.9.3) with ESMTP id AAA98296;
	Sun, 2 Apr 2000 00:11:54 GMT
	(envelope-from durham@w2xo.pgh.pa.us)
Message-ID: <38E69050.362142E3@w2xo.pgh.pa.us>
Date: Sat, 01 Apr 2000 19:12:00 -0500
From: Jim Durham
Organization: dis-
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roger Marquis wrote:
>
> > Passive mode makes things like building ports difficult.
>
> Try adding this to /etc/make.conf:
>
> FTP_PASSIVE_MODE=YES
> FETCH_BEFORE_ARGS=-p
>
> --
>

This is a good tip. Thanks. I will probably do this, but I was just
hoping that someone had a rule set that would be relatively secure
(I realize there is no absolute here). About all I've been able to
accomplish is to put the rule late in the rule set so that a lot of
things are disallowed beforehand.

Jim Durham