From owner-freebsd-hackers Tue Jan 8 17:15:11 2002
Message-Id: <200201090111.g091BBn49734@jhs.muc.de>
To: Terry Lambert
Cc: hackers@freebsd.org
Subject: Re: Which ftpd for proxy ?
In-Reply-To: Message from Terry Lambert of "Tue, 08 Jan 2002 19:59:17 +0100." <3C3B4185.517C8BC7@mindspring.com>
Date: Wed, 09 Jan 2002 02:11:11 +0100
From: Julian Stacey

Terry Lambert wrote:
> Julian Stacey wrote:
> > Hi all,
> > Any recommendations what to install (or avoid) on my firewall,
> > from 4.4 /usr/ports/ftp/ to be a proxy ftpd server ?
>
> man libalias
>
> Then install natd.

I don't believe that's the solution I'm looking for. I may be wrong,
or things may have changed, but when I built my firewall a few years
back I was under the strong impression that NAT was a poor man's
cheap & dirty insecure replacement for a proper firewall ?

I don't want to secure all my internal hosts, I just want the gate to
be secure. I went to the effort of doing the thing right, building all
the ipfw rules, getting internal & external named roughly right,
getting sendmails on gate & internals to forward (OK, incoming is OK,
but I admit outgoing is not yet right), getting apache reconfig'd to
support proxying (it didn't use to, might now by default, can't
remember), ftp proxy is about the last thing. I'm not convinced it'd
be worth tossing all that work & putting in a NATD security loophole ?
I suppose folks on security@freebsd.org might know more about
ipfw + proxies V. NAT, but I wasn't really asking to discuss that,
I was asking for recommendations on proxying ftpd's.

Julian
J.Stacey  Munich Unix (FreeBSD, Linux etc) Independent Consultant
Reduce costs to secure jobs: Use free software: http://bim.bsn.com/~jhs/free/
Your smoking = my allergic headache ! Try snuff !