From: Brian Somers
To: Eivind Eklund
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: Best way to do FTP with NAT and firewall?
In-reply-to: Your message of "Mon, 20 Sep 1999 16:27:42 +0200." <19990920162742.A12619@bitbox.follo.net>
Message-Id: <199909210629.HAA00563@keep.lan.Awfulhak.org>
Date: Tue, 21 Sep 1999 07:29:40 +0100
Sender: owner-freebsd-security@FreeBSD.ORG

> On Fri, Sep 17, 1999 at 09:16:11AM -0600, Brett Glass wrote:
> > I've just set up a firewall for a client using ipfw and natd. Trouble is, his software seems to be particularly insistent on doing active, rather than passive, FTP. This poses a problem, of course, because a remote system can't open just data sockets to one behind the firewall due to NAT.
> >
> > I've worked with plenty of commercial firewalls that monitor FTP control connections and spoof the port number for the data sockets. SLiRP does it; so, apparently, does the pppd that comes with FreeBSD. But I can't find any documented way to do it with ipfw and natd.
> >
> > Are there undocumented commands to accomplish this?
>
> Using the hooks I added to libalias to accomplish this. That would,
> however, require some small mods to the natd code (about 20-50 lines,
> I guess).
[.....]

Something like src/lib/libalias/alias_ftp.c? Am I missing something?

> Eivind.

--
Brian

Don't _EVER_ lose your sense of humour !
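
The control-connection rewriting discussed in this thread, as an added example (not code from libalias, natd, or any poster): a strict parser for the active-mode `PORT` command and a rewrite that substitutes the NAT's public address and port. The function names, the sample addresses, and the policy of refusing third-host and low-port requests are assumptions made for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Parse "PORT h1,h2,h3,h4,p1,p2\r\n" (RFC 959). Returns 0, or -1 if malformed. */
int parse_port_cmd(const char *line, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    for (int i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != "PORT"[i])
            return -1;
    if (line[4] != ' ')
        return -1;
    const char *p = line + 5;
    for (int i = 0; i < 6; i++) {
        unsigned n = 0;
        int digits = 0;
        for (; isdigit((unsigned char)*p) && digits < 3; digits++)
            n = n * 10 + (unsigned)(*p++ - '0');
        if (digits == 0 || n > 255 || (i < 5 && *p++ != ','))
            return -1;
        v[i] = n;
    }
    if (p[0] != '\r' || p[1] != '\n' || p[2] != '\0')
        return -1;
    *addr = v[0] << 24 | v[1] << 16 | v[2] << 8 | v[3];
    *port = (uint16_t)(v[4] << 8 | v[5]);
    return 0;
}

/* Rewrite the command to advertise alias_addr:alias_port. Returns the new
 * length (the caller must then fix up TCP sequence numbers), or -1 to refuse. */
int rewrite_port_cmd(const char *line, uint32_t client_addr, uint32_t alias_addr,
                     uint16_t alias_port, char *out, size_t outlen)
{
    uint32_t a;
    uint16_t p;
    if (parse_port_cmd(line, &a, &p) != 0)
        return -1;
    if (a != client_addr || p < 1024)   /* assumed policy: no third-host or low ports */
        return -1;
    int n = snprintf(out, outlen, "PORT %u,%u,%u,%u,%u,%u\r\n",
                     (unsigned)(alias_addr >> 24), (unsigned)(alias_addr >> 16 & 255),
                     (unsigned)(alias_addr >> 8 & 255), (unsigned)(alias_addr & 255),
                     (unsigned)(alias_port >> 8), (unsigned)(alias_port & 255));
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```

The NAT must also install a mapping from the advertised public port back to the client's original address and port before forwarding the rewritten command, otherwise the server's data connection has nowhere to go.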