Date:      Tue, 21 Sep 1999 12:28:05 +0200
From:      Eivind Eklund <eivind@FreeBSD.ORG>
To:        Brian Somers <brian@Awfulhak.org>
Cc:        Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject:   Re: Best way to do FTP with NAT and firewall?
Message-ID:  <19990921122805.H12619@bitbox.follo.net>
In-Reply-To: <199909210629.HAA00563@keep.lan.Awfulhak.org>; from Brian Somers on Tue, Sep 21, 1999 at 07:29:40AM +0100
References:  <19990920162742.A12619@bitbox.follo.net> <199909210629.HAA00563@keep.lan.Awfulhak.org>

On Tue, Sep 21, 1999 at 07:29:40AM +0100, Brian Somers wrote:
> > On Fri, Sep 17, 1999 at 09:16:11AM -0600, Brett Glass wrote:
> > > I've just set up a firewall for a client using ipfw and natd. Trouble is, his software seems to be particularly insistent on doing active, rather than passive, FTP. This poses a problem, of course, because a remote system can't open just data sockets to one behind the firewall due to NAT.
> > > 
> > > I've worked with plenty of commercial firewalls that monitor FTP control connections and spoof the port number for the data sockets. SLiRP does it; so, apparently, does the pppd that comes with FreeBSD. But I can't find any documented way to do it with ipfw and natd.
> > > 
> > > Are there undocumented commands to accomplish this?
> > 
> > Using the hooks I added to libalias to accomplish this.  That would,
> > however, require some small mods to the natd code (about 20-50 lines,
> > I guess).
> [.....]
> 
> Something like src/lib/libalias/alias_ftp.c?  Am I missing
> something?

I'm assuming he doesn't want to open his firewall in its entirety.
The only way to avoid that is by only opening for those connections.
The only way to do that is to hook into the NAT code.  I have done
that, and committed the code to FreeBSD, but none of the public
FreeBSD tools has seen fit to use the hooks :-(

Eivind.
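As an added illustration (not code from this thread, nor from libalias or natd) of what hooking the control channel amounts to: a hypothetical helper that parses the inside client's PORT command, rewrites it with the gateway's public address, and records a pinhole that admits only the one expected data connection from the one expected server, instead of opening the firewall wholesale. It also refuses a PORT naming any host other than the client itself, so the NAT box never opens a hole towards a third party. Addresses, the port pool and all names are assumptions.

```python
import re

# Matches "PORT h1,h2,h3,h4,p1,p2" as sent by an active-mode FTP client.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(line):
    """Return (ip, port) from a PORT command line, or None if it is not a well-formed PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Encode (ip, port) back into the PORT wire format, CRLF-terminated."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class FtpNatHelper:
    """Hypothetical control-channel helper (assumption): rewrites PORT, records a one-shot pinhole."""

    def __init__(self, public_ip, first_port=50000, last_port=50999):
        self.public_ip = public_ip
        self.next_port, self.last_port = first_port, last_port
        self.pinholes = {}  # public data port -> (server_ip, client_ip, client_port)

    def rewrite_control_line(self, client_ip, server_ip, line):
        """Inspect one line the inside client sent to server_ip.

        Returns (line_to_forward, public_port) when a pinhole was opened,
        (line, None) for non-PORT lines, and (None, None) when the command must be dropped.
        """
        parsed = parse_port(line)
        if parsed is None:
            return line, None            # not a PORT command: forward untouched
        ip, port = parsed
        if ip != client_ip or port < 1024:
            return None, None            # names another host or a privileged port: drop
        if self.next_port > self.last_port:
            return None, None            # pool exhausted: fail closed rather than reuse
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.pinholes[pub_port] = (server_ip, client_ip, port)
        return format_port(self.public_ip, pub_port), pub_port

    def inbound_data_target(self, src_ip, dst_port):
        """Translate an inbound SYN to public dst_port; only the expected server may use it, once."""
        entry = self.pinholes.get(dst_port)
        if entry is None or entry[0] != src_ip:
            return None
        del self.pinholes[dst_port]      # one-shot: the hole closes once the data connection arrives
        return entry[1], entry[2]
```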

