From owner-freebsd-security Tue Sep 21 3:28:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 2735B14C3A for ; Tue, 21 Sep 1999 03:28:06 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.3/8.9.3) with ESMTP id MAA25430; Tue, 21 Sep 1999 12:28:05 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id MAA46089; Tue, 21 Sep 1999 12:28:05 +0200 (MET DST)
Date: Tue, 21 Sep 1999 12:28:05 +0200
From: Eivind Eklund
To: Brian Somers
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: Best way to do FTP with NAT and firewall?
Message-ID: <19990921122805.H12619@bitbox.follo.net>
References: <19990920162742.A12619@bitbox.follo.net> <199909210629.HAA00563@keep.lan.Awfulhak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <199909210629.HAA00563@keep.lan.Awfulhak.org>; from Brian Somers on Tue, Sep 21, 1999 at 07:29:40AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Sep 21, 1999 at 07:29:40AM +0100, Brian Somers wrote:
> > On Fri, Sep 17, 1999 at 09:16:11AM -0600, Brett Glass wrote:
> > > I've just set up a firewall for a client using ipfw and natd. Trouble is, his software seems to be particularly insistent on doing active, rather than passive, FTP. This poses a problem, of course, because a remote system can't open just data sockets to one behind the firewall due to NAT.
> > >
> > > I've worked with plenty of commercial firewalls that monitor FTP control connections and spoof the port number for the data sockets. SLiRP does it; so, apparently, does the pppd that comes with FreeBSD. But I can't find any documented way to do it with ipfw and natd.
> > >
> > > Are there undocumented commands to accomplish this?
> >
> > Using the hooks I added to libalias to accomplish this. That would,
> > however, require some small mods to the natd code (about 20-50 lines,
> > I guess).
> [.....]
>
> Something like src/lib/libalias/alias_ftp.c ? Am I missing
> something ?

I'm assuming he doesn't want to open his firewall in its entirety. The only way to avoid that is by only opening for those connections. The only way to do that is to hook into the NAT code. I have done that, and committed the code to FreeBSD, but none of the public FreeBSD tools has seen fit to use the hooks :-(

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
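The mechanism the thread is circling around (a NAT helper that watches the FTP control connection, parses the client's PORT command, opens a pinhole only for that one data connection and rewrites the PORT line with the gateway's own address) can be shown in a few functions. This is an added, simplified illustration, not code from libalias, alias_ftp.c or natd; the names parse_port_cmd, data_pinhole_allowed, format_port_cmd and the control_peer parameter are assumptions, and the 1023 privileged-port boundary is the usual convention rather than anything the thread specifies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed form of an FTP "PORT h1,h2,h3,h4,p1,p2" command (RFC 959). */
struct ftp_port {
    uint32_t addr;  /* IPv4 address, host byte order */
    uint16_t port;  /* TCP port, host byte order */
};

/* Parse one PORT line. Returns 1 on success, 0 if malformed: exactly six
   decimal fields in 0..255, followed by nothing but an optional CR/LF. */
int parse_port_cmd(const char *line, struct ftp_port *out)
{
    unsigned v[6];
    int n = 0;
    if (strncmp(line, "PORT ", 5) != 0)
        return 0;
    if (sscanf(line + 5, "%u,%u,%u,%u,%u,%u%n",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &n) != 6)
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    const char *rest = line + 5 + n;
    if (*rest != '\0' && strcmp(rest, "\r\n") != 0 && strcmp(rest, "\n") != 0)
        return 0;
    out->addr = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 1;
}

/* Should the gateway open a data pinhole for this PORT? Only if the client
   advertises its own address (the control connection's peer), so it cannot
   make the gateway open a port towards some other host, and the port is
   unprivileged (assumed boundary: > 1023). */
int data_pinhole_allowed(const struct ftp_port *p, uint32_t control_peer)
{
    return p->addr == control_peer && p->port > 1023;
}

/* Build the rewritten PORT line sent onward to the server, advertising the
   gateway's public address and the port it allocated for the pinhole. */
int format_port_cmd(uint32_t addr, uint16_t port, char *buf, size_t len)
{
    int r = snprintf(buf, len, "PORT %u,%u,%u,%u,%u,%u\r\n",
                     (unsigned)(addr >> 24), (unsigned)((addr >> 16) & 255u),
                     (unsigned)((addr >> 8) & 255u), (unsigned)(addr & 255u),
                     (unsigned)(port >> 8), (unsigned)(port & 255u));
    return r > 0 && (size_t)r < len;
}
```

Rejecting a PORT whose address is not the control connection's peer is the check that keeps a "only open for those connections" helper from being turned into a general port opener.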