Date: Sat, 15 Jun 2002 17:44:26 -0700 (PDT) From: "Nielsen" <nielsen@memberwebs.com> To: "John Newlin" <jnewlin@tsoft.com>, <freebsd-questions@freebsd.org> Subject: Re: natd, ipfw, ipsec, upd and ftp questions Message-ID: <20020616004426.262DB37B420@hub.freebsd.org> References: <200206151938.MAA26712@shell.tsoft.com>
You have to proxy your ftp connections. I know ipnat (the NAT that comes with ipf) does this. I'm not sure about natd.... Actually after looking at it, the option 'punch_fw' in natd seems to do just that. Take a look.

> ftp does not work from the internal net, except in passive mode. What is the magic
> required to make ftp work?

As long as you are connecting to others and not vice versa then keep-state rules will do the trick even for UDP. No open ports needed.

> I play games that open up UDP connections. I want to open up the minimum number
> of UDP sockets. Is the proper thing to do to allow incoming UDP on the
> portrange specified in:

I've always assumed this was safe. At least for ESP and AH. ESP is processed by the kernel, and won't be processed unless it matches a proper SAD entry. Someone correct me if I'm wrong here, but spurious or malicious ESP packets won't (or shouldn't, provided there are no bugs) pose a security problem.

> I have an IPSec client on my internal Windows machine that I use to connect
> to my office. I added the following ruleset:
>
> ipfw add allow esp from any to any
> ipfw add allow gre from any to any
> ipfw add allow ah from any to any
>
> Is this safe, or is there a way to tighten that up?

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
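A tightened version of the ruleset discussed in this message, added here as an example and not part of the original thread: natd for the internal net, keep-state rules that admit UDP and FTP replies without opening inbound port ranges, and ESP/AH/GRE restricted to the office gateway rather than "from any to any". It assumes fxp0 and xl0 as the external and internal interfaces, 192.168.1.0/24 inside and 203.0.113.10 as the office IPsec gateway (all placeholders), and it prints the rules for ipfw to load rather than running ipfw itself.

```shell
#!/bin/sh
# Added example, not from the original thread: a tightened ipfw ruleset for
# the setup discussed above (natd for the internal net, keep-state for
# outbound TCP/UDP, and ESP/AH/GRE limited to the office gateway instead of
# "from any to any"). Interface names and addresses are assumed placeholders.
EXT_IF=fxp0               # external interface (assumed)
INT_IF=xl0                # internal interface (assumed)
INT_NET=192.168.1.0/24    # internal network (assumed)
OFFICE_GW=203.0.113.10    # office IPsec gateway (assumed, documentation address)

rule() { printf 'add %s\n' "$*"; }

# emit_rules prints the ruleset instead of running ipfw, so it can be
# reviewed first:  sh rules.sh > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules
emit_rules() {
    printf 'flush\n'
    rule 10 allow ip from any to any via lo0
    rule 20 allow ip from any to any via "$INT_IF"
    # Un-NAT inbound packets before the state check so dynamic rules, which
    # were created with internal addresses, match the replies. Run natd with
    # -punch_fw so active FTP data connections get temporary rules.
    rule 100 divert natd ip from any to any in via "$EXT_IF"
    rule 200 check-state
    # Outbound from inside: keep-state creates a dynamic rule whose action
    # (skipto 1000) also admits the replies, UDP included, so no inbound
    # port range has to be opened for games or passive FTP.
    rule 300 skipto 1000 tcp from "$INT_NET" to any out via "$EXT_IF" setup keep-state
    rule 310 skipto 1000 udp from "$INT_NET" to any out via "$EXT_IF" keep-state
    rule 320 skipto 1000 tcp from me to any out via "$EXT_IF" setup keep-state
    rule 330 skipto 1000 udp from me to any out via "$EXT_IF" keep-state
    # IPsec only between the internal Windows client and the office gateway;
    # IKE (UDP 500) is already covered by the stateful UDP rule above.
    for proto in esp ah gre; do
        rule 400 skipto 1000 $proto from any to "$OFFICE_GW" out via "$EXT_IF"
        rule 410 allow $proto from "$OFFICE_GW" to any in via "$EXT_IF"
    done
    # Anything else is dropped; rules from 1000 on are only reachable via
    # skipto, i.e. after a rule above has approved the packet.
    rule 999 deny log ip from any to any
    rule 1000 divert natd ip from any to any out via "$EXT_IF"
    rule 1010 allow ip from any to any
}

emit_rules
```

Because the outbound NAT divert sits behind the skipto target, an outbound packet is translated only after a state rule has accepted it, and the inbound divert runs before check-state so replies are matched on their untranslated internal addresses.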