From owner-freebsd-questions Sat Jun 15 17:44:32 2002
Delivered-To: freebsd-questions@freebsd.org
From: "Nielsen"
To: "John Newlin"
References: <200206151938.MAA26712@shell.tsoft.com>
Subject: Re: natd, ipfw, ipsec, upd and ftp questions
Message-Id: <20020616004426.262DB37B420@hub.freebsd.org>
Date: Sat, 15 Jun 2002 17:44:26 -0700 (PDT)
Sender: owner-freebsd-questions@FreeBSD.ORG

You have to proxy your ftp connections. I know ipnat (the NAT that comes with ipf) does this. I'm not sure about natd... Actually, after looking at it, the option 'punch_fw' in natd seems to do just that. Take a look.

> ftp does not work from the internal net, except in passive mode. What is the magic
> required to make ftp work?

As long as you are connecting to others and not vice versa, then keep-state rules will do the trick even for UDP. No open ports needed.

> I play games that open up UDP connections. I want to open up the minimum number
> of UDP sockets. Is the proper thing to do to allow incoming UDP on the
> portrange specified in:

I've always assumed this was safe. At least for ESP and AH. ESP is processed by the kernel, and won't be processed unless it matches a proper SAD entry. Someone correct me if I'm wrong here, but spurious or malicious ESP packets won't (or shouldn't, provided there are no bugs) pose a security problem.

> I have an IPSec client on my internal Windows machine that I use to connect
> to my office. I added the following ruleset:
>
> ipfw add allow esp from any to any
> ipfw add allow gre from any to any
> ipfw add allow ah from any to any
>
> Is this safe, or is there a way to tighten that up?

Nate