Date: Fri, 22 Feb 2002 09:46:38 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Sandro Mancuso <sandro.m@videotron.ca>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall stuff
Message-ID: <20020222094638.C48401@blossom.cjclark.org>
In-Reply-To: <000501c1bbbe$008151e0$6400a8c0@windows>; from sandro.m@videotron.ca on Fri, Feb 22, 2002 at 11:28:46AM -0500
References: <000501c1bbbe$008151e0$6400a8c0@windows>
On Fri, Feb 22, 2002 at 11:28:46AM -0500, Sandro Mancuso wrote:
> Hi guys, stupid question I think, as it relates to a Windows feature put
> to use in FreeBSD, but I beg you not to bite my head off for this ;-)
>
> Once upon a time, I was using pcconseal firewall (it's too bad it's not
> around like it used to be, it was a pretty good Windows firewall
> program). What I remember about it was that it used to "know" what
> programs were opening the ports in question.

Please note that a firewall could only possibly know what programs are
opening a port when the port is being opened by a program running on the
firewall. As for packets the firewall is forwarding for other hosts, there
is absolutely no way to know anything about the application generating
the packets except...

> Now I'm setting up a
> firewall on a gateway for my LAN. This sort of characteristic would be
> a great help, imho (of course I have more limited knowledge in UNIX),
> for properly allowing passive ftp transfers through. I'm messing with
> IPFilter at the moment, I'm wondering if there's a way, in FreeBSD for
> it (or any other firewalls?) to know what service is opening a port, so
> that it may be opened only for a particular service.

By looking at port numbers. For example, the ftp service is assigned
port 21/tcp for control connections. However, ftp requires connections
on other ports...

> Or is that
> something that should be defined within the ftpd itself (I'm not talking
> about setting a specific portrange for passive transfers... a little
> more than just that... making sure that only ftpd can use say ports
> 15000-19000 outbound)

And there things get sticky with ftp. Because it is pure evil and uses
other TCP connections, the only sure-fire way to get things to work is
to proxy the connections. That is, the firewall has to actually read and
understand data in the control stream to open up the correct ports.
Luckily, ipf(8) has an ftp proxy built into ipnat(8).

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
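To make concrete what "read and understand data in the control stream" means for an FTP proxy like the one in ipnat(8), here is an added example (not part of this thread, and not ipnat's own code) that models the proxy's job: it watches a constructed FTP control-channel transcript, decodes the `PORT` command (active mode) and the `227` reply to `PASV` (passive mode), and derives the single data connection the firewall must let through for each transfer. It also refuses the announcements a careful proxy must not honour: an address that is not the peer's own (the classic FTP bounce) and privileged ports. The hosts, transcript and function names are all assumptions for illustration.

```python
"""Model of an FTP-aware firewall proxy's control-channel tracking.
Added example; not ipnat(8)'s implementation. All addresses and the
session transcript below are constructed, not captured traffic."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server
# connects back to h1.h2.h3.h4 on port p1*256+p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)
# Passive mode: the server answers PASV with "227 ... (h1,h2,h3,h4,p1,p2)"
# and the client connects to h1.h2.h3.h4 on port p1*256+p2.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class Pinhole:
    """One TCP connection the firewall must permit for a single transfer."""
    src: str     # host that will open the data connection
    dst: str     # host that will be listening
    dport: int   # ephemeral port learned from the control stream
    mode: str    # "active" (server connects in) or "passive" (client connects out)


def _decode(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six comma-separated decimal fields into (host, port)."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("field out of range in address/port tuple")
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


def pinhole_for(direction: str, line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """direction is 'c2s' for a client command or 's2c' for a server reply.
    Returns the data-channel pinhole the line implies, None when the line
    announces no data channel, and raises ValueError for announcements a
    proxy must refuse (wrong host, privileged port)."""
    if direction == "c2s":
        m = PORT_RE.match(line)
        if not m:
            return None
        host, port = _decode(m.groups())
        # A PORT naming a third host is the FTP bounce: honouring it would
        # open a hole from the server to an arbitrary machine.
        if host != client_ip:
            raise ValueError(f"PORT address {host} is not the client {client_ip}")
        if port < 1024:
            raise ValueError(f"PORT to privileged port {port} refused")
        return Pinhole(src=server_ip, dst=host, dport=port, mode="active")
    if direction == "s2c":
        m = PASV_RE.match(line)
        if not m:
            return None
        host, port = _decode(m.groups())
        if host != server_ip:
            raise ValueError(f"PASV address {host} is not the server {server_ip}")
        if port < 1024:
            raise ValueError(f"PASV on privileged port {port} refused")
        return Pinhole(src=client_ip, dst=host, dport=port, mode="passive")
    raise ValueError(f"unknown direction {direction!r}")


def track_session(control: List[Tuple[str, str]], client_ip: str, server_ip: str):
    """Walk a control-channel transcript; return (pinholes to open, refused lines)."""
    allowed, refused = [], []
    for direction, line in control:
        try:
            hole = pinhole_for(direction, line, client_ip, server_ip)
        except ValueError as exc:
            refused.append((line, str(exc)))
            continue
        if hole is not None:
            allowed.append(hole)
    return allowed, refused


# Constructed sample session (assumed addresses, not a real capture).
CLIENT, SERVER = "192.168.1.20", "203.0.113.10"
SAMPLE_SESSION = [
    ("s2c", "220 ftp.example.net FTP server ready."),
    ("c2s", "USER anonymous"),
    ("s2c", "331 Guest login ok, send your e-mail address as password."),
    ("c2s", "PASS guest@"),
    ("s2c", "230 Guest login ok, access restrictions apply."),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (203,0,113,10,195,80)"),  # 195*256+80 = 50000
    ("c2s", "RETR file.txt"),
    ("c2s", "PORT 192,168,1,20,39,16"),                          # 39*256+16 = 10000
    ("c2s", "PORT 198,51,100,7,0,25"),                           # bounce attempt, refused
    ("c2s", "QUIT"),
]

if __name__ == "__main__":
    holes, bad = track_session(SAMPLE_SESSION, CLIENT, SERVER)
    for h in holes:
        print(f"allow tcp {h.src} -> {h.dst}:{h.dport}  ({h.mode})")
    for line, why in bad:
        print(f"refuse {line!r}: {why}")
```

The point the example makes is the one in the reply above: nothing in the packets' headers says which transfer a data connection belongs to, so the only way to open exactly the right ephemeral port is to follow the control conversation. A real proxy also closes each pinhole once the data connection is established or times out; that bookkeeping is left out here. In ipnat.conf the built-in proxy is enabled with a `map` rule of the form `map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp` (interface and network assumed), which must come before the general `map` rule for the same network so that port 21 traffic hits the proxy first.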