Date: Wed, 30 Dec 1998 19:26:45 -0800
From: Dean <dean@thegrid.net>
To: Scott Ullrich <sullrich@in-net.net>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and ftp
Message-ID: <368AEEF5.B48E42D6@thegrid.net>
References: <47C8D349258FD211B59B00A0C95531F31360@newman.cre8.com>
Scott Ullrich wrote:
> FTPs work transparently through the firewall without any problems. The
> problem is incoming FTP, especially when you want to publish to an
> inside machine. If you are only worried about ftping from your network
> then you should not have any problems.

I don't think that this is the case. FTP requires two data connections.
Let's suppose that I'm on the inside of a packet filtering gateway and
want to make an outgoing ftp connection to somehost.com. My client would
initiate a tcp connection to port 21 on somehost and give the ftp server
a random non-privileged port. Somehost would then INITIATE a tcp
connection from port 20 to that random port on my internal machine. If I
want to run a strict filtering gateway, then this connection should be
denied and the ftp would fail.

There is a passive mode where the client instructs the server to pick a
port and then the client will initiate the outgoing connection.
Unfortunately, not all clients support the pasv command and not all
servers understand it.

I will probably run some form of proxy server on the gateway machine.

Dean

>
> As far as DNS is concerned, I run 2 DNS boxes. The FIREWALL box is my
> outside DNS and a 386 is being used for inside queries.
>
> I have all of the client machines resolving to the inside DNS server
> which in turn forwards to the outside box if it cannot come up with the
> answer. This setup has worked flawlessly for 2 years and I highly
> recommend it. If you have any questions, I can be reached at
> sullrich@in-net.net.
>
> Take care and happy BSD'n!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
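Added example (my own, not part of the thread): a small Python model of the point Dean makes. It parses the client's PORT command and the server's 227 passive reply, predicts which side opens the data connection, and checks it against a strict gateway policy that only lets the inside originate TCP setup. The addresses and control-channel lines are constructed, and the client is assumed to sit inside the gateway.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed control-channel dialogues (client inside, server outside).
ACTIVE_SESSION = [
    "USER anonymous", "331 Please specify the password.",
    "PASS guest@", "230 Login successful.",
    "PORT 192,168,1,10,4,1",          # client offers 192.168.1.10:1025
    "200 PORT command successful.",
    "RETR file.txt",
]
PASSIVE_SESSION = [
    "USER anonymous", "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (10,0,0,5,195,80)",  # server picks 10.0.0.5:50000
    "RETR file.txt",
]

HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"


@dataclass
class DataConn:
    mode: str                        # "active" or "passive"
    initiator: Tuple[str, Optional[int]]  # side that sends the SYN (port None = ephemeral)
    target: Tuple[str, int]          # side that must accept the SYN
    inbound_to_inside: bool          # does the SYN arrive at the inside host?


def _decode(m: re.Match) -> Tuple[str, int]:
    """Turn the FTP h1,h2,h3,h4,p1,p2 encoding into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def predict_data_connection(lines: List[str], client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Walk the control dialogue and predict who opens the data connection."""
    for line in lines:
        if m := re.fullmatch(r"PORT " + HOSTPORT, line):
            # Active mode: the server connects from port 20 to the port the client named.
            return DataConn("active", (server_ip, 20), _decode(m), True)
        if m := re.fullmatch(r"227 .*?\(" + HOSTPORT + r"\).*", line):
            # Passive mode: the client connects outward to the port the server named.
            return DataConn("passive", (client_ip, None), _decode(m), False)
    return None


def strict_filter_allows(conn: DataConn) -> bool:
    """Dean's strict gateway: outbound setup from inside is fine, inbound SYNs are dropped."""
    return not conn.inbound_to_inside
```

Running both sessions through the model shows the active transfer's data connection being refused while the passive one passes, which is exactly why the thread ends up at passive mode or a proxy on the gateway.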