From: Dean <dean@thegrid.net>
Date: Wed, 30 Dec 1998 19:26:45 -0800
To: Scott Ullrich, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and ftp

Scott Ullrich wrote:

> FTPs work transparently through the firewall without any problems. The
> problem is incoming FTP, especially when you want to publish to an
> inside machine. If you are only worried about ftping from your network
> then you should not have any problems.

I don't think that this is the case. FTP requires two data connections. Let's suppose that I'm on the inside of a packet filtering gateway and want to make an outgoing ftp connection to somehost.com. My client would initiate a TCP connection to port 21 on somehost and give the ftp server a random non-privileged port. Somehost would then INITIATE a TCP connection from port 20 to that random port on my internal machine. If I want to run a strict filtering gateway, then this connection should be denied and the ftp would fail.

There is a passive mode where the client instructs the server to pick a port and then the client will initiate the outgoing connection. Unfortunately, not all clients support the pasv command and not all servers understand it. I will probably run some form of proxy server on the gateway machine.

Dean

> As far as DNS is concerned, I run 2 dns boxes. The FIREWALL box is my
> outside DNS and a 386 is being used for inside queries.
>
> I have all of the client machines resolving to the inside DNS server
> which in turn forwards to the outside box if it cannot come up with the
> answer. This setup has worked flawlessly for 2 years and I highly
> recommend it. If you have any questions, I can be reached at
> sullrich@in-net.net.
>
> Take care and happy BSD'n!
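As an added illustration of the active/passive distinction Dean describes (this is not code from the thread or from ipfw), the model below decodes the PORT command and the 227 PASV reply, works out who opens the data connection, and checks that against a strict "outbound setup only" policy. The inside network, hosts, ports and the FTP exchange are constructed.

```python
"""Why active-mode FTP fails behind a strict filter while passive mode passes.

Added example, not from the original thread. Hosts, ports and the FTP
exchange are constructed; the filter models a policy that lets inside hosts
open outbound TCP connections but blocks any inbound connection setup.
"""
import ipaddress
import re

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed: network behind the gateway
CLIENT = "10.0.0.5"                            # constructed: the internal client machine
SERVER = "192.0.2.10"                          # constructed: stands in for somehost.com
HOSTPORT = re.compile(r"(\d{1,3}(?:,\d{1,3}){5})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 field used by PORT and by the 227 PASV reply."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port field in %r" % text)
    n = [int(x) for x in m.group(1).split(",")]
    if max(n) > 255:
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]

def data_connection(client_cmd, server_reply):
    """Return the data-connection SYN as (initiator_ip, initiator_port, target_ip, target_port)."""
    if client_cmd.upper().startswith("PORT "):
        # Active mode: client names a random port; the server connects in from port 20.
        host, port = parse_hostport(client_cmd)
        return SERVER, 20, host, port
    if client_cmd.upper().startswith("PASV"):
        # Passive mode: server names a port in its 227 reply; the client connects out.
        host, port = parse_hostport(server_reply)
        return CLIENT, 49152, host, port  # 49152: constructed client ephemeral port
    raise ValueError("not a data-connection command: %r" % client_cmd)

def strict_filter_allows(conn):
    """Policy: allow TCP setup from INSIDE to outside; deny any setup towards INSIDE."""
    initiator, _, target, _ = conn
    src_inside = ipaddress.ip_address(initiator) in INSIDE
    dst_inside = ipaddress.ip_address(target) in INSIDE
    return src_inside and not dst_inside

if __name__ == "__main__":
    active = data_connection("PORT 10,0,0,5,200,25", "200 PORT command successful.")
    passive = data_connection("PASV", "227 Entering Passive Mode (192,0,2,10,195,80).")
    print("active  data connection", active, "allowed:", strict_filter_allows(active))
    print("passive data connection", passive, "allowed:", strict_filter_allows(passive))
```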