From owner-freebsd-questions Fri Feb 22 15:05:43 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from falla.videotron.net (falla.videotron.net [205.151.222.106]) by hub.freebsd.org (Postfix) with ESMTP id 7D7BA37B400; Fri, 22 Feb 2002 15:05:37 -0800 (PST)
Received: from windows ([24.201.83.93]) by falla.videotron.net (Sun Internet Mail Server sims.3.5.1999.12.14.10.29.p8) with ESMTP id <0GRY00I0HITB0G@falla.videotron.net>; Fri, 22 Feb 2002 18:05:35 -0500 (EST)
Date: Fri, 22 Feb 2002 18:05:37 -0500
From: Sandro Mancuso
Subject: RE: Firewall stuff
In-reply-to: <20020222094638.C48401@blossom.cjclark.org>
To: "'Crist J. Clark'"
Cc: freebsd-questions@FreeBSD.ORG
Message-id: <000501c1bbf5$709725e0$6400a8c0@windows>
MIME-version: 1.0
X-Mailer: Microsoft Outlook, Build 10.0.2616
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: quoted-printable
Importance: Normal
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Priority: 3 (Normal)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I see... thanks. I knew about that proxy line for ipnat, but I didn't know enough about it to know that it would allow connections on ports typically greater than 1023 (passive ftp) to be allowed through without making explicit rules to that effect in ipf.rules. Looking forward to seeing how that comes along.

thanks

> -----Original Message-----
> From: Crist J. Clark [mailto:cjc@FreeBSD.ORG]
> Sent: February 22, 2002 12:47 PM
> To: Sandro Mancuso
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: Firewall stuff
>
> On Fri, Feb 22, 2002 at 11:28:46AM -0500, Sandro Mancuso wrote:
> > Hi guys, stupid question I think, as it relates to a windows feature put
> > to use in FreeBSD, but I beg you not to bite my head off for this ;-)
> >
> > Once upon a time, I was using pcconseal firewall (it's too bad it's not
> > around like it used to be, it was a pretty good windows firewall
> > program). What I remember about it was that it used to "know" what
> > programs were opening the ports in question.
>
> Please note that a firewall could only possibly know what programs are
> opening a port when the port is being opened by a program running on
> the firewall. As for packets the firewall is forwarding for other
> hosts, there is absolutely no way to know anything about the
> application generating the packets except...
>
> > Now I'm setting up a firewall on a gateway for my LAN. This sort of
> > characteristic would be a great help, imho (of course I have more
> > limited knowledge in UNIX), for properly allowing passive ftp transfers
> > through. I'm messing with IPFilter at the moment, I'm wondering if
> > there's a way, in FreeBSD for it (or any other firewalls?) to know what
> > service is opening a port, so that it may be opened only for a
> > particular service.
>
> By looking at port numbers. For example, the ftp service is assigned
> port 21/tcp for control connections. However, ftp requires connections
> on other ports...
>
> > Or is that something that should be defined within the ftpd itself
> > (I'm not talking about setting a specific portrange for passive
> > transfers... a little more than just that... making sure that only
> > ftpd can use say ports 15000-19000 outbound)
>
> And there things get sticky with ftp. Because it is pure evil and uses
> other TCP connections, the only sure-fire way to get things to work is
> to proxy the connections. That is, the firewall has to actually read
> and understand data in the control stream to open up the correct
> ports.
>
> Luckily, ipf(8) has an ftp proxy built into ipnat(8).
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
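The point Crist makes above (the firewall must read the FTP control stream to learn which data ports to open) is easiest to see in code. The following is an added example, not code from the thread and not the ipnat(8) ftp proxy itself: a toy model of what such a proxy does. It watches the tcp/21 control channel in both directions, parses the client's PORT command and the server's 227 / 229 replies, sanity-checks the announced endpoint (the announced address must belong to the side that sent it, which is the classic FTP bounce check, and the port must not be privileged), and emits the data-channel pinhole the packet filter would have to open. The client and server addresses, the transcript, and the "never open a port below 1024" policy are all constructed for the example; NAT rewriting of the announced address, which the real proxy also has to do, is out of scope.

```python
"""Added example: toy FTP control-channel watcher that derives data-channel
pinholes, modelling what an FTP application proxy on a packet filter does.
Not the ipf/ipnat ftp proxy; addresses and transcript are constructed."""
import re
from dataclasses import dataclass

# Client -> server active-mode command: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Server -> client passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server -> client extended passive reply (RFC 2428): 229 ... (|||port|)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")

MIN_DATA_PORT = 1024  # policy assumption for this example: never open a privileged port


@dataclass(frozen=True)
class Pinhole:
    """One data connection the filter should allow, plus why it was opened."""
    src_ip: str
    src_port: str      # a port number as text, or "any"
    dst_ip: str
    dst_port: int
    reason: str


def _hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and 227; (None, None) if malformed."""
    vals = [int(x) for x in groups]
    if max(vals) > 255:
        return None, None
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _vet(ip, port, expected_ip):
    """Return a rejection reason, or None if the announced endpoint is acceptable."""
    if ip is None:
        return "malformed address"
    if ip != expected_ip:
        return "announced address is not the sender's (possible bounce)"
    if port < MIN_DATA_PORT:
        return "refusing to open a privileged port"
    return None


def derive_pinholes(client_ip, server_ip, control_lines):
    """Walk a control-channel transcript of (direction, text) pairs, direction
    being "c>s" or "s>c", and return (pinholes, rejected)."""
    pinholes, rejected = [], []
    for direction, text in control_lines:
        text = text.strip()
        if direction == "c>s":
            m = PORT_RE.match(text)
            if not m:
                continue                      # not a data-channel announcement
            ip, port = _hostport(m.groups())
            expected, reason = client_ip, "active (PORT)"
        elif direction == "s>c":
            m = PASV_RE.match(text)
            if m:
                ip, port = _hostport(m.groups())
                expected, reason = server_ip, "passive (227)"
            else:
                m = EPSV_RE.match(text)
                if not m:
                    continue
                ip, port = server_ip, int(m.group(1))   # EPSV reuses the control address
                expected, reason = server_ip, "extended passive (229)"
        else:
            continue
        why = _vet(ip, port, expected)
        if why:
            rejected.append((text, why))
            continue
        if reason.startswith("active"):
            # Active mode: the server connects back from tcp/20 to the client's port.
            pinholes.append(Pinhole(server_ip, "20", client_ip, port, reason))
        else:
            # Passive mode: the client opens the connection to the announced server port.
            pinholes.append(Pinhole(client_ip, "any", server_ip, port, reason))
    return pinholes, rejected


def to_ipf_rule(p):
    """Render a pinhole as an ipf(5)-style stateful rule. Illustrative text only:
    the interface and in/out direction depend on the gateway's layout and NAT."""
    src = p.src_ip + (f" port = {p.src_port}" if p.src_port != "any" else "")
    direction = "in" if p.src_port == "20" else "out"
    return f"pass {direction} quick proto tcp from {src} to {p.dst_ip} port = {p.dst_port} flags S keep state"


# Constructed transcript: LAN client 192.168.1.100 talking to server 192.0.2.10.
SAMPLE_SESSION = [
    ("s>c", "220 ftp.example.net FTP server ready."),
    ("c>s", "USER anonymous"),
    ("s>c", "230 Login ok."),
    ("c>s", "PASV"),
    ("s>c", "227 Entering Passive Mode (192,0,2,10,195,80)."),   # 195*256+80 = 50000
    ("c>s", "RETR README"),
    ("c>s", "PORT 192,168,1,100,58,160"),                        # 58*256+160 = 15008
    ("c>s", "PORT 10,9,8,7,58,160"),                             # bounce attempt: not the client
    ("c>s", "PORT 192,168,1,100,0,22"),                          # privileged port
    ("c>s", "EPSV"),
    ("s>c", "229 Entering Extended Passive Mode (|||50001|)"),
]

if __name__ == "__main__":
    holes, bad = derive_pinholes("192.168.1.100", "192.0.2.10", SAMPLE_SESSION)
    for h in holes:
        print(f"{h.reason:24} {to_ipf_rule(h)}")
    for text, why in bad:
        print(f"REJECTED {text!r}: {why}")
```

Run stand-alone it prints three rules (one passive pinhole to server port 50000, one active pinhole from server port 20 to client port 15008, one extended-passive pinhole to 50001) and two rejections. This is the mechanism Sandro asks about: the high ports are never listed in ipf.rules, they are opened per session from what the proxy read on port 21. In ipnat.conf the built-in proxy is enabled with a line of the form `map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp` ahead of the general `map` rule, where the interface and LAN prefix are assumptions for your own setup.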