From: Fernando Schapachnik
To: Peter Ross
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP and firewall
Date: Wed, 20 Dec 2000 10:23:41 -0300 (ART)

man ipf, and check:

http://www.obfuscation.org/ipf/ipf-howto.txt

ipfilter can do this in a much safer way than what I suggested there.

Regards.

In a previous message, Peter Ross wrote:
> Hello,
>
> I'm listening here and hope for answers. Sorry for my English. My girlfriend
> did some remarks..
>
> I found these mails discussing the same problem:
>
> ( http://docs.freebsd.org/mail/archive/2000/freebsd-security/20000402.freebsd-security.html
> )
>
> Paul Hart wrote:
>
> > On Wed, 29 Mar 2000, Alan Batie wrote:
> >
> > > To do active mode ftp properly, ipfw would need to parse the contents
> > > of the packets on the ftp control channel and dynamically allow the
> > > corresponding incoming connection. There's no indication that this
> > > parsing capability is present.
> >
> > I know we're talking about IPFW here, but hasn't IP Filter (also included
> > with FreeBSD) been supporting this very operation for quite a while now?
>
> I checked the man page again but I can't see it.
>
> And Fernando Schapachnik wrote:
>
> > What I have done is to configure FTPd to use ports between 40000 and
> > 44999 (wu-ftpd allows it to be done easily; don't know others) and then:
> >
> > allow tcp from any to my_ip 40000-44999 in setup
> >
> > It's not the best, but still better than nothing.
>
> But what's the best?
>
> Peter Ross
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA
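
Added example, not part of the original message and not code from ipfw or IP Filter: a sketch of the control-channel parsing described in the quoted thread, which turns one FTP control line into the single data-connection pinhole to allow instead of a standing port-range rule. It assumes IPv4 and the RFC 959 PORT / 227 forms; the function names and sample addresses are constructed for illustration, and 40000-44999 is the passive range quoted above.

```python
import ipaddress
import re

PASV_PORTS = range(40000, 45000)  # the 40000-44999 range quoted in the thread
_TUPLE = re.compile(r"\b" + ",".join([r"(\d{1,3})"] * 6) + r"\b")

def parse_hostport(text):
    """Decode an RFC 959 h1,h2,h3,h4,p1,p2 tuple into (IPv4Address, port)."""
    m = _TUPLE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("field larger than 255")
    return ipaddress.IPv4Address(bytes(n[:4])), n[4] * 256 + n[5]

def pinhole(line, from_client, client_ip, server_ip):
    """Return (src, dst, dport) to allow for one control-channel line, else None.

    Raises ValueError when the line asks for a data connection that should
    not be opened.
    """
    line = line.strip()
    if from_client and line[:5].upper() == "PORT ":
        addr, port = parse_hostport(line[5:])
        # Active mode: the server connects back to the client.
        if addr != ipaddress.IPv4Address(client_ip):
            raise ValueError("PORT address is not the control-connection peer")
        if port < 1024:
            raise ValueError("PORT names a privileged port")
        return (server_ip, client_ip, port)
    if not from_client and line.startswith("227 "):
        addr, port = parse_hostport(line[4:])
        # Passive mode: the client connects to a port the server picked.
        if addr != ipaddress.IPv4Address(server_ip):
            raise ValueError("227 address is not the FTP server")
        if port not in PASV_PORTS:
            raise ValueError("227 port outside the configured passive range")
        return (client_ip, server_ip, port)
    return None

# Constructed sample values (documentation addresses, not from the thread).
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
if __name__ == "__main__":
    print(pinhole("PORT 198,51,100,7,195,80", True, CLIENT, SERVER))
    print(pinhole("227 Entering Passive Mode (192,0,2,10,156,64)", False, CLIENT, SERVER))
```
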