From owner-freebsd-ipfw Thu Apr 12 12:17:43 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by hub.freebsd.org (Postfix) with ESMTP id E405B37B446 for ; Thu, 12 Apr 2001 12:17:39 -0700 (PDT) (envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id VAA74511; Thu, 12 Apr 2001 21:16:23 +0200 (CEST) (envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200104121916.VAA74511@info.iet.unipi.it>
Subject: Re: Beating a dead horse - ipfw and FTP
In-Reply-To: <87puei53ud.fsf@pooh.honeypot> from Kirk Strauser at "Apr 12, 2001 02:13:14 pm"
To: Kirk Strauser
Date: Thu, 12 Apr 2001 21:16:23 +0200 (CEST)
Cc: freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

we have stateful ipfw and passive ftp -- the combination of the two
should give you the protection that you want. Am I wrong?

cheers
luigi

> I've read a lot of the mailing list archives regarding ipfw and FTP. The
> basic consensus seems to be that FTP Is Bad and that it shouldn't be used.
> OK, on a technical level, I agree. Unfortunately, it's still somewhat hard
> to get away from. In particular, look at the FreeBSD ports system which
> relies heavily on using FTP to fetch source tarballs - that alone is reason
> enough for me to maintain usability for this antiquated protocol. Add in
> the fact that I have several user workstations that periodically fetch files
> (darn those Debian users :) ) and I'm pretty well stuck.
>
> So, has anyone agreed on a best-practices method of allowing outgoing FTP
> connections through ipfw? It seems like the ideal would be for someone to
> add an FTP method to ipfw's keep-state mechanism, but that doesn't seem to
> exist right now. The next best solution, to me, would be an ipfw-aware FTP
> proxy that can dynamically open and close ports. Does such a thing exist?
> If so, and there are more than one, are any of them recommended?
>
> I'm thinking that a final last-ditch-effort solution would be to write a
> two-part FTP proxy server so half of the server lives outside the firewall
> and the other half is inside, and the two halves communicate via a secure
> link. This might actually be a Good Thing, but darned if I'd even know
> where to begin such a project.
> --
> Kirk Strauser
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
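As an added example that is not part of the thread, nor of ipfw itself: the check an FTP-aware stateful helper (the "FTP method for keep-state" or ipfw-aware proxy asked about above) has to make before opening a data-channel pinhole for a passive transfer. It parses the server's 227 reply and accepts a data address only if it matches the control-connection peer and lands on an unprivileged port; the server address and reply strings are constructed sample values, and the rule renderer assumes ipfw's `keep-state` syntax.

```python
import re
from typing import Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return the (host, port) advertised by a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # every field is a single byte
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_pinhole(reply: str, control_peer: str):
    """Decide whether a stateful FTP helper may open a data-channel pinhole.
    control_peer: server the client's control connection (port 21) went to.
    Returns (allowed, reason, host, port)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False, "unparseable 227 reply", None, None
    host, port = parsed
    # Only trust a data address that is the server we are already talking to;
    # otherwise the reply could steer the client, and our pinhole, elsewhere.
    if host != control_peer:
        return False, "data address differs from control peer", host, port
    # Passive data ports are ephemeral; never open a hole to a privileged port.
    if port < 1024:
        return False, "privileged data port", host, port
    return True, "ok", host, port

def ipfw_rule(host: str, port: int) -> str:
    """Render the short-lived dynamic rule a helper would install (ipfw syntax)."""
    return f"allow tcp from any to {host} {port} out setup keep-state"

if __name__ == "__main__":
    server = "203.0.113.5"  # constructed sample server address
    for reply in ("227 Entering Passive Mode (203,0,113,5,199,207)",
                  "227 Entering Passive Mode (192,0,2,9,199,207)",
                  "227 Entering Passive Mode (203,0,113,5,0,22)"):
        ok, why, host, port = data_pinhole(reply, server)
        print(reply, "->", ipfw_rule(host, port) if ok else f"refused: {why}")
```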