Date:      Thu, 21 Dec 2000 21:14:16 +0100
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: FTP and firewall
Message-ID:  <20001221211416.V253@speedy.gsinet>
In-Reply-To: <200012201323.KAA95716@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Wed, Dec 20, 2000 at 10:23:41AM -0300
References:  <200012201306.OAA00816@pps.de> <200012201323.KAA95716@ns1.via-net-works.net.ar>

On Wed, Dec 20, 2000 at 10:23 -0300, Fernando Schapachnik wrote:
> 
> man ipf, and check:
> 
> http://www.obfuscation.org/ipf/ipf-howto.txt

This answer was a little terse. :)

Make sure to read "man -a ipf", since there is the IP stack
hookup code (4), the userland access tool (8), as well as the
configuration language (5).  Plus "man -a ipnat" for the
functionality (4), the command line tool (1), and the language
(5).

And make sure to look at the /usr/src/contrib/ipfilter/rules
examples.  Especially the ftp* files might be of interest for
you.  But then again having an example with a topology drawing
next to it might make it all *too* easy. :>

BTW:  You did read the /etc/defaults/rc.conf comments right next
to the ipfilter_* settings, didn't you?  Since you copied the
relevant ones over to /etc/rc.conf (and turned them on) ... :>

> ipfilter can do this in a much safer way than what I suggested
> there.

Yes.  The idea is to open the control connection only (port 21)
and have the proxy module handle the data connections on the fly.
No need to open up wide holes big enough to drive trucks through.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
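
The approach described in the message above, sketched as an added example; it is not part of the original message and is not taken from the IPFilter rules directory. It assumes internal clients on 192.168.1.0/24 reaching outside FTP servers through a gateway whose external interface is ed0; both values are constructed for illustration.

```conf
# ---- ipnat rules (excerpt; ed0 and 192.168.1.0/24 are assumed values) ----
# Hand FTP control connections (port 21) to the in-kernel ftp proxy.
# This rule must come before the general map rules for the same source,
# otherwise those match first and the proxy never sees the session.
map ed0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ed0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ed0 192.168.1.0/24 -> 0/32

# ---- ipf rules (excerpt) ----
# Default: nothing crosses the external interface unless allowed below.
block in  on ed0 all
block out on ed0 all

# Wide-hole variant that the proxy makes unnecessary (contrast only,
# left commented out): every host that sources from port 20 may open
# connections to any high port behind the firewall.
#   pass in quick on ed0 proto tcp from any port = 20 to any port > 1023 flags S keep state

# With the proxy: permit the control connection only. Outbound packets
# are filtered before NAT, so the internal source address still matches.
# The data connections are handled by the proxy module on the fly.
pass out quick on ed0 proto tcp from 192.168.1.0/24 to any port = 21 flags S keep state
```

After loading, `ipnat -l` lists the active map rules and sessions, and `ipfstat -io` shows the loaded filter rules, which is a quick check that no port-20 or high-port pass rule is left over.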