From owner-freebsd-security Thu Dec 21 12:16:44 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 12:16:41 2000
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id E361437B404 for <freebsd-security@FreeBSD.ORG>; Thu, 21 Dec 2000 12:16:34 -0800 (PST)
Received: (qmail 20156 invoked by uid 0); 21 Dec 2000 20:16:33 -0000
Received: from p3ee2165e.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.94) by mail.gmx.net (mail10) with SMTP; 21 Dec 2000 20:16:33 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id VAA25124 for freebsd-security@FreeBSD.ORG; Thu, 21 Dec 2000 21:14:16 +0100
Date: Thu, 21 Dec 2000 21:14:16 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FTP and firewall
Message-ID: <20001221211416.V253@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <200012201306.OAA00816@pps.de> <200012201323.KAA95716@ns1.via-net-works.net.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200012201323.KAA95716@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Wed, Dec 20, 2000 at 10:23:41AM -0300
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Dec 20, 2000 at 10:23 -0300, Fernando Schapachnik wrote:
>
> > man ipf, and check:
> > http://www.obfuscation.org/ipf/ipf-howto.txt

This answer was a little terse. :)

Make sure to read "man -a ipf", since there is the IP stack hookup
code (4), the userland access tool (8), as well as the configuration
language (5). Plus "man -a ipnat" for the functionality (4), the
command line tool (1), and the language (5).

And make sure to look at the /usr/src/contrib/ipfilter/rules
examples. Especially the ftp* files might be of interest for you.
But then again, having an example with a topology drawing next to it
might make it all *too* easy. :>

BTW: You did read the /etc/defaults/rc.conf comments right next to
the ipfilter_* settings, didn't you? Since you copied the relevant
ones over to /etc/rc.conf (and turned them on) ... :>

> ipfilter can do this in a much safer way than what I suggested
> there.

Yes. The idea is to open the control connection only (port 21) and
have the proxy module handle the data connections on the fly. No
need to open up wide holes big enough to drive trucks through.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
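As an added illustration of the "open port 21 only and let the proxy handle the data channels" approach described in the reply above (this is not part of the original mail, nor from the IPFilter distribution's own rules/ftp* examples): a minimal IPFilter/ipnat setup for a FreeBSD gateway whose LAN clients use FTP on the outside. The interface names ed0 (outside) and ed1 (inside) and the 192.168.1.0/24 LAN are assumed for the example; the ipnat "proxy port ftp ftp/tcp" rule and the rc.conf variable names are as documented in ipnat(5) and /etc/defaults/rc.conf of that era, but verify them against your own system.

```conf
# /etc/ipnat.rules  (assumed topology: ed0 = outside, ed1 = inside LAN)
#
# The ftp proxy rule must come before the general map rule, because
# ipnat uses the first matching rule. The proxy watches the FTP control
# channel (PORT / PASV exchanges) and creates the NAT and state entries
# for each data connection on the fly, so no filter rule ever has to
# open port 20 or a wide passive port range.
map ed0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ed0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ed0 192.168.1.0/24 -> 0/32

# /etc/ipf.rules
#
# Default deny in both directions; log what gets dropped.
block in  log all
block out log all
# Only the FTP control channel (port 21) is opened explicitly.
# "flags S keep state" admits the initial SYN and lets the state table
# pass the rest of the conversation; the proxy-created data connections
# ride on the state entries ipnat adds, not on additional pass rules.
pass in  quick on ed1 proto tcp from 192.168.1.0/24 to any port = 21 flags S keep state
pass out quick on ed0 proto tcp from any to any port = 21 flags S keep state

# /etc/rc.conf  (copied from the matching entries in /etc/defaults/rc.conf)
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
```

After loading, "ipnat -l" should list the map rules with the ftp proxy attached, and "ipfstat -s" shows the state entries as a client's data connections come and go; if a data transfer stalls, the logged blocks from the two "block ... log all" rules show which leg the proxy did not cover. The point of the layout is the one the mail makes: the only hole cut by hand is port 21, everything else is created and torn down per connection by the proxy.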