Date: Mon, 17 Dec 2001 15:31:58 +0200 From: Johann Botha <joe@frogfoot.net> To: apache@ukr.net Cc: freebsd-isp@freebsd.org Subject: Re: firewall + ftp Message-ID: <20011217133158.GB30894@blue.frogfoot.net> In-Reply-To: <20011217131602.A1843@unixbox.office.annaltd.com> References: <20011217131602.A1843@unixbox.office.annaltd.com>
Hi apache!
> I am arranging a firewall in my office network, connected to the Internet via a dedicated
> line. I want to close everything but HTTP, SMTP, SSH and FTP from the internal
> network. The problem is FTP. I want to make uploads/downloads to Internet hosts
> via ftp.
>
> What can I do with data ports?
> Are there any solutions or starting points for me (ftp proxy, etc.)?
man natd
------------< snip <------< snip <------< snip <------------
-punch_fw basenumber:count
This option directs natd to "punch holes" in an
ipfirewall(4) based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall
rules which allow a particular connection (and only that
connection) to go through the firewall. The rules are removed
once the corresponding connection terminates.
------------< snip <------< snip <------< snip <------------
but.. I could not get this to work, IMHO natd is broken. (in 4.3 anyway)
so now i use jftpgw: http://www.mcknight.de/jftpgw/features.html
e.g.
------------< snip <------< snip <------< snip <------------
# Transparent Proxy for FTP
fwd 66.8.1.1,2370 tcp from 66.8.1.48/29 to any 21 in recv ed1
------------< snip <------< snip <------< snip <------------
and then just allow "1025-65535 to any 21" on the firewall's IP.
..or use IPF's NAT: http://coombs.anu.edu.au/~avalon/ip-filter.html
--
Regards
Johann
"FreD is not dead"
- echo $(uname) is not dead | sed "s/eBS//"
_________________________________________________________
Johann L. Botha Debian GNU Jedi: joe@debian.org
email: joe@frogfoot.net snail mail: PO Box 3472
mobile: +27 82 5626 167 Matieland
workpage: http://www.frogfoot.net Stellenbosch
homepage: http://blue.frogfoot.net 7602
gps: 33deg 56.09S, 18deg 25.31E, 64m South Africa
ham: ZR1JOE
Copyright (c) 2001. The Sovereigns of Frogfoot. All rights reserved.
Disclaimer available upon request.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011217133158.GB30894>
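The quoted natd text says what a hole-punching helper must do but not what it has to check before opening the hole. The following is an added example, not code from the message, from natd or from ipfw: it parses the two announcements that carry the data-connection endpoints (the client's PORT command in active mode, the server's 227 reply in passive mode), refuses announcements that name anything other than the two control-connection endpoints or a privileged port, and emits the single ipfw rule that would admit just that connection. The office network 66.8.1.48/29 comes from the posted fwd rule; the client and server addresses, the control-channel lines and the rule numbers are constructed for the example, and the rule syntax assumes the hosts are routed rather than translated (if natd is doing NAT it also rewrites the address in PORT, which this model does not show).

```python
"""Model of FTP data-channel hole punching, the job natd -punch_fw does for ipfw.

Allowing port 21 is easy; the data connection is negotiated inside the control
connection.  A firewall helper must read the PORT command (active mode) or the
227 reply (passive mode), check that the announcement names the endpoints it
expects, and admit exactly that one TCP connection, nothing wider.
"""
import re
from ipaddress import ip_address, ip_network

# Office network taken from the fwd rule in the message; everything else here is
# constructed for the example and is not natd's or ipfw's own logic.
OFFICE_NET = ip_network("66.8.1.48/29")

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text):
    """Turn the h1,h2,h3,h4,p1,p2 field used by PORT and 227 into (ip, port)."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % text)
    return ip_address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def data_connection(client_ip, server_ip, line):
    """Return (src, sport, dst, dport) of the data connection announced on the
    control channel; sport is None when the client picks an ephemeral port.
    Raises ValueError when the announcement must not be honoured."""
    client, server = ip_address(client_ip), ip_address(server_ip)
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active mode: the server connects from port 20 to what the client named.
        ip, port = _decode_hostport(line)
        if ip != client:
            # A PORT naming a third party is the classic FTP bounce; punching a
            # hole for it would open someone else's port on the client's say-so.
            raise ValueError("PORT names %s, not the client %s" % (ip, client))
        if port < 1024:
            raise ValueError("refusing to open privileged port %d" % port)
        return str(server), 20, str(client), port
    if line.startswith("227"):
        # Passive mode: the client connects to the address/port the server named.
        ip, port = _decode_hostport(line)
        if ip != server:
            raise ValueError("227 names %s, not the server %s" % (ip, server))
        if port < 1024:
            raise ValueError("refusing to open privileged port %d" % port)
        return str(client), None, str(server), port
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def accepts(client_ip, server_ip, line):
    """True if data_connection() would admit the announcement."""
    try:
        data_connection(client_ip, server_ip, line)
        return True
    except ValueError:
        return False


def punch_rule(rulenum, client_ip, server_ip, line):
    """One ipfw rule admitting only the announced data connection, numbered
    the way -punch_fw basenumber:count hands out temporary rule numbers."""
    if ip_address(client_ip) not in OFFICE_NET:
        raise ValueError("%s is not an inside host" % client_ip)
    src, sport, dst, dport = data_connection(client_ip, server_ip, line)
    direction = "in" if dst == str(ip_address(client_ip)) else "out"
    sport_txt = " %d" % sport if sport is not None else ""
    return "ipfw add %d allow tcp from %s%s to %s %d %s setup keep-state" % (
        rulenum, src, sport_txt, dst, dport, direction)


if __name__ == "__main__":
    # Constructed control-channel lines for a client at 66.8.1.50 talking to a
    # server at 192.0.2.10 (documentation address); the third is a bounce attempt.
    for line in ("PORT 66,8,1,50,8,5",
                 "227 Entering Passive Mode (192,0,2,10,195,80)",
                 "PORT 192,0,2,99,0,25"):
        try:
            print(punch_rule(10000, "66.8.1.50", "192.0.2.10", line))
        except ValueError as e:
            print("rejected:", e)
```

The two rejections are the checks worth keeping whichever helper you end up with (natd, jftpgw or IPF's ftp proxy): a PORT that names an address other than the client is an FTP bounce, and a data port below 1024 on either side is never something the firewall should open on the strength of an in-band announcement.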
