Date: Sat, 25 Sep 1999 15:07:15 -0600
From: Brett Glass <brett@lariat.org>
To: Harold Gutch <logix@foobar.franken.de>, Nate Williams <nate@mt.sri.com>
Cc: Monte Westlund <montejw@memes.com>, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
Message-ID: <4.2.0.58.19990925150438.047285f0@localhost>
In-Reply-To: <19990925125108.A13871@foobar.franken.de>
References: <4.2.0.58.19990924113626.0480db00@localhost> <4.2.0.58.19990924111600.04809a90@localhost> <3.0.5.32.19990923152232.007c94c0@memes.com> <4.2.0.58.19990924111600.04809a90@localhost> <199909241733.LAA27644@mt.sri.com> <4.2.0.58.19990924113626.0480db00@localhost>

At 12:51 PM 9/25/99 +0200, Harold Gutch wrote:
>But in this case you don't want to allow SYN-Packets coming from
>the inside with *source* port 80, but with *destination* port 80.
>
>Instead of
>
> $fwcmd add pass tcp from ${oip} 80 to any setup
>
>you'd want
>
> $fwcmd add pass tcp from ${oip} to any 80 setup

Thank you for catching that typo! Yes, when you're going outward,
you want to go TO port 80.

A proxy would be a good way to go for HTTP in particular, but
I'm not sure where one would get one for other protocols. Most
of the stand-alone FTP proxies out there seem fairly weak. I've
heard that there's at least one firewall program with FTP proxying
built in, but I haven't tried it.

--Brett
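
The source/destination port mix-up corrected in this message can be checked for mechanically. The following is an added example, not part of the original e-mail or of rc.firewall: a small lint that flags `setup` rules whose only port sits on the source side and prints the swapped form. The names `lint`, `low_ports`, `OPTIONS` and `RULES` are hypothetical, and the rule grammar handled is a simplified subset of ipfw's.

```python
# Assumption: rules look like
#   <cmd> add <action> <proto> from SRC [ports] to DST [ports] [options]
# which is a simplified subset of the ipfw rule grammar.
OPTIONS = {"setup", "established", "in", "out", "via", "recv", "xmit", "frag"}

def low_ports(spec):
    """True if every port or range bound in a numeric spec such as
    '80', '80,443' or '20-21' is below 1024 (a service port)."""
    parts = spec.replace("-", ",").split(",")
    return all(p.isdigit() and int(p) < 1024 for p in parts)

def lint(line):
    """Return the corrected rule if the ports look reversed, else None.

    A 'setup' rule matches the opening SYN of a connection. The side that
    opens it uses an ephemeral source port, so a rule that pins a service
    port on the source and leaves the destination port open is suspect."""
    toks = line.split()
    if "from" not in toks:
        return None
    f = toks.index("from")
    if "to" not in toks[f:]:
        return None
    t = toks.index("to", f)
    src, rest = toks[f + 1:t], toks[t + 1:]
    # Everything up to the first option keyword is destination address/ports.
    n = next((i for i, tok in enumerate(rest) if tok in OPTIONS), len(rest))
    dst, opts = rest[:n], rest[n:]
    suspect = ("setup" in opts and len(src) == 2 and len(dst) == 1
               and low_ports(src[1]))
    if not suspect:
        return None
    return " ".join(toks[:f] + ["from", src[0], "to", dst[0], src[1]] + opts)

RULES = [
    "$fwcmd add pass tcp from ${oip} 80 to any setup",   # quoted in the thread
    "$fwcmd add pass tcp from ${oip} to any 80 setup",   # correction in the thread
    "$fwcmd add pass tcp from any to ${oip} 25 setup",   # constructed sample
    # Constructed sample: active-mode FTP data really does originate from
    # port 20, and both sides are constrained, so it is not flagged.
    "$fwcmd add pass tcp from any 20 to ${oip} 1024-65535 setup",
]

if __name__ == "__main__":
    for rule in RULES:
        fix = lint(rule)
        print(("SUSPECT  " if fix else "ok       ") + rule)
        if fix:
            print("  did you mean: " + fix)
```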
