From: Brett Glass
Date: Sat, 25 Sep 1999 15:07:15 -0600
To: Harold Gutch, Nate Williams
Cc: Monte Westlund, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall

At 12:51 PM 9/25/99 +0200, Harold Gutch wrote:

>But in this case you don't want to allow SYN-Packets coming from
>the inside with *source* port 80, but with *destination* port 80.
>
>Instead of
>
>    $fwcmd add pass tcp from ${oip} 80 to any setup
>
>you'd want
>
>    $fwcmd add pass tcp from ${oip} to any 80 setup

Thank you for catching that typo! Yes, when you're going outward,
you want to go TO port 80.

A proxy would be a good way to go for HTTP in particular, but I'm
not sure where one would get one for other protocols. Most of the
stand-alone FTP proxies out there seem fairly weak. I've heard that
there's at least one firewall program with FTP proxying built in,
but I haven't tried it.

--Brett
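
An added illustration, not part of the original thread and not ipfw's own code: a minimal Python matcher for the rule form quoted above, run over constructed packets, showing why the port has to sit on the destination side of an outbound `setup` rule. `OIP`, the packet values and all function names are assumptions made for the example.

```python
OIP = "192.0.2.10"  # constructed stand-in for ${oip} (documentation address)

def parse_rule(text):
    """Parse 'pass tcp from SRC [port] to DST [port] [setup]' (subset only)."""
    tok = text.replace("${oip}", OIP).split()
    if tok[:2] == ["$fwcmd", "add"]:
        tok = tok[2:]
    if tok[:3] != ["pass", "tcp", "from"] or "to" not in tok:
        raise ValueError("unsupported rule: " + text)
    to = tok.index("to")
    src, dst = tok[3:to], tok[to + 1:]
    setup = bool(dst) and dst[-1] == "setup"
    if setup:
        dst = dst[:-1]
    def side(part):
        if len(part) not in (1, 2):
            raise ValueError("bad address/port in: " + text)
        return part[0], (int(part[1]) if len(part) == 2 else None)
    (saddr, sport), (daddr, dport) = side(src), side(dst)
    return {"saddr": saddr, "sport": sport,
            "daddr": daddr, "dport": dport, "setup": setup}

def matches(rule, pkt):
    """True if the packet satisfies every field the rule constrains."""
    addr_ok = lambda want, got: want == "any" or want == got
    port_ok = lambda want, got: want is None or want == got
    # 'setup' means SYN set and ACK clear, i.e. a connection attempt
    if rule["setup"] and not (pkt["syn"] and not pkt["ack"]):
        return False
    return (addr_ok(rule["saddr"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and addr_ok(rule["daddr"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))

def packet(sport, dport, syn=True, ack=False):
    # Constructed sample packet leaving the firewall host
    return {"src": OIP, "sport": sport, "dst": "198.51.100.7",
            "dport": dport, "syn": syn, "ack": ack}

TYPO = parse_rule("$fwcmd add pass tcp from ${oip} 80 to any setup")
FIXED = parse_rule("$fwcmd add pass tcp from ${oip} to any 80 setup")
WEB_SYN = packet(49152, 80)   # ordinary outbound HTTP connection attempt
SRC80_SYN = packet(80, 25)    # source port 80, destination is not a web port

if __name__ == "__main__":
    for name, p in (("web_syn", WEB_SYN), ("src80_syn", SRC80_SYN)):
        print(name, "typo rule:", matches(TYPO, p), "fixed rule:", matches(FIXED, p))
```

The rule with the port on the source side rejects the ordinary web connection and instead passes any outbound connection that happens to originate from port 80, whatever its destination port.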