Date: Mon, 12 Jun 2000 06:29:21 -0400 (EDT)
From: Greg Hormann <ghormann@alumni.indiana.edu>
To: Cy Schubert - ITSD Open Systems Group
Cc: security@FreeBSD.ORG
Subject: Re: Setting up simple firewall with ipfw
In-Reply-To: <200006111721.e5BHLiX06847@cwsys.cwsent.com>

Thanks. The FTP port was just to see if I could get it to work. Once I
got it working, I shut it down.

Greg.

> I'm not sure what you're trying to accomplish here -- the 22/udp is
> confusing, unless you want to allow PC Anywhere through.
>
> The FTP protocol is an abortion. You have a choice of passive or PORT
> FTP. Depending on the direction you will require opening up your
> firewall to the world or the world's firewalls need to be opened up to
> FTP to you. In my IPFW and ipchains firewalls I specify that my users
> behind those firewalls must use passive FTP as clients to get out. As
> FTP servers are a security risk I usually put them on a DMZ or exterior
> network.
>
> A packet filter with an FTP application proxy might let you have the
> best of both worlds. It just happens that IP Filter comes with FreeBSD
> as well.
>
> Even then, running a world-accessible FTP server behind your
> firewall, IMO, is still a big risk, unless you're offering services to
> customers behind your firewall who themselves are also behind another
> firewall, an onion ring approach of firewalls within firewalls within
> firewalls where outside rings have no access to or a very limited
> access to a set of services on the inside.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Team Leader, Sun/DEC Team      Internet: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
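The passive-versus-PORT point in the quoted reply, worked through as an added example (not code from this thread or from FreeBSD): a toy parser for the handful of ipfw keywords used here and a client-side policy that only lets inside hosts open connections outward, applied to the SYN packets each FTP mode produces. The rules, hosts and the ephemeral port 49152 are all constructed.

```python
# Added example, not from the thread: a stateless model of an ipfw policy and
# the two FTP data-connection modes. Only the ipfw subset used here is parsed.

def parse_rule(line):
    """Parse 'add N allow|deny tcp from any to any [port] [in|out] [setup|established]'."""
    tok = line.split()
    if tok[0] != "add" or tok[2] not in ("allow", "deny") or tok[3] != "tcp" \
            or tok[4:8] != ["from", "any", "to", "any"]:
        raise ValueError("unsupported rule: " + line)
    rule = {"action": tok[2], "dport": None, "dir": None, "state": None}
    for t in tok[8:]:
        if t.isdigit():
            rule["dport"] = int(t)          # destination port after 'to any'
        elif t in ("in", "out"):
            rule["dir"] = t                 # direction relative to the firewall
        elif t in ("setup", "established"):
            rule["state"] = t               # setup = SYN only; established = ACK or RST set
        else:
            raise ValueError("unsupported token: " + t)
    return rule

def matches(rule, pkt):
    return all(rule[k] is None or rule[k] == pkt[k] for k in ("dport", "dir", "state"))

def verdict(rules, pkt):
    """First matching rule wins; ipfw's implicit final rule denies everything else."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"

# Constructed client-side policy: open connections outward only, never inward.
CLIENT_SIDE_POLICY = """
add 100 allow tcp from any to any established
add 200 allow tcp from any to any out setup
add 300 deny tcp from any to any in setup
"""

# Connection-opening (SYN) packets per FTP mode, as seen by the client's firewall.
FTP_MODES = {
    "passive": [dict(dir="out", dport=21, state="setup"),      # control channel
                dict(dir="out", dport=49152, state="setup")],  # data: client -> server high port
    "port":    [dict(dir="out", dport=21, state="setup"),      # control channel
                dict(dir="in", dport=49152, state="setup")],   # data: server port 20 -> client
}

def ftp_mode_allowed(policy_text, mode):
    rules = [parse_rule(ln) for ln in policy_text.strip().splitlines()]
    return all(verdict(rules, p) == "allow" for p in FTP_MODES[mode])
```

With this policy passive FTP succeeds and PORT FTP fails at the data connection, which is exactly why a client-side firewall forces passive mode; a passive FTP server behind the same policy would instead need inbound `setup` on 21 and its high ports, the "open your firewall to the world" case.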