From: "Danny Carroll"
To: security@freebsd.org
Subject: IPFW, natd and an internal FTP server.
Date: Mon, 26 Nov 2001 15:32:05 +0000

Hello,

I know this question has been covered before in many different ways, but I can't seem to find the solution I am looking for. Here is my situation.

Machine guard is the firewall/natd server on a dedicated internet line.

Machine app is the web/ftp server; let's say it runs win2k. This machine is on an internal (192.168) network and the firewall's natd diverts web/ftp stuff almost brilliantly.

The firewall works fine for active FTP (server-initiated data connections). If I configure my FTP server to use passive ports in a limited range and allow those ports specifically, then all is well. But I want to be a little more secure, so I tried using punch_fw to add the rules dynamically. I figured if it works for active clients, it must work for passive servers? Am I wrong in this assumption, or have I screwed something up?

Also, will I see the rules inserted into the ipfw list, or are they hidden for some reason?

Thanks in advance.
-D
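As an added illustration (not part of the original post), here is a minimal natd/ipfw ruleset for the setup the poster says already works: an internal FTP server behind natd with a limited passive-port range forwarded and explicitly allowed, so that only the control port and that range are reachable from outside. The interface name, addresses and port range are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: natd + ipfw rules for an internal
# FTP server with a fixed passive-port range. All values below are assumptions.
ext_if="fxp0"                  # assumed external interface on "guard"
ftp_srv="192.168.1.10"         # assumed internal address of "app"
pasv_lo=50000; pasv_hi=50100   # assumed passive range configured on the server
fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to preview rules without applying

# natd.conf content: forward the control port and the passive range to the server.
natd_conf() {
    cat <<EOF
interface ${ext_if}
redirect_port tcp ${ftp_srv}:21 21
redirect_port tcp ${ftp_srv}:${pasv_lo}-${pasv_hi} ${pasv_lo}-${pasv_hi}
EOF
}

# ipfw rules: divert through natd first, so inbound packets are already
# rewritten to the internal address when the allow rules are evaluated.
# Only the control port and the forwarded passive range accept new inbound
# connections; everything else inbound via the external interface is logged
# and dropped.
ftp_rules() {
    ${fwcmd} add 100 divert natd all from any to any via ${ext_if}
    ${fwcmd} add 200 allow tcp from any to ${ftp_srv} 21 in via ${ext_if} setup
    ${fwcmd} add 210 allow tcp from any to ${ftp_srv} ${pasv_lo}-${pasv_hi} in via ${ext_if} setup
    ${fwcmd} add 300 allow tcp from any to any out via ${ext_if} setup
    ${fwcmd} add 310 allow tcp from any to any established
    ${fwcmd} add 65000 deny log ip from any to any in via ${ext_if}
}
```

Source the file, write `natd_conf` to natd.conf and call `ftp_rules` to load the rules; run with `fwcmd=echo` first to review the generated rule list before applying it.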