Date: Mon, 18 Dec 2000 15:31:34 +0100 (MET)
From: Peter Ross <petros@pps.de>
To: freebsd-security@freebsd.org
Subject: FTP and firewall
Message-ID: <200012181431.PAA16565@jung9.pps.de>
Hi,

I tried to redirect FTP to an internal FTP server using natd. I wrote:

> natd_flags="-redirect_port tcp ${intern_ftp_ip}:ftp ftp"
>
> # Allow incoming FTP connections to the internal FTP server
> ipfw add allow tcp from any to ${extern_ip} ftp setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ftp setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ftp setup via ${intern_if}
>
> # and outgoing FTP data connections created by the internal FTP server
> ipfw add allow tcp from ${intern_ftp_ip} 20 to any setup via ${intern_if}
> ipfw add allow tcp from ${intern_ftp_ip} 20 to any setup via ${extern_if}
> ipfw add allow tcp from ${extern_ip} 20 to any setup via ${extern_if}
>
> # Allow TCP through if setup succeeded
> ipfw add pass tcp from any to any established
>
> # Everything else is denied as default.

There is a problem with FTP clients using passive mode. The server listens on ports 49152..65535.

I think the natd redirect option and the firewall rule

> ftp_passive_range="49152-65535"
>
> natd_flags="-redirect_port tcp ${intern_ftp_ip}:${ftp_passive_range} ${ftp_passive_range}"
>
> ipfw add allow tcp from any to ${extern_ip} ${ftp_passive_range} setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via ${intern_if}

should work but .. What do you think?

The FTP control connection contains the data port negotiation between client and server. Can I use this information?

I see five different ways to solve the FTP firewall problem:

1. external FTP server and mirror through the firewall
   Problem: We need the server always up to date, data more than 5 minutes old are not acceptable, also unacceptable are corrupted files (e.g. for files which are created by internal processes while the mirror process works)
   Can I use cpdup (ports collection)?

2. external FTP proxy server with access to an internal server
   Problem: which proxy should I use?

3. external FTP server with NFS access through the firewall
   Problem: NFS and security

4. firewall with FTP server and NFS access to the company network
   Problem: see above, a firewall shouldn't be running daemons with public access

5. 3. or 4. with a more secure network file system (e.g. Coda?)

Thanks for advice

Peter Ross

*******************************************************
Dipl.Inf. Peter Ross                        petros@pps.de
Presse Programm Service Berlin - Systems administration
*******************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
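The poster asks whether the port negotiation carried on the FTP control connection can be used by the firewall. The following Python script is an added example, not part of the original mail and not FreeBSD's natd or ipfw code; it shows the checks a stateful FTP helper (or an application-level FTP proxy) performs before it opens a single data-channel pinhole: it parses the server's 227 PASV reply and the client's PORT command (RFC 959 six-octet encoding), verifies that the announced address is the same host as the control-connection peer, confirms that a passive port lies inside the configured range, and renders the resulting one-connection ipfw rule in the style of the rules above. The server address 192.168.1.10, the client 10.0.0.5, the interface name rl0 and the sample control-channel lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed values standing in for the poster's ${intern_ftp_ip} and
# ftp_passive_range; they are assumptions, not taken from the original mail.
INTERN_FTP_IP = "192.168.1.10"
FTP_PASSIVE_RANGE = (49152, 65535)

# RFC 959 encodes an address/port pair as six decimal octets: h1,h2,h3,h4,p1,p2
_SIX_OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_REPLY_RE = re.compile(r"^227\b.*\(" + _SIX_OCTETS + r"\)")
PORT_COMMAND_RE = re.compile(r"^PORT\s+" + _SIX_OCTETS + r"\s*$", re.IGNORECASE)


def decode_hostport(octets):
    """Turn the six RFC 959 octets into an (IPv4Address, port) pair."""
    values = [int(o) for o in octets]
    if any(v > 255 for v in values):
        raise ValueError("octet out of range in FTP address")
    host = ipaddress.IPv4Address(".".join(str(v) for v in values[:4]))
    port = values[4] * 256 + values[5]
    return host, port


def data_channel_pinhole(control_line, client_ip, server_ip,
                         passive_range=FTP_PASSIVE_RANGE):
    """Derive the one data connection a control-channel line implies.

    Returns a dict describing the TCP connection to allow, or None when the
    line is neither a PASV reply nor a PORT command.  Raises ValueError when
    the announced endpoint is inconsistent with the control connection, which
    is exactly the case a firewall must keep blocked.
    """
    client_ip = ipaddress.IPv4Address(client_ip)
    server_ip = ipaddress.IPv4Address(server_ip)
    lo, hi = passive_range

    m = PASV_REPLY_RE.match(control_line)
    if m:
        host, port = decode_hostport(m.groups())
        # Passive mode: the server may only send the client to itself, and
        # only to a port inside the range the administrator configured.
        if host != server_ip:
            raise ValueError(f"PASV announces {host}, control peer is {server_ip}")
        if not lo <= port <= hi:
            raise ValueError(f"PASV port {port} outside {lo}-{hi}")
        return {"mode": "passive", "src": str(client_ip),
                "dst": str(host), "dport": port}

    m = PORT_COMMAND_RE.match(control_line)
    if m:
        host, port = decode_hostport(m.groups())
        # Active mode: the client may only ask for a connection back to its
        # own address (third-party addresses are refused), never to a
        # privileged port.
        if host != client_ip:
            raise ValueError(f"PORT names {host}, control peer is {client_ip}")
        if port < 1024:
            raise ValueError(f"PORT to privileged port {port} refused")
        return {"mode": "active", "src": str(server_ip), "sport": 20,
                "dst": str(host), "dport": port}

    return None


def to_ipfw_rule(pinhole, via):
    """Render a pinhole as an ipfw rule shaped like the poster's rules."""
    if pinhole["mode"] == "passive":
        return (f"ipfw add allow tcp from {pinhole['src']} to {pinhole['dst']} "
                f"{pinhole['dport']} setup via {via}")
    return (f"ipfw add allow tcp from {pinhole['src']} {pinhole['sport']} to "
            f"{pinhole['dst']} {pinhole['dport']} setup via {via}")


if __name__ == "__main__":
    # Constructed control-channel lines for client 10.0.0.5 talking to the
    # internal server; the last two are the cases a helper must refuse.
    samples = [
        "227 Entering Passive Mode (192,168,1,10,200,10)",
        "PORT 10,0,0,5,4,1",
        "PORT 172,16,0,99,0,25",
        "227 Entering Passive Mode (192,168,1,10,3,232)",
    ]
    for line in samples:
        try:
            hole = data_channel_pinhole(line, "10.0.0.5", INTERN_FTP_IP)
            print(line, "->", to_ipfw_rule(hole, "rl0"))
        except ValueError as err:
            print(line, "-> refused:", err)
```

Note what this buys compared with the static rules in the mail: instead of leaving the whole 49152-65535 range open to any source for the lifetime of the ruleset, a helper that parses the control channel can admit exactly one source/destination/port triple per negotiated transfer and drop it again when the data connection closes. With natd in front of the server, the helper also has to rewrite the address inside the 227 reply from the internal to the external address, otherwise the client will try to connect to an unroutable host.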