From owner-freebsd-security Thu Jan 14 06:38:23 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA12400 for freebsd-security-outgoing; Thu, 14 Jan 1999 06:38:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA12391 for ; Thu, 14 Jan 1999 06:38:19 -0800 (PST) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id PAA14616; Thu, 14 Jan 1999 15:37:09 +0100 (CET)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id PAA88824; Thu, 14 Jan 1999 15:37:09 +0100 (MET)
Date: Thu, 14 Jan 1999 15:37:09 +0100
From: Eivind Eklund
To: Andrew McNaughton
Cc: "Jan B. Koum " , security@FreeBSD.ORG
Subject: Re: examples rules ipfw
Message-ID: <19990114153709.A88792@bitbox.follo.net>
References: <19990112042358.C303@best.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: ; from Andrew McNaughton on Thu, Jan 14, 1999 at 11:00:41PM +1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jan 14, 1999 at 11:00:41PM +1300, Andrew McNaughton wrote:
> > You would be much better off using passive ftp (ftp -p) than opening
> > up all those holes into your network.
>
> I connect to specific hosts which disallow passive ftp, so I don't use
> this approach. I'd be curious to know how common this is?

If you need another secure approach, look at libalias. It contains my code for automatically creating tiny 'holes' in the firewall just allowing one specific connection through.

Unfortunately, there are not any clients in FreeBSD that use that as of today, but you should be able to build it into natd and ppp fairly easily (it is only two function calls to enable it; one to set the rule number range in the firewall rules to use for creating 'holes', and one to enable the flag). I guess the code could be adapted to be usable in environments without NAT, but I haven't really looked into it.

I don't really approve of using pure packet filters for a firewall.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
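Added example, not part of the original message and not libalias code: a constructed Python model of the per-connection 'hole' idea described above. It parses the PORT command an active-mode FTP client sends, derives the single server-to-client data connection that needs to be allowed, and hands out ipfw rule numbers from a fixed range the way a natd-style helper might; the class and function names, the generated ipfw rule text and the sample addresses are all assumptions.

```python
import re
from typing import Optional

# RFC 959 PORT command: h1,h2,h3,h4,p1,p2 -> client address and data port.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line: str) -> Optional[tuple[str, int]]:
    """Return (client_ip, client_port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.group(1, 2, 3, 4)]
    p1, p2 = int(m.group(5)), int(m.group(6))
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        return None
    port = p1 * 256 + p2
    if port < 1024:          # never punch a hole towards a privileged port
        return None
    return ".".join(map(str, octets)), port


class HolePuncher:
    """Model (constructed, not libalias) of one-connection firewall holes drawn from a rule range."""

    def __init__(self, base: int, count: int):
        assert count > 0
        self.base, self.count = base, count   # rule numbers base .. base+count-1 are ours
        self.next = 0                         # rotating cursor into the range
        self.active: dict[int, str] = {}      # rule number -> ipfw command currently installed

    def punch(self, server: str, client: str, client_port: int) -> Optional[tuple[int, str]]:
        """Allow exactly one data connection: server port 20 -> client:client_port."""
        if len(self.active) >= self.count:
            return None                       # range exhausted: refuse rather than widen a rule
        for _ in range(self.count):           # find the next free slot in the range
            rule = self.base + self.next
            self.next = (self.next + 1) % self.count
            if rule not in self.active:
                break
        cmd = f"ipfw add {rule} allow tcp from {server} 20 to {client} {client_port} setup"
        self.active[rule] = cmd
        return rule, cmd

    def close(self, rule: int) -> str:
        """Remove the hole once the data connection is finished; frees the rule number."""
        del self.active[rule]
        return f"ipfw delete {rule}"
```

The point the model makes is the one in the message: the rule admits a single 4-tuple learned from the control channel, and a bounded rule range caps how many such holes exist at once.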