From owner-freebsd-ipfw Fri Nov 16 17: 3:53 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from postoffice.aims.com.au (eth0.lnk.aims.com.au [203.31.73.253]) by hub.freebsd.org (Postfix) with ESMTP id 308D137B41C for ; Fri, 16 Nov 2001 17:03:38 -0800 (PST)
Received: from postoffice.aims.com.au (nts-ts1.aims.private [192.168.10.2]) by postoffice.aims.com.au with ESMTP id fAH13aG82455 for ; Sat, 17 Nov 2001 12:03:36 +1100 (EST) (envelope-from chris@aims.com.au)
Received: from ntsts1 by aims.com.au with SMTP (MDaemon.v3.5.3.R) for ; Sat, 17 Nov 2001 12:03:01 +1100
Reply-To:
From: "Chris Knight"
To: , "'Konstantin'"
Cc:
Subject: RE: Stateful Rules and FTP
Date: Sat, 17 Nov 2001 12:02:59 +1100
Message-ID: <00fa01c16f03$9a8bc200$020aa8c0@aims.private>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20011116144702.E50971@blossom.cjclark.org>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
X-Return-Path: chris@aims.com.au
X-MDaemon-Deliver-To: freebsd-ipfw@FreeBSD.ORG
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Howdy,

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Saturday, 17 November 2001 9:47
> To: Konstantin
> Cc: Chris Knight; freebsd-ipfw@FreeBSD.ORG
> Subject: Re: Stateful Rules and FTP
>
> On Fri, Nov 16, 2001 at 08:24:07PM +0300, Konstantin wrote:
> > [snip]
> > Change this string for FTP
> > add pass tcp from to 21 keep-state in recv ed1 setup
> > add pass tcp from 20 to keep-state in recv ed1 setup
>

This is essentially what I did, but ensuring that the inbound ftp control connection came in over the DMZ i/f and out the internal i/f. The ftp data connection was checked coming in from the internal i/f and out the DMZ i/f, i.e.:

add pass tcp from to 21 keep-state out recv ed1 xmit ed2 setup
add pass tcp from 20 to keep-state out recv ed2 xmit ed1 setup

> I think you forgot to add that you need to switch to "active" FTP for
> these rules to work. But realize these rules open you up to other
> security issues. An FTP proxy would really be the way to go.

I realised that it was active FTP. I can see with the above rules that a bounce attack could occur against any of the DMZ machines, but I can't think of other security issues, unless I stuff up the config of the internal FTP server. I'll look at the FTP install via HTTP proxy method; this should tidy things up a bit.

Thanks for everyone's help.

> --
> [snip]

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.aims.com.au

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
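The following is an added illustration, not part of the original mail or of ipfw itself: a small Python model of ipfw's first-match evaluation, run over Chris's two keep-state rules so the reader can see which connection-opening packets they admit. The addresses the mail leaves out are replaced by constructed ones (DMZ 192.0.2.0/24 behind ed1, internal FTP server 10.0.0.5 behind ed2), the flow names and sample packets are constructed, and keep-state itself is not modelled (only the SYN that the "setup" keyword matches is evaluated). The second rule set, which limits the port-20 data rule to unprivileged destination ports, is a commonly used tightening added here for comparison; it is an assumption of this example, not something the thread proposes, and the thread's own recommendation is an FTP proxy instead.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple, Union

# Constructed topology (an assumption, not taken from the mail): ed1 faces the
# DMZ, ed2 faces the internal LAN, and the internal FTP server is 10.0.0.5.
DMZ_IF, INT_IF = "ed1", "ed2"
DMZ_NET = ip_network("192.0.2.0/24")
FTP_SERVER = ip_network("10.0.0.5/32")
ANY = ip_network("0.0.0.0/0")

PortSpec = Union[None, int, Tuple[int, int]]  # None = any, int = exact, tuple = range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out", as ipfw classifies the packet
    recv_if: str            # interface the packet arrived on
    xmit_if: Optional[str]  # interface it leaves on (None when not forwarded)
    setup: bool             # TCP SYN without ACK, which ipfw's "setup" matches


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


@dataclass(frozen=True)
class Rule:
    """Subset of ipfw syntax: action tcp from src [port] to dst [port]
    [in|out] [recv if] [xmit if] [setup]."""
    action: str
    src: IPv4Network
    sport: PortSpec
    dst: IPv4Network
    dport: PortSpec
    direction: Optional[str] = None
    recv_if: Optional[str] = None
    xmit_if: Optional[str] = None
    setup: bool = False

    def matches(self, p: Packet) -> bool:
        return all([
            ip_address(p.src) in self.src,
            ip_address(p.dst) in self.dst,
            _port_ok(self.sport, p.sport),
            _port_ok(self.dport, p.dport),
            self.direction is None or p.direction == self.direction,
            self.recv_if is None or p.recv_if == self.recv_if,
            self.xmit_if is None or p.xmit_if == self.xmit_if,
            not self.setup or p.setup,
        ])


# Chris's two rules with the elided addresses replaced by the constructed
# networks, followed by ipfw's implicit default deny.
RULESET = [
    Rule("pass", DMZ_NET, None, FTP_SERVER, 21, "out", DMZ_IF, INT_IF, setup=True),
    Rule("pass", FTP_SERVER, 20, DMZ_NET, None, "out", INT_IF, DMZ_IF, setup=True),
    Rule("deny", ANY, None, ANY, None),
]

# Same rules, but the data rule only reaches unprivileged destination ports
# (assumed tightening for comparison; not from the thread).
TIGHTER_RULESET = [
    RULESET[0],
    Rule("pass", FTP_SERVER, 20, DMZ_NET, (1024, 65535), "out", INT_IF, DMZ_IF, setup=True),
    RULESET[2],
]


def evaluate(p: Packet, ruleset=RULESET) -> str:
    """First matching rule wins, as in ipfw."""
    for rule in ruleset:
        if rule.matches(p):
            return rule.action
    return "deny"


def audit(ruleset=RULESET) -> dict:
    """Run a fixed set of constructed connection attempts through a ruleset."""
    flows = {
        # Legitimate active-FTP exchange: control in from the DMZ client,
        # data back out from the server's port 20 to the client's high port.
        "control_dmz_to_ftp21": Packet("192.0.2.10", 40000, "10.0.0.5", 21, "out", DMZ_IF, INT_IF, True),
        "data_ftp20_to_client": Packet("10.0.0.5", 20, "192.0.2.10", 40001, "out", INT_IF, DMZ_IF, True),
        # Traffic the rules correctly reject: wrong port, wrong source host.
        "dmz_to_ftp_ssh": Packet("192.0.2.10", 40000, "10.0.0.5", 22, "out", DMZ_IF, INT_IF, True),
        "other_host_port20": Packet("10.0.0.9", 20, "192.0.2.10", 25, "out", INT_IF, DMZ_IF, True),
        # The bounce exposure Chris notes: the data rule has no destination
        # port, so the server can be steered at any port on any DMZ host.
        "ftp20_to_dmz_smtp": Packet("10.0.0.5", 20, "192.0.2.20", 25, "out", INT_IF, DMZ_IF, True),
    }
    return {name: evaluate(p, ruleset) for name, p in flows.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:24s} {verdict}")
```

Running the script prints one verdict per flow; `audit(TIGHTER_RULESET)` shows the port-25 case flipping to deny while the legitimate data connection still passes. Limiting destination ports narrows the bounce exposure but does not remove it for high ports, which is why the proxy suggested in the thread is the cleaner fix.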