Date:      Mon, 12 Jun 2000 06:29:21 -0400 (EDT)
From:      Greg Hormann <ghormann@alumni.indiana.edu>
To:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc:        security@FreeBSD.ORG
Subject:   Re: Setting up simple firewall with ipfw 
Message-ID:  <Pine.BSF.4.05.10006120627410.1712-100000@hormann.tzo.cc>
In-Reply-To: <200006111721.e5BHLiX06847@cwsys.cwsent.com>


Thanks.  The FTP port was just to see if I could get it to work.  Once I
got it working, I shut it down.

Greg.

> 
> I'm not sure what you're trying to accomplish here -- the 22/udp is 
> confusing, unless you want to allow PC Anywhere through.
> 
> The FTP protocol is an abortion.  You have a choice of passive or PORT 
> FTP.  Depending on the direction you will require opening up your 
> firewall to the world or the world's firewalls need to be opened up to 
> FTP to you.  In my IPFW and ipchains firewalls I specify that my users 
> behind those firewalls must use passive FTP as clients to get out.  As 
> FTP servers are a security risk I usually put them on a DMZ or exterior 
> network.
> 
> A packet filter with an FTP application proxy might let you have the 
> best of both worlds.  It just happens that IP Filter comes with FreeBSD 
> as well.  Even then, running a world-accessible FTP server behind your 
> firewall, IMO, is still a big risk, unless you're offering services to 
> customers behind your firewall who themselves are also behind another 
> firewall, onion ring approach of firewalls within firewalls within 
> firewalls where outside rings have no access to or a very limited 
> access to a set of services on the inside.
> 
> 
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
> 
> 
> 
> 
> 
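The passive-versus-PORT trade-off and the FTP application proxy mentioned in the quoted reply both come down to reading the control channel to learn which side will accept the data connection. The sketch below is an added example, not part of the original e-mail and not code from IP Filter or ipfw; the function names and the sample lines are hypothetical, and the addresses are documentation ranges.

```python
import re

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 where port = p1*256 + p2.
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port tuple in %r" % text)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_pinhole(line, client_ip, server_ip):
    """Return the data connection one control-channel line announces, or None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active (PORT) FTP: the client listens, the server connects in to it.
        mode, listener, connector = "active", client_ip, server_ip
        ip, port = parse_hostport(line[5:])
    elif line.startswith("227 "):
        # Passive FTP: the server listens, the client connects out to it.
        mode, listener, connector = "passive", server_ip, client_ip
        ip, port = parse_hostport(line[4:])
    else:
        return None
    if ip != listener:
        # Only open a pinhole toward the host that is party to this session.
        raise ValueError("advertised address %s is not %s" % (ip, listener))
    return {"mode": mode, "src": connector, "dst": listener, "dport": port,
            "inbound_at": "client" if mode == "active" else "server"}

# Constructed control-channel lines (documentation addresses, not real traffic).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",
    "227 Entering Passive Mode (198,51,100,5,78,52)",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(sample_line, "->", data_pinhole(sample_line, CLIENT, SERVER))
```

The `inbound_at` field names the side whose firewall has to accept an incoming connection: the client's for PORT mode, the server's for passive mode.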


