Date: Thu, 12 Apr 2001 21:16:23 +0200 (CEST)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: Kirk Strauser <kirk@strauser.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Beating a dead horse - ipfw and FTP
Message-ID: <200104121916.VAA74511@info.iet.unipi.it>
In-Reply-To: <87puei53ud.fsf@pooh.honeypot> from Kirk Strauser at "Apr 12, 2001 02:13:14 pm"

we have stateful ipfw and passive ftp -- the combination of the
two should give you the protection that you want. Am I wrong?

	cheers
	luigi

> I've read a lot of the mailing list archives regarding ipfw and FTP. The
> basic consensus seems to be that FTP Is Bad and that it shouldn't be used.
> OK, on a technical level, I agree. Unfortunately, it's still somewhat hard
> to get away from. In particular, look at the FreeBSD ports system which
> relies heavily on using FTP to fetch source tarballs - that alone is reason
> enough for me to maintain usability for this antiquated protocol. Add in
> the fact that I have several user workstations that periodically fetch files
> (darn those Debian users :) ) and I'm pretty well stuck.
>
> So, has anyone agreed on a best-practices method of allowing outgoing FTP
> connections through ipfw? It seems like the ideal would be for someone to
> add an FTP method to ipfw's keep-state mechanism, but that doesn't seem to
> exist right now. The next best solution, to me, would be an ipfw-aware FTP
> proxy that can dynamically open and close ports. Does such a thing exist?
> If so, and there are more than one, are any of them recommended?
>
> I'm thinking that a final last-ditch-effort solution would be to write a
> two-part FTP proxy server so half of the server lives outside the firewall
> and the other half is inside, and the two halves communicate via a secure
> link. This might actually be a Good Thing, but darned if I'd even know
> where to begin such a project.
> --
> Kirk Strauser
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
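
An added illustration, not part of the original message and not ipfw's own code: a simplified Python model of a keep-state style filter, showing why passive FTP passes a policy that only tracks client-initiated connections while active FTP's server-initiated data connection does not. The addresses, ports, and all class and function names are constructed for the example.

```python
# Simplified model of a stateful filter (an assumption-laden sketch, not ipfw).
# Policy modelled: outbound TCP connections create dynamic state (keep-state);
# inbound packets pass only if they match state created from the inside.

class StatefulFilter:
    def __init__(self):
        # Each entry: (inside_ip, inside_port, outside_ip, outside_port)
        self.states = set()

    def outbound_syn(self, src, sport, dst, dport):
        """Inside host opens a connection: allowed, and state is recorded."""
        self.states.add((src, sport, dst, dport))
        return True

    def inbound(self, src, sport, dst, dport):
        """Packet from outside: allowed only as a reply to recorded state."""
        return (dst, dport, src, sport) in self.states


def parse_pasv(reply):
    """Extract (ip, port) from an FTP 227 reply of form (h1,h2,h3,h4,p1,p2)."""
    fields = reply[reply.index("(") + 1:reply.index(")")].split(",")
    nums = [int(f) for f in fields]
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


# Constructed sample addresses (RFC 1918 inside, RFC 5737 outside).
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"


def passive_transfer(fw):
    """Passive mode: the client opens both the control and data connections."""
    fw.outbound_syn(CLIENT, 40000, SERVER, 21)           # control channel
    ip, port = parse_pasv("227 Entering Passive Mode (203,0,113,5,195,80)")
    fw.outbound_syn(CLIENT, 40001, ip, port)             # data channel
    # Server data arrives on the connection the client itself initiated.
    return fw.inbound(ip, port, CLIENT, 40001)


def active_transfer(fw):
    """Active mode: client sends PORT, server connects back from port 20."""
    fw.outbound_syn(CLIENT, 40000, SERVER, 21)           # control channel
    # Server-initiated data connection: no matching state exists for it.
    return fw.inbound(SERVER, 20, CLIENT, 40002)
```
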
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104121916.VAA74511>