Re: Best way to do FTP with NAT and firewall?
Guy Helmer (ghelmer@scl.ameslab.gov)
Fri, 17 Sep 1999 10:44:03 -0500
On Fri, 17 Sep 1999, Brett Glass wrote:
> I've just set up a firewall for a client using ipfw and natd. Trouble
> is, his software seems to be particularly insistent on doing active,
> rather than passive, FTP. This poses a problem, of course, because a
> remote system can't open just data sockets to one behind the firewall
> due to NAT.
>
> I've worked with plenty of commercial firewalls that monitor FTP
> control connections and spoof the port number for the data sockets.
> SLiRP does it; so, apparently, does the pppd that comes with FreeBSD.
> But I can't find any documented way to do it with ipfw and natd.
>
> Are there undocumented commands to accomplish this?
For FTP clients behind the firewall, natd seems automatically to
understand & massage the FTP protocol, since PORT commands work through
it. In my NAT firewall system's /etc/rc.firewall, I have this line:
$fwcmd add pass log tcp from any 20 to ${inet}:${imask} 1024-65535 setup
Since this line has the "log" option, I know it is working. Since this
rule is invoked after the TCP SYN packet has been forwarded by natd, it
seems safe...
Guy
Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
Teaching Assistant, ComS 652 Distributed Operating Systems
http://www.cs.iastate.edu/~ghelmer
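As an added illustration (not part of Guy's message, and not natd's or ipfw's own code), the following Python model shows the interplay he describes: a NAT box rewrites the inside client's PORT command, maps the server's data SYN (from port 20) back to the inside host, and only then is the "from any 20 to ${inet}:${imask} 1024-65535 setup" rule evaluated. The Nat class, the INSIDE/OUTSIDE addresses and the alias-port allocation are constructed for the example; real natd allocates ports differently.

```python
import re
from ipaddress import IPv4Address, IPv4Network

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
INSIDE = IPv4Network("192.168.1.0/24")     # stands in for ${inet}:${imask} (constructed)
OUTSIDE = IPv4Address("203.0.113.5")        # gateway's public address (constructed)


class Nat:
    """Toy stand-in for natd's FTP handling: rewrites PORT and remembers the mapping."""

    def __init__(self, inside, outside, first_alias=40000):
        self.inside, self.outside = inside, outside
        self.next_alias, self.table = first_alias, {}  # alias port -> (inside ip, port)

    def rewrite_port(self, line):
        """Replace an inside address in PORT h1,h2,h3,h4,p1,p2 with the public one."""
        m = PORT_RE.fullmatch(line.strip())
        if not m:
            raise ValueError("not a PORT command")
        o = [int(x) for x in m.groups()]
        if max(o) > 255:
            raise ValueError("octet out of range")
        ip, port = IPv4Address(".".join(map(str, o[:4]))), o[4] * 256 + o[5]
        if ip not in self.inside:
            return line                              # not ours: leave it untouched
        alias, self.next_alias = self.next_alias, self.next_alias + 1
        self.table[alias] = (ip, port)
        pub = str(self.outside).replace(".", ",")
        return "PORT %s,%d,%d" % (pub, alias // 256, alias % 256)

    def translate_inbound(self, dst_ip, dst_port):
        """Map a SYN arriving at the public address back to the inside host (natd step)."""
        if dst_ip == self.outside and dst_port in self.table:
            return self.table[dst_port]
        return dst_ip, dst_port                      # unknown: passed on unchanged


def ftp_data_rule(src_port, dst_ip, dst_port, syn_only):
    """ipfw: add pass tcp from any 20 to ${inet}:${imask} 1024-65535 setup.

    Runs on the packet *after* NAT, so dst_ip is the inside client's address;
    'setup' means only a bare SYN (new connection) can match.
    """
    return syn_only and src_port == 20 and dst_ip in INSIDE and 1024 <= dst_port <= 65535
```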
This archive was generated by hypermail 2.0b3 on Fri Sep 17 1999 - 10:42:49 CDT