[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: fully transparent ftp-proxy and other stories...



On Wed, Oct 30, 2002 at 10:26:24PM +0000, Roy Badami wrote:
> Maybe it's worth it for the added security that a userland proxy gives
no no no no. you totally misunderstand. there is no added security in this
case.
(filtering on the INNER interface, need to reverse in/out if you're
filtering on the external one)
#ftp.bsws.de - ftp sucks
pass out quick on $main_if proto tcp from any to 213.128.133.139 port 21 \
        keep state label "213.128.133.139:21"
pass in  quick on $main_if proto tcp from 213.128.133.139 port 20 to any \
        keep state label "213.128.133.139:21"
pass out quick on $main_if proto tcp from any to 213.128.133.139 \
        port 50000 >< 55000  keep state label "213.128.133.139:21"
and tell your ftpd to use ports 50000..55000 for passive connections. For
pureftpd, this is "-p 50000:55000" on the command line.
then change net.inet.ip.port[|hi][first|last] to not cover the 50000..55000
and you are absolutely fine.