
Re: fully transparent ftp-proxy and other stories...

On Wed, Oct 30, 2002 at 10:26:24PM +0000, Roy Badami wrote:
> Maybe it's worth it for the added security that a userland proxy gives
no no no no. you totally misunderstand. there is no added security in this
(filtering on the INNER interface, need to reverse in/out if you're
filtering on the external one)
#ftp.bsws.de - ftp sucks
pass out quick on $main_if proto tcp from any to port 21 \
        keep state label ""
pass in  quick on $main_if proto tcp from port 20 to any \
        keep state label ""
pass out quick on $main_if proto tcp from any to \
        port 50000 >< 55000  keep state label ""
and tell your ftpd to use ports 50000..55000 for passive connections. For
pureftpd, this is "-p 50000:55000" on the command line.
then change net.inet.ip.port[|hi][first|last] to not cover the 50000..55000
and you are absolutely fine.
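As an added sanity check (example code, not part of the original mail nor of pf or pure-ftpd), the small pf port-operator model below verifies the setup described above: that every passive port the ftpd may hand out is matched by the pass rule, and that the ephemeral-port sysctls no longer overlap the passive range. The sysctl values are constructed sample values, and the passive range is taken as 50000..55000 inclusive, as pure-ftpd's "-p first:last" treats it.

```python
# Added example, not code from the original mail or from pf/pure-ftpd: a small
# model of pf port operators used to sanity-check the setup described above.
# Assumed values: passive range 50000..55000 (pure-ftpd's -p range is inclusive)
# and constructed sample values for the ephemeral-port sysctls.

def pf_port_match(spec, port):
    """True if `port` matches a pf port spec: '21', '1024:2048' (inclusive),
    '50000 >< 55000' (excludes the boundaries) or '50000 <> 55000' (except range)."""
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":"))
        return lo <= port <= hi
    tokens = spec.split()
    if len(tokens) == 1:
        return port == int(tokens[0])
    lo, op, hi = int(tokens[0]), tokens[1], int(tokens[2])
    if op == "><":
        return lo < port < hi
    if op == "<>":
        return port < lo or port > hi
    raise ValueError(f"unsupported pf port operator {op!r}")

def uncovered_passive_ports(rule_spec, first, last):
    """Passive ports the ftpd may hand out that the pass rule would not match."""
    return [p for p in range(first, last + 1) if not pf_port_match(rule_spec, p)]

def ephemeral_overlaps(sysctls, first, last):
    """Names of the ephemeral ranges (portfirst/portlast, porthifirst/porthilast)
    that still overlap the passive range and therefore need adjusting."""
    overlaps = []
    for name in ("port", "porthi"):
        lo = sysctls[f"net.inet.ip.{name}first"]
        hi = sysctls[f"net.inet.ip.{name}last"]
        if lo <= last and hi >= first:
            overlaps.append(name)
    return overlaps

if __name__ == "__main__":
    # Constructed sysctl values before the adjustment the mail recommends.
    before = {"net.inet.ip.portfirst": 1024, "net.inet.ip.portlast": 49151,
              "net.inet.ip.porthifirst": 49152, "net.inet.ip.porthilast": 65535}
    print(uncovered_passive_ports("50000 >< 55000", 50000, 55000))  # [50000, 55000]
    print(uncovered_passive_ports("50000:55000", 50000, 55000))     # []
    print(ephemeral_overlaps(before, 50000, 55000))                  # ['porthi']
```

Because `><` excludes its boundaries, the two endpoint ports are the only ones the rule as written would not pass; the `:` form covers the whole inclusive range.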