[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Here are the rules that I am using to get active ftp working.
OS: Solaris 2.6, on a Sparc 5
Interface: le0 connected to Internet (DSL connection)
le1 connected to internal network (192.168.11.0/24)
# Allow ftp-data connection from any network
pass in log quick on le0 from any port = 20 to 192.168.11.0/24
pass out log quick on le0 proto tcp from hurricane/32 to any port
= 21 flags S/SA keep state
pass out log quick on le0 proto tcp from 192.168.11.0/24 to any
port = 21 flags S/SA keep state
map le0 192.168.11.0/24 -> 0/32 proxy port ftp ftp/tcp
map le0 192.168.11.0/24 -> 0/32 portmap tcp/udp 10000:30000
map le0 192.168.11.0/24 -> 0/32
Hope this helps. I posted all the rules that I am using to
ipfilter's mailing list earlier today. I can forward them to
individual users if you would like to take a look at it. If I
get a lot of request, I will post the rules to firstname.lastname@example.org.
I think the key to active ftp is the inbound rule that allows
connection to 192.168.11.0/24 network for ftp-data connection.
If I remove that rule active ftp stops working for me.
Use the rules at your own risk. I am not sure if what I am doing
is secure, I think it is secure, but not 100% sure. If folks on
the list think that the rules are insecure please let me know and
why you think the rules are insecure. I am still learning how to
use ipfilter properly.
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org]On Behalf Of
> Leif Pedersen
> Sent: Tuesday, September 21, 1999 7:43 PM
> To: email@example.com
> Subject: RE: NAT
> So how would we do active FTP through an OpenBSD
> firewall? I have several
> computers with fake IP addresses behind a firewall
> that currently runs
> [slackware] linux. I want to switch it over to
> OpenBSD, and this is the
> only thing that's holding me back.
- RE: NAT
- From: Leif Pedersen <firstname.lastname@example.org>