[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question about ftp and ipfilter !



On 20 Aug 2001 20:02:39 +0200, Mikael wrote:
> Hello
>  
> I'm building a firewall with OpenBSD 2.9 and Ipfilter, everything is
> going about good but i don't know how to manage with the ftp connection.
> I'd like to let people connect to remote ftp servers.
> -Connection on port 21 is ok
> -Connection on port 20 doesn't work but i guess it's because the ftp
> software client uses only the passive mode
>  
> Problem:
> I should let open all the ports between 1024 and 65535 to let passive
> ftp connection which is not a good idea to secure its network.
>  
> I'd like to write a rule that say the system should open ports 20 and
> from 1024 to 65535 only if a connection on port 21 has already exist. Do
> you think it's possible ?
>  
> Does anyone who has already designed firewalls could give me a few
> advices about the way to proceed with this problem
ipnat includes an ftp proxy so you don't need all that stuff (man! this
is not *ipchains* :)). Just add sth like this to your /etc/ipnat.rules:
map external_if internal_lan_address/internal_lan_mask -> external_if/32
proxy port ftp ftp/tcp

More info is available here (look at running an FTP client or sth like
this):
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_43

HTH
-- 
//saad



Visit your host, monkey.org