#4, 6th May 2008
J65nko, Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

ftp-proxy is written for a firewall box with two interfaces. It will not work with one interface.

To protect your box with one interface you could use a table containing the ftp servers you want to talk to. Then write some rules to allow out-going passive ftp to these servers.

You need two rules, one for the ftp command channel, and another one for the ftp data channel.
  1. client source port >1023 -> server port 21 (ftp command channel)
  2. client source port >1023 -> server port >1023 (ftp data channel)

I have done this on my workstation. Unfortunately I just moved house and I haven't unpacked that one yet, else I would have posted the rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
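The two-rule approach sketched in the post, written out as a pf.conf fragment. This is an added example, not the poster's own (unposted) ruleset; the interface name em0 and the table's addresses are assumptions you must replace with your own.

```pf
# Added example: outgoing passive FTP from a single-interface box.
# Assumptions: the interface is em0 and the FTP servers are the constructed
# documentation addresses below; substitute your real interface and servers.
ext_if = "em0"

# Only the hosts in this table are reachable on the wide data-channel port range,
# so the ">1023 to >1023" rule is not an open door to the whole internet.
table <ftpservers> const { 192.0.2.10, 192.0.2.20 }

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# 1. FTP command channel: client port >1023 -> server port 21.
#    flags S/SA creates state only on the initial SYN.
pass out on $ext_if proto tcp from $ext_if port > 1023 \
    to <ftpservers> port 21 flags S/SA keep state

# 2. FTP data channel (passive mode): client port >1023 -> server port >1023.
#    In passive mode the client opens the data connection, so an outgoing
#    rule is enough; no inbound rule is needed and active mode stays blocked.
pass out on $ext_if proto tcp from $ext_if port > 1023 \
    to <ftpservers> port > 1023 flags S/SA keep state
```

This fragment covers FTP only and must be merged with the rest of your ruleset (DNS, SSH and so on); check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and inspect the table with `pfctl -t ftpservers -T show`.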