Discussion: "some doubt - protecting ftp server behind NAT and pf", from the comp.unix.bsd.openbsd.misc forums (OpenBSD category).
I have some doubts about protecting an ftp server behind NAT and pf.

I know about the new ftp-proxy in OpenBSD 3.9 (I am using it already :-) but here is a question about protecting an ftp server only with NAT and pf; there is no reverse ftp-proxy, neither "old" nor "new" style.

In pf-faq37 we find this example:

    ftp_server = "10.0.3.21"
    rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
    ...etc...

Of course, there must also be:

    nat on $ext_if proto tcp from $internal_net to any -> $ext_if

Here is my question: is it better to put a more restrictive rdr statement, like:

    rdr on $ext_if proto tcp from any to $ext_if_addr port 21 -> $ftp_server port 21
                                         ^^^^^^^^^^^^

Now, an external ftp client can see only the external IP address on my firewall ($ext_if_addr).

My second question is: Is it OK to put the word "pass" in rdr/nat and after that block all, like:

    nat pass on $ext_if proto tcp from $internal_net to any -> $ext_if
    rdr pass on $ext_if proto tcp from any to $ext_if_addr port 21 -> $ftp_server port 21
    block all

igor.kos1@remooove.zg.t-com.hr
igy <igor.kos1@removee.zg.t-com.hr> wrote:

> I have some doubts about protecting an ftp server behind NAT and pf.
>
> I know about the new ftp-proxy in OpenBSD 3.9 (I am using it already :-)
> but here is a question about protecting an ftp server only with NAT and pf;
> there is no reverse ftp-proxy, neither "old" nor "new" style.
>
> In pf-faq37 we find this example:
>
>     ftp_server = "10.0.3.21"
>     rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
>     ...etc...
>
> Of course, there must also be:
>
>     nat on $ext_if proto tcp from $internal_net to any -> $ext_if
>
> Here is my question: is it better to put a more restrictive rdr statement,
> like:
>
>     rdr on $ext_if proto tcp from any to $ext_if_addr port 21 -> $ftp_server port 21
>                                          ^^^^^^^^^^^^
>
> Now, an external ftp client can see only the external IP address on my firewall
> ($ext_if_addr).

Yes.

> My second question is: Is it OK to put the word "pass" in rdr/nat and after that
> block all, like:
>
>     nat pass on $ext_if proto tcp from $internal_net to any -> $ext_if
>     rdr pass on $ext_if proto tcp from any to $ext_if_addr port 21 -> $ftp_server port 21
>     block all

I believe so, yes.

Joachim
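A complete ruleset in the pre-4.7 nat/rdr syntax the thread uses (OpenBSD 3.9 era), added here as an illustration; it is not from the thread or the pf FAQ, and the interface names and the 192.0.2.10 address are assumed placeholders. It keeps the restricted rdr and the "nat pass / rdr pass / block all" layout that was asked about, and adds the pieces that fragment leaves out: nat and rdr with "pass" only bypass the filter on $ext_if, so LAN packets still meet "block all" when they first enter on $int_if and need their own pass rule, and NAT restricted to "proto tcp" leaves UDP (DNS) and ICMP from the LAN neither translated nor passed. "keep state" is written out because stateful filtering only became the default in 4.1.

```pf
# Added example ruleset (not from the thread): ftp server behind NAT with
# pf only, no ftp-proxy. Interface names and addresses are assumed values.
ext_if       = "fxp0"
int_if       = "fxp1"
internal_net = "10.0.3.0/24"
ftp_server   = "10.0.3.21"
ext_if_addr  = "192.0.2.10"     # assumed public address of $ext_if

# Loopback is never filtered.
pass quick on lo0

# NAT all protocols from the LAN, not only tcp; the translated packet is
# passed without consulting the filter rules ("pass"), state is created.
nat pass on $ext_if from $internal_net to any -> ($ext_if)

# Redirect only connections addressed to the firewall's own public address
# (the restrictive form from the thread). "rdr pass" also creates state and
# skips the filter rules on $ext_if, so "block all" below does not affect it.
rdr pass on $ext_if proto tcp from any to $ext_if_addr port 21 -> $ftp_server port 21

# Default deny; last matching rule wins, so the pass rules below override it.
block all

# nat/rdr "pass" covers $ext_if only: LAN traffic enters on $int_if first and
# would otherwise be dropped by "block all".
pass in on $int_if from $internal_net to any keep state

# Let the firewall itself talk to the outside (replies return via state).
pass out on $ext_if from ($ext_if) to any keep state

# Caveat: only the ftp control connection (port 21) is handled here. Active-mode
# data connections originate from $ftp_server and are covered by the nat rule;
# passive-mode data connections from the client go to server-chosen ports that
# nothing above redirects. Without ftp-proxy the server needs a fixed passive
# port range redirected the same way and must advertise $ext_if_addr in PASV.
```

Load with `pfctl -nf /etc/pf.conf` first to parse-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s rules` show the translation and filter rules as pf parsed them.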