Kevin said the following on 10/24/05 12:55:
> On 10/24/05, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
>> On Mon, Oct 24, 2005 at 06:14:49PM +0930, Aluminium Oxide wrote:
>>> While the satisfactory and workable solution is using a rdr and passing
>>> the role to an ftp-proxy, I would like to add to pf the capability to
>>> actually monitor the erection of an ftp connection and create an
>>> anticipatory state to permit:
>>> . . .
>> If your module simply scans individual packets' payload to
>> search for a magic string, it will be fooled like this.
> I agree with Dan.
> One alternative to bypassing ftp-proxy might be to enhance the interaction
> between ftp-proxy and pf, so instead of proxying the data connection,
> ftp-proxy can optionally build the appropriate temporary NAT and pass rules
> to allow the data connection via pf, eliminating a performance
> bottleneck while keeping *most* of the security of ftp-proxy.
> Two drawbacks to the above approach are the loss of visibility into
> and transfer accounting for the data connection, and greater exposure
> to attacks such as this one:
> http://www.enyo.de/fw/security/java-firewall/
> Kevin Kadow
/usr/src/usr.sbin/ftp-proxy uses anchors in pf.conf to add rules for the ftp traffic. It hasn't been linked in yet.
From the link:
"In firewalls, do not use heuristic approaches to stateful filtering.
Complex protocols should be handled by application layer gateways that
actually understand the protocols they are letting through."
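As an added illustration of the anchor-based design the reply above refers to (this fragment is not from the thread or from ftp-proxy itself), the pf.conf skeleton such a proxy needs: empty anchors that the proxy populates at run time, plus the rdr that hands the control connection to it. $int_if and $lan are assumed macro names, and 8021 is ftp-proxy's default listening port.

```pf
# Added example, not from the thread or the ftp-proxy sources.
int_if = "em1"            # assumed: internal interface
lan    = "192.168.1.0/24" # assumed: internal client network

# Empty translation anchors. The proxy inserts the temporary nat/rdr rules
# for each negotiated data connection here and removes them when it ends.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand every client control connection (port 21) to the proxy listening
# on the loopback interface, so the proxy, not a packet scanner, parses
# the PORT/PASV exchange and decides which data connection to allow.
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# The pass rules the proxy installs for data connections are evaluated here.
# If the ruleset blocks by default, the proxy's own outbound control
# connections to port 21 must also be passed by a rule of your own.
anchor "ftp-proxy/*"
```

The rules the proxy inserts live in sub-anchors below ftp-proxy; `pfctl -a ftp-proxy -sA` lists them, which is where to look when auditing which data connections have been opened through the firewall.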