On Wed, Oct 30, 2002 at 10:26:24PM +0000, Roy Badami wrote: > Is that what everyone else does?
Yes. If you can't ensure that the ftp server never has a vulnerable service listen on a port inside the range used for ftp passive data connections, you could use ftp-proxy with the reverse proxy diff (see archive), and open the port range only on the firewall, which then forwards the data connections to the ftp server. And ensuring no vulnerable service starts listening on a port in that range on the firewall should be possible... > Incidentally, the other big thing I get with iptables (that pf lacks, > as far as I can tell) is the ability for a rule to match on both the > interface that a packet was received on and the interface that it will > be forwarded out on. Whilst not a showstopper, it makes the rules a > lot simpler and maintainable in the case of a large network (otherwise > you essentially have to duplicate your routing table in your filtering > rules in order to gain the same effect). I don't understand how the ability to specify both interfaces in a single rule in iptables helps you there. If a connection always comes in through interface A but can leave through B or C, depending on the (dynamic) routing table, how do you write the rule set so it covers both cases and doesn't duplicate the routing table? How is that different from filtering on all three interfaces and allowing connection in on A and out of B and C statefully? Daniel
