On 10/24/05, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 24, 2005 at 06:14:49PM +0930, Aluminium Oxide wrote:
>>While the satisfactory and workable solution is using a rdr and passing
>>the role to an ftp-proxy, I would like to add to pf the capability to
>>actually monitor the erection of an ftp connection and create an
>>anticipatory state to permit:
. . .
> If your module simply scans individual packets' payload to
> search for a magic string, it will be fooled like this.
I agree with Dan.
One alternative to bypassing ftp-proxy might be to enhance the interaction
between ftp-proxy and pf, so instead of proxying the data connection,
ftp-proxy can optionally build the appropriate temporary NAT and pass rules
to allow the data connection via pf, eliminating a performance
bottleneck while keeping *most* of the security of ftp-proxy.
Two drawbacks to the above approach are the loss of visibility into
and transfer accounting for the data connection, and greater exposure
to attacks such as this one:
http://www.enyo.de/fw/security/java-firewall/
Kevin Kadow
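As an added illustration of the approach Kevin sketches (ftp-proxy watching the control channel and installing temporary pf rules for the data connection instead of proxying it), together with Daniel's caveat about scanning single packets, here is a small control-channel tracker. This is example code, not OpenBSD's ftp-proxy(8) and not anything posted in the thread; the interface name, the anchor name in the usage note, the sample addresses and the exact pf rule syntax are assumptions. It reassembles the control stream before parsing, so a PORT command split across two segments is still recognised, and it emits a rule only when the announced data endpoint passes sanity checks (the address must be the peer's own and the port must be unprivileged).

```python
"""Track an FTP control channel and emit pf rules for its data connections.

Added illustration (not OpenBSD's ftp-proxy(8)); the interface name and the
exact rule syntax are assumptions.  The control stream is reassembled before
parsing, so a PORT command split across two segments is still recognised,
and a rule is emitted only when the announced endpoint passes sanity checks.
"""
import re

PRIV_PORT_MAX = 1023

# Client commands: "PORT h1,h2,h3,h4,p1,p2" and "EPRT |1|host|port|"
_PORT_RE = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_EPRT_RE = re.compile(rb"^EPRT\s+\|1\|([\d.]+)\|(\d+)\|\s*$", re.I)
# Server replies: "227 ... (h1,h2,h3,h4,p1,p2)" and "229 ... (|||port|)"
_PASV_RE = re.compile(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(rb"\(\|\|\|(\d+)\|\)")


def _h_p(m):
    """Turn the six decimal fields of PORT/227 into (host, port)."""
    f = [int(x) for x in m.groups()]
    return "%d.%d.%d.%d" % tuple(f[:4]), f[4] * 256 + f[5]


class FtpControlTracker:
    def __init__(self, client, server, ext_if="ext0"):
        self.client, self.server, self.ext_if = client, server, ext_if
        self._buf = {"client": b"", "server": b""}
        self.rules = []      # rules that would be loaded into the anchor
        self.rejected = []   # (line, reason) for endpoints that failed checks

    def feed(self, side, data):
        """Consume reassembled bytes from 'client' or 'server'; return new rules."""
        self._buf[side] += data
        out = []
        while b"\r\n" in self._buf[side]:
            line, _, self._buf[side] = self._buf[side].partition(b"\r\n")
            ep = self._client_ep(line) if side == "client" else self._server_ep(line)
            if ep is None:
                continue
            host, port = ep
            expected = self.client if side == "client" else self.server
            reason = self._check(host, port, expected)
            if reason:
                self.rejected.append((line, reason))
                continue
            rule = self._active_rule(port) if side == "client" else self._passive_rule(port)
            self.rules.append(rule)
            out.append(rule)
        return out

    def _client_ep(self, line):
        m = _PORT_RE.match(line)
        if m:
            return _h_p(m)
        m = _EPRT_RE.match(line)
        if m:
            return m.group(1).decode(), int(m.group(2))
        return None

    def _server_ep(self, line):
        if line.startswith(b"227"):
            m = _PASV_RE.search(line)
            return _h_p(m) if m else None
        if line.startswith(b"229"):
            m = _EPSV_RE.search(line)
            return (self.server, int(m.group(1))) if m else None
        return None

    @staticmethod
    def _check(host, port, expected):
        """The announced address must be the peer's own, and the port unprivileged."""
        if host != expected:
            return "address %s is not %s" % (host, expected)
        if not PRIV_PORT_MAX < port <= 65535:
            return "port %d is privileged or out of range" % port
        return None

    def _active_rule(self, port):
        # Active mode: the server dials back from port 20 to the client's port.
        return ("pass in quick on %s inet proto tcp from %s port 20 to %s port %d "
                "flags S/SA keep state" % (self.ext_if, self.server, self.client, port))

    def _passive_rule(self, port):
        # Passive mode: the client connects out to the port the server announced.
        return ("pass out quick on %s inet proto tcp from %s to %s port %d "
                "flags S/SA keep state" % (self.ext_if, self.client, self.server, port))
```

The emitted rules would be loaded into a per-session anchor (for example `pfctl -a ftp-proxy/<session> -f -`, reading the rules from stdin) and flushed with `pfctl -a ftp-proxy/<session> -F rules` when the control connection closes; a client behind NAT would additionally need a matching nat rule for the passive case. The address and privileged-port checks narrow the hole that a forged PORT can open, but they do not close it: a client-side program can still name its own address with an unprivileged port, which is exactly the exposure the message above refers to with the java-firewall link.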