On Wed, Oct 30, 2002 at 10:26:24PM +0000, Roy Badami wrote:

> Is that what everyone else does?

Yes. If you can't ensure that the ftp server never has a vulnerable
service listen on a port inside the range used for ftp passive data
connections, you could use ftp-proxy with the reverse proxy diff (see
archive), and open the port range only on the firewall, which then
forwards the data connections to the ftp server. And ensuring no
vulnerable service starts listening on a port in that range on the
firewall should be possible...

> Incidentally, the other big thing I get with iptables (that pf lacks,
> as far as I can tell) is the ability for a rule to match on both the
> interface that a packet was received on and the interface that it will
> be forwarded out on.  Whilst not a showstopper, it makes the rules a
> lot simpler and more maintainable in the case of a large network (otherwise
> you essentially have to duplicate your routing table in your filtering
> rules in order to gain the same effect).

I don't understand how the ability to specify both interfaces in a
single rule in iptables helps you there. If a connection always comes in
through interface A but can leave through B or C, depending on the
(dynamic) routing table, how do you write the rule set so it covers both
cases and doesn't duplicate the routing table?

How is that different from filtering on all three interfaces and
allowing connections in on A and out of B and C statefully?

Daniel
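An added pf.conf fragment (not from Daniel's message or from the pf project) illustrating the stateful three-interface approach he describes: the connection is allowed in on A and out on B or C, and the state entry covers whichever exit interface the routing table picks. The interface names fxp0/fxp1/fxp2, the server network and the port are assumptions.

```pf
# Added example, not from the list message. Assumed layout:
#   fxp0 = interface A, where connections arrive
#   fxp1, fxp2 = interfaces B and C, where they may leave depending
#   on the (dynamic) routing table
ext_if  = "fxp0"
int_ifs = "{ fxp1, fxp2 }"
servers = "10.0.0.0/24"     # assumed network reachable via B or C

# Default deny on every interface, in both directions.
block all

# Inbound on A: accept the TCP handshake and create a state entry.
pass in on $ext_if inet proto tcp from any to $servers port 80 \
    flags S/SA keep state

# Outbound on B or C: the same state lets the forwarded packets
# through on whichever interface the route resolves to, so the
# routing table is never repeated in the rule set.
pass out on $int_ifs inet proto tcp from any to $servers port 80 \
    flags S/SA keep state
```

Because pf states are not tied to an interface by default, the packet that entered on fxp0 matches its state on the way out of fxp1 or fxp2 without a per-exit-interface rule.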
