Linked by Thom Holwerda on Wed 20th Sep 2006 21:03 UTC, submitted by Jason Dixon
Pre-orders for OpenBSD 4.0 are now available in the online store. Five architectures on three CDs in a soft-shell DVD case. Check out the highlights of OpenBSD 4.0. This new release adds support for many wireless chipsets, as well as support for the UltraSPARC III, and much, much more.
Thread beginning with comment 164214
RE: Try it
by Soulbender on Thu 21st Sep 2006 12:01 UTC in reply to "Try it"
Soulbender (member since 2005-08-18)

"However, iptables is able to handle this by reading the PORT command (this is in the FTP protocol) and determining which port is going to be used for the data port. "

On a workstation I don't see why this matters in any way.
On a firewall you'd use ftp-proxy for this. Well, you could probably use ftp-proxy on a workstation too but why bother?

Reply Parent Score: 2

RE[2]: Try it
by tomfitzyuk on Thu 21st Sep 2006 12:20 in reply to "RE: Try it"
tomfitzyuk (member since 2006-01-25)

--- On a workstation I don't see why this matters in any way. ---
Just because it's a workstation doesn't mean I'm going to want it much less secure than a server. I would prefer to have one outgoing port open for FTP rather than 20,000.

--- On a firewall you'd use ftp-proxy for this. Well, you could probably use ftp-proxy on a workstation too but why bother? ---
I know ftp-proxy would be used for a firewall, to allow machines behind the firewall to use FTP properly; however, ftp-proxy doesn't allow the actual machine with PF (be that a firewall machine, or a workstation with PF) to access FTP properly.

I tried redirecting packets from 127.0.0.1 port 21 to 127.0.0.1 port 8021 (the port on which ftp-proxy listens) but this never worked.

I know it's not much of a problem, I'd just prefer to only have the necessary ports open.

As to why I'm running PF on a workstation, I'm going to uni in a week and they only allow one computer connected to their network, meaning no firewall machine... and since I need a firewall, it must be on the workstation.

Reply Parent Score: 1

RE[3]: Try it
by koen on Thu 21st Sep 2006 12:48 in reply to "RE[2]: Try it"
koen (member since 2005-11-15)

If your university only allows 1 machine connected, just set up a local LAN and mask it properly from your univ's network? I can't imagine your univ's admin checking each dorm room and counting all the appliances that can be networked.

If you insist on having a single workstation doing everything, and insist on having a 'secure' way of doing FTP, you're indeed bound to use the ftp-proxy locally (I never tried this, but I'm very sure it's perfectly possible to do).

Reply Parent Score: 1
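For readers who want to see what the two suggestions above look like in practice, here is an added pf.conf example (written for this page; it is not code posted by any of the commenters and not part of the OpenBSD release). It takes koen's approach: the OpenBSD 4.0 box is the single machine plugged into the university network, a small dorm LAN sits behind it, the LAN is NATed out of the uplink, and the LAN clients' FTP control connections are handed to the ftp-proxy(8) that ships with the release, using the nat-anchor/rdr-anchor/anchor rules its manual page calls for. Interface names (fxp0, rl0), the 192.168.1.0/24 LAN and the 127.0.0.1:8021 listener are assumptions; adjust them to the real hardware.

```pf
# /etc/pf.conf (added example, assumed interface names and addresses)
ext_if  = "fxp0"           # assumed: the one NIC allowed on the university network
int_if  = "rl0"            # assumed: second NIC facing the dorm LAN
int_net = "192.168.1.0/24" # assumed: private dorm LAN

set skip on lo0

# Anchors that ftp-proxy(8) populates at run time with the per-session
# nat/rdr rules and pass rules for the negotiated FTP data ports.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Mask the whole dorm LAN behind the uplink address so the university
# only ever sees one host (koen's suggestion).
nat on $ext_if from $int_net to any -> ($ext_if)

# Send LAN clients' FTP control connections to the local ftp-proxy, which
# listens on 127.0.0.1:8021 by default (assumed unchanged here).
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Default deny; let the LAN out and let the gateway itself talk to the world.
block all
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if keep state

# Data connections opened by ftp-proxy are allowed through this anchor only,
# so no standing range of high ports needs to be open.
anchor "ftp-proxy/*"
```

Two things have to accompany the ruleset: IP forwarding must be on (`net.inet.ip.forwarding=1` in /etc/sysctl.conf) and ftp-proxy has to be started (`ftpproxy_flags=""` in /etc/rc.conf.local). A caveat that bears on tomfitzyuk's attempt: pf's rdr rules are evaluated on packets arriving on an interface, so an FTP connection that the gateway itself opens to an outside server leaves through $ext_if and is never matched by a rdr, which is consistent with the 127.0.0.1 port 21 to port 8021 redirection in the thread not taking effect. Only clients on the LAN side get proxied by this configuration; FTP from the PF host itself is not solved by it.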