On Mon, Aug 20, 2007 at 04:33:28PM -0400, stuart van Zee wrote:
> Hello all,
>
> I currently have an FTP server on the internet for use transferring
> files back and forth with customers and have now been given the
> requirement to put a firewall between it and the internet but still
> allow users to use the ftp service. So, I was looking at the
> possibility of dropping an OpenBSD box in that is set up to serve as
> a filtering bridge but I have been unable to find information about
> how to set up a transparent bridge in front of an FTP server. Do I
> need to run an FTP proxy on the bridge? Or does the fact that the
> bridge is transparent take care of that issue?
>
> A point in the right direction would be appreciated. I tried
> looking up on Google, but I found a bazillion hits on how to set up a
> firewall on a network and still being able to reach an ftp server on
> the internet from the network, but nothing on how to do it the other
> way around where the FTP server is behind the firewall. My guess is
> the information I need is there but I was unable to see it through
> all the interference. I have also looked at the bridge section of
> the FAQ, and I am planning on going back in and looking further to
> see if I just missed something. Unfortunately, I was unable to
> search the list archive because we are restricted here where I work
> as to where we can and can't go on the internet.
I don't know the exact answer, but if you want to do stateful filtering on your bridge, you do need some way to capture FTP state (i.e. it won't 'just work'). I recall people talking about using ftpsesame (capitalization is most likely wrong, but spelling should be correct), which should add the relevant rules on the fly.

Joachim

--
TFMotD: newsyslog (8) - trim log files to manageable sizes
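To illustrate the point above about capturing FTP state on a bridge, here is an added example that is not from the thread, from ftpsesame or from OpenBSD: it parses the control-channel lines in which the data connection is negotiated (PASV/EPSV replies, PORT commands) and emits the one pf rule a helper would have to insert per transfer, which is exactly what a plain stateful rule on port 21 cannot learn. The client and server addresses, the sample lines and the interface name em0 are constructed assumptions.

```python
import re

# Server reply announcing a passive-mode data endpoint (RFC 959 PASV).
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server reply for extended passive mode (RFC 2428 EPSV): port only.
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
# Client command announcing an active-mode data endpoint (RFC 959 PORT).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def _endpoint(fields):
    """Decode h1,h2,h3,h4,p1,p2; None if any field is out of byte range."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(fields[:4]), nums[4] * 256 + nums[5]

def data_connection(line, client_ip, server_ip):
    """(src, dst, dport) of the data connection this control line negotiates,
    or None if it negotiates nothing or names an address it should not."""
    m = PASV_RE.match(line)
    if m:
        ep = _endpoint(m.groups())
        # Only let the server steer the client to the server's own address.
        if ep is None or ep[0] != server_ip or ep[1] == 0:
            return None
        return (client_ip, server_ip, ep[1])
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (client_ip, server_ip, port) if 0 < port <= 65535 else None
    m = PORT_RE.match(line)
    if m:
        ep = _endpoint(m.groups())
        # Active mode: the server connects back from port 20 to the client;
        # refuse a PORT that names any host other than the client itself.
        if ep is None or ep[0] != client_ip or ep[1] == 0:
            return None
        return (server_ip, client_ip, ep[1])
    return None

def pf_rule(conn, ifname="em0"):
    """One pf.conf(5) rule for that single data connection; the interface
    name is an assumption about the bridge member facing the internet."""
    src, dst, dport = conn
    return f"pass on {ifname} proto tcp from {src} to {dst} port {dport} keep state"

# Constructed control-channel sample: a passive transfer negotiated by a
# customer at 203.0.113.5 with the FTP server at 192.0.2.10 (port 195*256+80).
SAMPLE = ["230 Login successful.", "227 Entering Passive Mode (192,0,2,10,195,80).", "LIST"]
RULES = [pf_rule(c) for c in (data_connection(l, "203.0.113.5", "192.0.2.10") for l in SAMPLE) if c]
```

A real helper would also remove the rule once the data connection's state expires, otherwise the bridge accumulates one-off holes.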