2/26 Is it possible to use ipfw in *BSD to let users do FTP gets but not
FTP puts? I'm being asked to let people get stuff from the internet
but not let them send anything out. If ipfw can't do it, how about a
commercial firewall like Cisco PIX or Checkpoint? Thanks.
\_ Checkpoint can't. I don't know about PIX, it might have
tcp payload inspection.
The easiest solution for you is to install a proxy or
to hack the ftp server so that PUT is not supported.
\_ I don't think so--the server initiates the data connection back
to you, unless you're using passive ftp, in which case both the
"administrative" and data connections run via port 20. As
far as the firewall is concerned, if you're permitting tcp
outgoing, packet is packet. All commercial firewalls I know
of are the same--they cannot distinguish what direction the
actual files are going in. Snoop/tcpdump a plain ftp connection
to see what goes back and forth. What you can do, however, is
run an ftp proxy which only permits FTP GET. -John
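The GET-only FTP proxy suggested above, as an added example that is not code from this thread or from any of the products named in it: it models the one decision such a proxy makes on the control channel. The data channel carries a byte stream in one direction whatever the transfer direction, so a packet filter has nothing to go on; only the command text (RETR versus STOR/STOU/APPE) says which way a file is moving. The command lists, the session transcript and the synthetic 502 reply are assumptions made for the example.

```python
"""Minimal FTP control-channel filter: allow downloads (RETR), refuse uploads.

Added example, not code from the thread. It models the decision a GET-only
FTP proxy makes on the control channel: the data channel carries bytes in
one direction regardless of transfer direction, so only the command text
tells the proxy whether a file is coming in or going out.
"""
import re

# Commands that push data from the client to the server (uploads).
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}
# Commands that pull data from the server to the client (downloads), plus
# the housekeeping a client needs to log in and navigate (assumed list).
ALLOWED_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "QUIT", "TYPE", "MODE", "STRU",
    "PORT", "PASV", "RETR", "LIST", "NLST", "PWD", "SYST", "STAT", "HELP",
    "NOOP", "SIZE", "MDTM", "FEAT", "REST", "ABOR",
}

# FTP verbs are three or four letters, optionally followed by an argument.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


def parse_command(line: str):
    """Split one control-channel line into (VERB, argument).

    Returns (None, None) for lines that are not syntactically FTP commands.
    """
    line = line.rstrip("\r\n")
    m = CMD_RE.match(line)
    if not m:
        return None, None
    return m.group(1).upper(), (m.group(2) or "")


def decide(line: str):
    """Return (forward, reply_to_client).

    forward is the line to send to the server, or None if the proxy swallows
    it; reply_to_client is a synthetic response sent when the command is
    refused, or None when the line is forwarded untouched.
    """
    verb, _arg = parse_command(line)
    if verb is None:
        return None, "500 Syntax error, command unrecognized.\r\n"
    if verb in UPLOAD_COMMANDS:
        # Refuse uploads at the proxy; the server never sees the STOR, so
        # no data connection is ever opened for it.
        return None, "502 Command not implemented.\r\n"
    if verb in ALLOWED_COMMANDS:
        return (line if line.endswith("\r\n") else line + "\r\n"), None
    # Anything else (SITE, DELE, MKD, RNFR/RNTO, ...) is refused too: a
    # deny-by-default list is the only safe shape for this kind of filter.
    return None, "502 Command not implemented.\r\n"


def filter_session(client_lines):
    """Run a whole client-side command transcript through decide()."""
    forwarded, refused = [], []
    for line in client_lines:
        fwd, reply = decide(line)
        if fwd is not None:
            forwarded.append(fwd.strip())
        else:
            refused.append((line.strip(), reply.strip()))
    return forwarded, refused


# Constructed sample session (not captured traffic): log in, download a
# file, then attempt an upload two different ways.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.invalid\r\n",
    "TYPE I\r\n",
    "PASV\r\n",
    "RETR README\r\n",
    "stor secrets.tgz\r\n",   # lower-case: verbs are case-insensitive
    "APPE notes.txt\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    fwd, ref = filter_session(SAMPLE_SESSION)
    print("forwarded:", fwd)
    print("refused:", ref)
```

Two caveats a real proxy has to cover that this sketch does not: it must reassemble the control stream before matching (a client can split `ST` and `OR` across packets, which is exactly why a per-packet filter cannot do this job), and it must still relay PORT/PASV so that the permitted RETR has a data connection to use.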
\_ You need a pretty complex firewall to be able to block FTP puts
but not gets. It has to inspect the protocol and reset the put
commands. I don't remember seeing options for that in PIX, but you
can check the online Cisco docs. -ERic
\- use Bro. It groks FTP. You can even RST the connection in
either dir if you, say, see a get of *passwd*. ok tnx. --psb
\_ what's Bro? urlp.
\_ isn't it otherwise known as the "man-siere"?
\_ a bra for men? (aka a man-siere)
\_ Uh, men don't have breasts. How would this work.
\_ ftp://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z.
\- more recent version from Computer Networks. See Vern's
home page for link. --psb
\_ Vern?