Does anyone here use the ftp-gw s/w in the TIS firewall toolkit ?
I'm interested in knowing how to get it to deny being used as a
proxy agent for reaching internal hosts (for which it only knows
an IP#) whilst allowing internal hosts to use it as a proxy and
everyone to use it as an anonymous ftp server itself.
(Is this too much to expect from it ??)
It seems to behave fine as a proxy server going out, but it doesn't
seem to like things like this:
ftp-gw: hosts -dest !10.*
in the netperm file. (Using !*.foo.bar is fine).
Does anyone have a sample set of netperm entries they could share
showing how to achieve it properly ? I'm very worried that if
someone does "ftp @10.0.0.51" the ftp-gw s/w will allow that through...
even if you only have "-dest !*.foo.bar" in your netperm file!
(Although "ftp @fubar.foo.bar" is blocked).
I'm using version 1.1...what have I done wrong ? This just doesn't
make sense to me :/
cheers,
Darren