[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pf proxy support
> one feature of ipf I use is proxy support, particularly the FTP proxy
> although there are other proxies. I am trying to see how I would achieve
> the same functionality utilizing pf.
Using userland proxies like our ftp proxy which we provide. Others
can easily be written.
ipf in-kernel proxies are fundamentally broken, since they are not
aware of overlapping packet attacks. Keepe your eye tuned to
> if I understand correctly, proxy support with pf is implemented via
> redirecting connections to a proxy server running in user space. according
> to the documentation for ftp-proxy, you need to add in broad rule such as:
> pass in on xl1 proto tcp from any to xl1 port > 49151 keep state
> in order to get it to work, allowing possible connection attempts that are
> not actually associated with a given FTP session. This method also seems
> incompatible with a bridging firewall, as the user space proxy needs an IP
> address on the interface.
a bridged ftp proxy would be just as vulnerable. Since packets are
reassembled at the wrong place, it is fundamentally vulnerable to
fragrouter style attacks..
Not everything which is possible using features of our network stack
is secure; not everything is desirable; and not everything that is
possible is smart to do.
We just supply rope.