SunScreen 3.1 Configuration Examples

Setting Up Anonymous FTP Using the FTP Proxy

Another requirement is to ALLOW anonymous FTP to the server lon-host3 using the FTP Proxy. Because this is anonymous FTP, it is not necessary to create an Authenticated User. Use the predefined Proxy Users for ftp and anonymous for this purpose.

In this configuration, the advantage of using the FTP Proxy rather than a regular packet filter rule to ALLOW anonymous FTP access is that the outside world does not need to know which system is the FTP server. Because the FTP connection is made from the firewall, only the firewall needs to know how to resolve the name ftp-server to an IP address. The firewall can use a simple alias in its hosts file, and that alias can be changed to point to another server without the need to tell your users. In this example, the FTP server lon-host3 has an illegal IP address, which works because the firewall can contact it.


Note - Using NAT with a conventional packet filtering rule requires you to add a DNS entry for this host.


  1. Define a Proxy User Group that contains the users who can use FTP, as shown in the following figure.

    Figure 9-6 Proxy User Group Definition


  2. Define a rule to ALLOW FTP access, as shown in the following figure.

    Figure 9-7 ALLOW FTP Access Rule Definition


  3. Save and activate the policy.