From owner-freebsd-questions Thu Oct 25 5:48:59 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mip.co.za (puck.mip.co.za [209.212.106.44]) by hub.freebsd.org (Postfix) with ESMTP id E1C8737B401 for ; Thu, 25 Oct 2001 05:48:32 -0700 (PDT)
Received: from patrick (patrick.mip.co.za [10.3.13.181]) by mip.co.za (8.9.3/8.9.3) with SMTP id OAA92998 for ; Thu, 25 Oct 2001 14:48:24 +0200 (SAST) (envelope-from patrick@mip.co.za)
From: "Patrick O'Reilly"
To: "FreeBSD Question List"
Subject: ipfw rules for FTP - passive vs. active
Date: Thu, 25 Oct 2001 14:51:58 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

FTP - the firewalling bane of my life! :)

Please bear with me - if you are clued on ipfw and FTP - I need some advice.

In the past I have always set my firewalls to permit public access to my FTP servers as follows:

    ipfw add 1 allow tcp from any to any established
    ipfw add 2 allow tcp from any to ${ftp_ip} 21 setup
    ipfw add 3 allow tcp from ${ftp_ip} 20 to any setup

This works fine for clients on the 'net who make "active" (NOT passive) FTP connections to my FTP server.

Recently I am finding that many FTP clients are behind firewalls themselves, and these do not allow the incoming ftp-data connection from my FTP server to their clients. So, I can support passive connections like so:

    ipfw add 1 allow tcp from any to any established
    ipfw add 2 allow tcp from any to ${ftp_ip} setup

Now, this seems to me like it is far too lax as far as firewalling goes.
I need to allow external clients to connect to ANY port on the FTP server so that they can establish the passive ftp-data connection on the randomly selected port number. Yech! :(

So, my question at last: Is there a way for me to build ipfw rules to support both passive and active FTP data modes, but without leaving such a huge gaping hole through the firewall?

I must point out that I have never got around to understanding the capabilities of ipfw's stateful rules. If therein lies the solution then just a gentle prod with the clue stick would be much appreciated.

Thanks in advance,
Patrick O'Reilly.

-----------------
Disk Space - the final frontier...
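The following is an added example, not part of the original post or of any reply in the thread. It generates an ipfw ruleset that answers the question above in the way a firewall administrator normally would: the FTP control and active-data rules are made stateful with `setup keep-state` plus a leading `check-state` rule, and instead of allowing `setup` to any port on the server, passive data connections are allowed only to a known port range. The script assumes that the FTP server's passive data ports are confined to that range (on FreeBSD, ftpd picks passive ports from the "high" range controlled by the sysctls `net.inet.ip.portrange.hifirst` and `net.inet.ip.portrange.hilast`, which default to 49152 and 65535); the server address 192.0.2.10 and the rule numbers are constructed for the example. The script only prints the rules so it can be reviewed first; it does not call ipfw itself.

```shell
#!/bin/sh
# Added example (not from the original post): build an ipfw ruleset that
# supports both active and passive FTP to one server without a
# "setup to any port" hole. Output is printed, not applied; review it and
# then pipe it to sh on the firewall host if it looks right.
#
# Assumptions (not stated in the post):
#  - the server's passive data ports are confined to a known range, e.g.
#    FreeBSD ftpd's high port range (net.inet.ip.portrange.hifirst/hilast,
#    defaults 49152-65535);
#  - the running ipfw supports check-state / keep-state (stateful rules).

# The ruleset the post calls "far too lax": $1 is the FTP server address.
# Kept here only for comparison with the stateful version below.
lax_ruleset() {
    cat <<EOF
ipfw add 1 allow tcp from any to any established
ipfw add 2 allow tcp from any to $1 setup
EOF
}

# Stateful ruleset for active + passive FTP to $1 (server address),
# allowing passive data connections only to ports $2-$3.
# Returns 1 without printing anything if the range would reopen the hole.
ftp_ruleset() {
    ftp_ip=$1; pasv_lo=$2; pasv_hi=$3
    if [ "$pasv_lo" -lt 1024 ] || [ "$pasv_lo" -gt "$pasv_hi" ] \
       || [ "$pasv_hi" -gt 65535 ]; then
        echo "bad passive port range $pasv_lo-$pasv_hi" >&2
        return 1
    fi
    cat <<EOF
ipfw add 100 check-state
ipfw add 110 allow tcp from any to $ftp_ip 21 setup keep-state
ipfw add 120 allow tcp from $ftp_ip 20 to any setup keep-state
ipfw add 130 allow tcp from any to $ftp_ip $pasv_lo-$pasv_hi setup keep-state
ipfw add 140 deny tcp from any to $ftp_ip setup
EOF
}

# Count rules in a ruleset ($1) that allow a new connection (setup) to a
# host with no port restriction at all. The stateful generator above
# should never produce one; the lax ruleset produces exactly one.
count_open_setup() {
    printf '%s\n' "$1" | grep -c 'allow tcp from any to [^ ]* setup' || true
}

# Usage: print the stateful ruleset for the constructed server address.
ftp_ruleset 192.0.2.10 49152 65535
```

Rule 100 (`check-state`) lets packets belonging to a connection that was admitted by a `keep-state` rule through without a separate `established` rule; rule 130 is the passive-mode replacement for "setup to any port", and rule 140 makes the remaining exposure explicit by rejecting any other new connection to the server. Whether rule 130 is safe depends entirely on the server really restricting its passive ports to that range, so check the ftpd or sysctl setting on the server before trusting it.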