From: "Jennifer Ulrich" <pixie_styxx@hotmail.com>
To: freebsd-ipfw@FreeBSD.ORG
Subject: allowing passive ftp through ipfw
Date: Wed, 21 Jun 2000 16:50:09 EDT

Hello all!

I have a FreeBSD 3.4 box which runs ipfw, that is firewalling for a publicly reachable LAN of servers, including FTP servers. When I set up the machine, I made the FTP servers reachable by adding a rule for:

    ipfw add 1400 pass all from x.x.x.x/x to any
    ipfw add 2300 pass tcp from any to x.x.x.x 21

(x.x.x.x 21 being the address of the FTP server, and a default rule allowing anything from my internal LAN out through the firewall)

I initially had some problems with clients on the LAN not being able to establish FTP connections outbound, so I added this rule:

    ipfw add 2300 pass tcp from any to x.x.x.x/x established

With these two rules in place, FTP was a happy camper. Users could connect from outside of the network to specific FTP servers, and users inside the network could connect to any FTP server on the internet.

Everything ran smoothly until someone from the internet tried to connect to the internal FTP server with Netscape. Apparently, when Netscape opens an FTP connection, it does so by sending a PASV (instead of PORT) command. Basically, as I understand it, in passive mode the server passively sets the port and passes that information to the client. It is then up to the client to actively open the FTP connection on that specified port. So instead of the FTP connection coming in with a destination of 21, it comes in on some predetermined but random high port (which is why my ruleset denies the connection).

So how do I get passive FTP to work? I certainly would rather not punch a hole in the firewall to allow all traffic destined to the higher ports through to my FTP server. Is there another way to accomplish this that is a bit more secure?

Anyone's thoughts and suggestions regarding this matter are most appreciated!

~jenn
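The PASV exchange described in the post, as an added example that is not part of the original message or of ipfw: it parses the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply to recover the data port the client will connect to, and checks that port against a fixed passive port range so the firewall rule only has to open that range rather than all high ports. The reply text, the server block 192.0.2.0/24 and the range 49152-50100 are constructed values; a fixed passive range is something the FTP daemon has to be configured for, which the post does not cover.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the reply an FTP server sends on the control
# connection (port 21) when the client issues PASV.  The data port is
# p1 * 256 + p2, so (195,89) announces port 50009.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)\r\n"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    # Every field is one octet; anything larger is not a valid PASV reply.
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_allowed(reply, server_net, pasv_range):
    """Mirror the decision the firewall makes on the client's data-connection
    SYN: is the announced endpoint inside the FTP server's address block and
    inside the restricted passive range that the rule below opens?"""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    host, port = parsed
    lo, hi = pasv_range
    return ip_address(host) in ip_network(server_net) and lo <= port <= hi


def ipfw_passive_rule(rule_no, server_net, pasv_range):
    """Build the ipfw rule that admits inbound passive data connections only
    to the configured range; 'setup' matches the client's initial SYN."""
    lo, hi = pasv_range
    return f"ipfw add {rule_no} pass tcp from any to {server_net} {lo}-{hi} setup"


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV_REPLY))
    print(ipfw_passive_rule(2310, "192.0.2.10/32", (49152, 50100)))
```

Any PASV reply announcing a port outside the range is exactly the connection the rule still denies, so the range in the rule and the range configured on the FTP daemon must match.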