From owner-freebsd-pf@FreeBSD.ORG Fri May 18 19:34:23 2007
From: "Dave" <dmehler26@woh.rr.com>
To: "Greg Hennessy", freebsd-pf@freebsd.org
Date: Fri, 18 May 2007 15:34:00 -0400
Subject: Re: ftp, pf, passive ftp and fetch
Message-ID: <001e01c79983$7c572580$0200a8c0@satellite>
References: <000301c798e6$d51bfdf0$0200a8c0@satellite> <000d01c7991a$cff492e0$6fddb8a0$%Hennessy@nviz.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi Greg,

Thanks for your informative reply. You've convinced me: I'm going passive; that sentence "it's less of a PITA" I think did it. Right now FTP is proving to be just that. It's flaky: some machines are fine with it; one Windows box, XP SP2 and IE6, works fine; another with the same config can't resolve the FTP sites.

And I guess I just won't use the ftp command-line option; I don't like it anyway, I'm spoiled on ncftp. I've got pftpx going on the router, and have pf set up with the appropriate anchors, but clients are, as I said, flaky: one works fine, some work intermittently and some don't work at all. It is perplexing.

Thanks.
Dave.

----- Original Message -----
From: "Greg Hennessy"
To: "'Dave'"; freebsd-pf@freebsd.org
Sent: Friday, May 18, 2007 3:04 AM
Subject: RE: ftp, pf, passive ftp and fetch

>> Hi,
>> I'm trying to get ftp working from behind a pf firewall. I'm using
>> pftpx on FreeBSD 6.2 for this. I believe I have passive working; one of my
>> Windows boxes goes passive and dies on active.
>
> Command line FTP client in Windows is active only.
>
>> I've got three questions. First,
>> portupgrade uses fetch for retrieval, correct? If so I want it to use
>> the -p (passive) option by default whenever it tries an ftp URL.
>
> gw2:~ # set | grep -i ftp
> FTP_PASSIVE_MODE=1
>
>> Second, ncftp: I'd like to specify that it should use passive mode connections
>> by default as well.
>
> gw2:~ # grep -i passive .ncftp/prefs_v3
> passive=on
>
>> Last, is active or passive ftp better in terms of security
>> strictly from a firewall perspective? I know the protocol isn't secure.
>
> Passive is less of a PITA (that's not saying much).
> One doesn't have to handle ingress traffic initiated from the server.
>
> However one either has to leave high ports open or use a L7 proxy to
> dynamically open the firewall for each request, hence pftpx.
>
>> If active ftp is better than passive does anyone have a ruleset with it?
>> I'm using a block by default ruleset.
>
> I haven't used active FTP for years TBH. I have had serious arguments with
> vendors and suppliers who tried to insist on its use through environments I
> have had responsibility for.
>
> Greg
>
>> Thanks.
>> Dave.
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
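Added example, not from either mail nor from the pftpx project: a block-by-default pf.conf fragment (FreeBSD 6.x pf syntax) that hands clients' FTP control connections to a pftpx-style proxy so the firewall is opened per session through anchors, with the "leave high ports open" alternative Greg mentions shown commented out for contrast. The interface names, internal network, proxy port 8021 and the anchor name "pftpx/*" are assumptions; confirm them against pftpx(8) on the router.

```pf
# Added example: block-by-default gateway ruleset with an L7 FTP proxy.
# Assumed values: interfaces, internal network, proxy port, anchor name.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.0.0/24"
proxy   = "127.0.0.1"

scrub in all

# Translation section. The proxy fills these anchors at run time with one
# nat/rdr rule set per FTP session, so a data channel is only reachable
# while that transfer is actually being negotiated.
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"

nat on $ext_if from $int_net to any -> ($ext_if)

# Clients' outbound FTP control connections (port 21) are redirected to the
# proxy listening on the gateway instead of going to the server directly.
rdr pass on $int_if proto tcp from $int_net to any port ftp -> $proxy port 8021

# Filter section: deny everything not explicitly allowed below.
block log all
pass quick on lo0

# Per-session pass rules inserted by the proxy land here.
anchor "pftpx/*"

# Only the gateway itself (i.e. the proxy) may open control connections to
# remote FTP servers; clients cannot bypass the proxy.
pass out on $ext_if proto tcp from ($ext_if) to any port ftp keep state

# Weak alternative, left disabled: passive FTP without a proxy needs every
# port above 1023 open outbound, so any client process could reach any
# remote service on those ports, not just FTP data channels.
# pass out on $ext_if proto tcp from $int_net to any port > 1023 keep state

# Ordinary client traffic the gateway is meant to carry.
pass in on $int_if from $int_net to any keep state
pass out on $ext_if inet proto { tcp, udp } from any to any port { domain, http, https } keep state
```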