Date: Wed, 19 Sep 2001 10:32:37 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: "Chutima S." <chutima_s@zdnetonebox.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to config ipfw for ftp server
Message-ID: <Pine.BSF.4.21.0109191016110.472-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <20010919063403.QVBU12230.mta10.onebox.com@onebox.com>
On Tue, 18 Sep 2001, Chutima S. wrote:

> I try to config ipfw to allow the outside world to connect to ftpserver (real
> IP) behind my firewall.
>
> I config rules as:
>
> ipfw add pass tcp from any to <ftpserverIP> 21 setup
>
> After I test it, I found that I can login to ftpserver but can not get
> data connection like GET, List for files. Is it about ftp-data port
> or passive mode? How do I config it to work with normal ftpserver?

In "normal" FTP, when a request is sent from the client, the server connects
_back_ to the client ("active mode"). So theoretically, if your firewall
allows an FTP server to initiate outbound connections, it should be fine.

Nowadays, however, more and more clients use "passive" mode (PASV command),
where the client connects to the server for data transfer. That solves the
problem with a firewalled client, but leads to a problem with a firewalled
server.

I don't know the solution with ipfw, but IIRC with ipfilter it is possible to
make the firewall watch for FTP transfer requests and add temporary rules
passing the ftp data connections. See ipf docs for details.

Alternatively, you may restrict the port range used by the ftp daemon for
passive transfers and then open this port range on the firewall.
Unfortunately, this may lead to opening a hole in security if you had some
server listening in this port range. Your mileage may vary.

Krzysztof
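Added example (not part of the thread, not from either poster): a small planner for the "restricted passive range" approach above. It emits ipfw1-era rules for the control channel, active-mode data from port 20 and a passive range, and checks that range against a `sockstat -4 -l` listing so the hole Krzysztof warns about (some other daemon already listening inside the range) is caught before the range is opened. Assumes the ftp daemon itself has been told to use the same passive range; the sockstat output shown is constructed, not captured from a real host.

```python
#!/usr/bin/env python3
"""Plan ipfw rules for a firewalled FTP server using a fixed passive port
range, and flag ports in that range that other daemons already listen on."""
import re

# Matches the PROTO and LOCAL ADDRESS columns of `sockstat -4 -l` output.
SOCKSTAT_RE = re.compile(r"\s(tcp[46])\s+(\S+):(\d+)\s")


def ipfw_rules(server_ip, pasv_lo, pasv_hi, base=1000):
    """Return the ipfw commands: control channel, active-mode data
    (server connects back from port 20) and the passive data range."""
    if not (1024 <= pasv_lo <= pasv_hi <= 65535):
        raise ValueError("passive range must be ordered and above 1023")
    return [
        f"ipfw add {base} pass tcp from any to {server_ip} 21 setup",
        f"ipfw add {base + 10} pass tcp from {server_ip} 20 to any setup",
        f"ipfw add {base + 20} pass tcp from any to {server_ip} "
        f"{pasv_lo}-{pasv_hi} setup",
        f"ipfw add {base + 30} pass tcp from any to any established",
    ]


def listening_tcp_ports(sockstat_output):
    """Set of local TCP ports found in sockstat -l style output."""
    ports = set()
    for line in sockstat_output.splitlines():
        m = SOCKSTAT_RE.search(line)
        if m:
            ports.add(int(m.group(3)))
    return ports


def passive_range_conflicts(pasv_lo, pasv_hi, sockstat_output, allowed=()):
    """Ports inside the passive range that something already listens on;
    opening the range would expose those services to the outside."""
    busy = listening_tcp_ports(sockstat_output)
    return sorted(p for p in busy if pasv_lo <= p <= pasv_hi and p not in allowed)


# Constructed sample of `sockstat -4 -l` output (hypothetical host 192.0.2.10).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftpd       611   3  tcp4   *:21                  *:*
root     sshd       512   4  tcp4   *:22                  *:*
www      httpd      700   5  tcp4   192.0.2.10:80         *:*
root     mgmtd      802   6  tcp4   192.0.2.10:49160      *:*
"""

if __name__ == "__main__":
    for rule in ipfw_rules("192.0.2.10", 49152, 49200):
        print(rule)
    # mgmtd on 49160 sits inside the range: pick another range or move it.
    print("conflicts:", passive_range_conflicts(49152, 49200, SAMPLE_SOCKSTAT))
```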