From owner-freebsd-hackers Fri Jan 3 01:34:59 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA10125 for hackers-outgoing; Fri, 3 Jan 1997 01:34:59 -0800 (PST)
Received: from mail.cdsnet.net (mail.cdsnet.net [204.118.244.5]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id BAA10120 for ; Fri, 3 Jan 1997 01:34:57 -0800 (PST)
Received: from mail.cdsnet.net (mail.cdsnet.net [204.118.244.5]) by mail.cdsnet.net (8.7.6/8.7.3) with SMTP id BAA11894 for ; Fri, 3 Jan 1997 01:34:55 -0800 (PST)
Date: Fri, 3 Jan 1997 01:34:55 -0800 (PST)
From: Jaye Mathisen
To: hackers@freebsd.org
Subject: Stupid ipfw question.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Why doesn't the following 2 rules allow any type of outbound TCP connection?

    /sbin/ipfw add pass tcp from ${ip} to any setup
    /sbin/ipfw add pass tcp from any to any established

Basically my FTPs are failing, but work fine in passive mode.

I must be missing something obvious with the PORT commands, most likely it being that the port command is from the remote host to my host, but since I don't know what port it will be, I have to leave a bunch of them open, which seems to be a problematic issue for firewalling.

However, I'm using squid, and it doesn't seem to support PASV ftp retrievals, so I'm not sure what the safest thing to do is.

ftpget (part of squid) does support a "range" notation for data, but I don't think there's a range argument to ipfw. Nor have I seen a range argument that can be passed to the remote FTP server.

So what's the right thing to do here? Accept TCP connections above 1023? Seems fraught with peril...
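The behaviour the post describes can be reproduced with a small model of the two rules. The following is an added example written for this note, not code from the post or from ipfw: it simulates, in a deliberately simplified way, how `setup` (SYN without ACK) and `established` (ACK set) classify TCP segments, applies the two rules first-match-wins with an implicit final deny, and walks the segments of a passive and an active FTP session. The addresses (192.0.2.10 standing in for `${ip}`, 198.51.100.20 as the server) and port numbers are constructed.

```python
"""
Toy model of the two ipfw rules from the post, used to show why active-mode
(PORT) FTP fails while passive (PASV) FTP succeeds.  Simplified simulation
written for this note; it is not ipfw code.

Assumptions:
  - "setup"       matches a TCP segment with SYN set and ACK clear
  - "established" matches a TCP segment with ACK set
  - first matching rule wins; a segment that matches no rule is denied
  - ${ip} from the post is the constructed address 192.0.2.10
"""

LOCAL_IP = "192.0.2.10"       # stands in for ${ip} in the post (constructed)
REMOTE_IP = "198.51.100.20"   # constructed FTP server address

# The two rules from the post, expressed as data.
RULES = [
    {"action": "pass", "src": LOCAL_IP, "dst": "any", "state": "setup"},
    {"action": "pass", "src": "any", "dst": "any", "state": "established"},
]

# A segment is (src_ip, src_port, dst_ip, dst_port, flags); flags is a frozenset.

def state_of(flags):
    """Classify a segment the way the setup/established keywords do (simplified)."""
    if "SYN" in flags and "ACK" not in flags:
        return "setup"
    if "ACK" in flags:
        return "established"
    return None

def rule_matches(rule, pkt):
    src, _sport, dst, _dport, flags = pkt
    return (rule["src"] in ("any", src)
            and rule["dst"] in ("any", dst)
            and state_of(flags) == rule["state"])

def evaluate(rules, pkt):
    """First matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"

def tcp_handshake(client, cport, server, sport):
    """The three segments that open a TCP connection from client:cport to server:sport."""
    return [
        (client, cport, server, sport, frozenset({"SYN"})),
        (server, sport, client, cport, frozenset({"SYN", "ACK"})),
        (client, cport, server, sport, frozenset({"ACK"})),
    ]

def passive_ftp_flow():
    """Control connection plus a PASV data connection: both opened from our side."""
    return (tcp_handshake(LOCAL_IP, 1025, REMOTE_IP, 21)
            + tcp_handshake(LOCAL_IP, 1026, REMOTE_IP, 40000))  # 40000: constructed PASV port

def active_ftp_flow():
    """Control connection plus a PORT data connection: the server opens the data connection."""
    return (tcp_handshake(LOCAL_IP, 1025, REMOTE_IP, 21)
            + tcp_handshake(REMOTE_IP, 20, LOCAL_IP, 1027))    # 1027: port we announced via PORT

def first_blocked(flow, rules=RULES):
    """Return the first segment the rule set denies, or None if the whole flow passes."""
    for pkt in flow:
        if evaluate(rules, pkt) == "deny":
            return pkt
    return None

if __name__ == "__main__":
    for name, flow in (("passive", passive_ftp_flow()), ("active", active_ftp_flow())):
        blocked = first_blocked(flow)
        verdict = "all segments pass" if blocked is None else f"blocked at {blocked}"
        print(f"{name:8s} FTP: {verdict}")
```

Running it shows the passive session passing end to end, while the active session is stopped at the server's SYN from port 20 to the announced data port: that segment is a `setup` from the remote side, which rule one excludes by source address and rule two excludes by state. The model deliberately ignores everything else ipfw does; its only purpose is to make the PORT-versus-PASV difference from the post visible.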