Date: Thu, 25 Oct 2001 13:57:31 +0100
From: Karl Pielorz <kpielorz@tdx.co.uk>
To: "Patrick O'Reilly" <patrick@mip.co.za>, FreeBSD Question List <freebsd-questions@FreeBSD.ORG>
Subject: Re: ipfw rules for FTP - passive vs. active
Message-ID: <515708619.1004018251@geko>
In-Reply-To: <NDBBIMKICMDGDMNOOCAIKECNDMAA.patrick@mip.co.za>
References: <NDBBIMKICMDGDMNOOCAIKECNDMAA.patrick@mip.co.za>
On 25 October 2001 14:51 +0200 Patrick O'Reilly wrote,

This question isn't really FreeBSD related? :( - If you look in /etc/rc.firewall - there's a recommendation on a couple of good books that would help you :)

Having said all that....

> I must point out that I have never got around to understanding the
> capabilities of ipfw's stateful rules. If therein lies the solution then
> just a gentle prod with the clue stick would be much appreciated.

FTP is a notoriously hard protocol to firewall, because as you've found out - it needs connections to arbitrary ports on both machines, both ways...

In fact, we almost gave up - we have our FTP server bound to a single IP address, and just firewall to that, permitting access to ports 20/21 etc. - and to any port over 1024. We then make absolutely certain there are no other services bound to that IP address (e.g. if someone went and installed MySQL - and bound it to that port, that would be bad, as MySQL runs on port 3306 or similar, which would be allowed by the rules)...

In fact, as a kind of failsafe, I think we actually blocked MySQL, and a couple of other high-port services deliberately to that IP, 'just in case'

-Kp
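The approach described in the reply above, written out as an ipfw rule set. This is an added example, not code from the original mail or from FreeBSD's rc.firewall; FTP_IP is a constructed placeholder address, the rule numbers are arbitrary, and the explicit MySQL deny is placed ahead of the broad high-port allow so that ordering, not luck, keeps it closed.

```shell
#!/bin/sh
# Added example (not from the original post): firewall only a dedicated
# FTP address, open 21 and the unprivileged ports on it for passive data,
# let the server's port-20 active-mode connections out, and explicitly
# deny known high-port daemons (MySQL on 3306) on that address first.
FTP_IP="${FTP_IP:-192.0.2.10}"   # constructed placeholder; use the real FTP address
IPFW="${IPFW:-ipfw}"             # set IPFW="echo ipfw" to preview rules without applying

ftp_rules() {
    # Let packets belonging to connections tracked by keep-state through.
    $IPFW add 100 check-state
    # Deny-before-allow: anything else that listens above 1023 on this
    # address must be blocked here, or the passive rule below exposes it.
    $IPFW add 200 deny tcp from any to "$FTP_IP" 3306 in      # MySQL
    # FTP control channel.
    $IPFW add 300 allow tcp from any to "$FTP_IP" 21 in setup keep-state
    # Active mode: server opens the data connection from port 20 to the client.
    $IPFW add 400 allow tcp from "$FTP_IP" 20 to any out setup keep-state
    # Passive mode: client connects to an unprivileged port the server chose.
    $IPFW add 500 allow tcp from any to "$FTP_IP" 1024-65535 in setup keep-state
    # Nothing else reaches the FTP address.
    $IPFW add 600 deny ip from any to "$FTP_IP" in
}

# Uncomment to apply on the host (or run with IPFW="echo ipfw" to review):
# ftp_rules
```

Passive-mode servers should also be configured to pick data ports from a bounded range so that rule 500 can be narrowed to exactly that range rather than the whole unprivileged space.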