From owner-freebsd-questions Thu Oct 25 5:58: 0 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from caladan.tdx.co.uk (caladan2.tdx.co.uk [62.13.128.200]) by hub.freebsd.org (Postfix) with ESMTP id D313E37B401 for ; Thu, 25 Oct 2001 05:57:55 -0700 (PDT)
Received: from geko (nodnsyet.dmpriest.net.uk [62.13.128.68] (may be forged)) by caladan.tdx.co.uk (8.11.4/8.11.4/Kp) with ESMTP id f9O83Co74005; Wed, 24 Oct 2001 09:03:12 +0100 (BST)
Date: Thu, 25 Oct 2001 13:57:31 +0100
From: Karl Pielorz
To: "Patrick O'Reilly" , FreeBSD Question List
Subject: Re: ipfw rules for FTP - passive vs. active
Message-ID: <515708619.1004018251@geko>
In-Reply-To:
References:
X-Mailer: Mulberry/2.1.0 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On 25 October 2001 14:51 +0200 Patrick O'Reilly wrote,

This question isn't really FreeBSD related? :( - If you look in /etc/rc.firewall - there's a recommendation on a couple of good books that would help you :)

Having said all that....

> I must point out that I have never got around to understanding the
> capabilities of ipfw's stateful rules. If therein lies the solution then
> just a gentle prod with the clue stick would be much appreciated.

FTP is a notoriously hard protocol to firewall, because as you've found out - it needs connections to arbitrary ports on both machines, both ways...

In fact, we almost gave up - we have our FTP server bound to a single IP address, and just firewall to that, permitting access to ports 20/21 etc. - and to any port over 1024. We then make absolutely certain there are no other services bound to that IP address (e.g. if someone went and installed MySQL - and bound it to that port, that would be bad, as MySQL runs on port 3306 or similar, which would be allowed by the rules)...

In fact, as a kind of failsafe, I think we actually blocked MySQL, and a couple of other high-port services deliberately to that IP, 'just in case'

-Kp

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
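The single-IP scheme Karl describes, written out as an ipfw ruleset. This is an added example, not a ruleset from the mail or from rc.firewall; it assumes the FTP daemon is bound only to the documentation address 203.0.113.10, that rule numbers 1000-1090 are free, and it relies on ipfw's first-match semantics so the failsafe denies for MySQL (3306) and a constructed second service (5432) sit before the broad high-port allow that would otherwise expose them.

```shell
#!/bin/sh
# Added example (not from the original mail). FTP_IP is the one address
# the FTP server is bound to; 203.0.113.10 is a constructed value.
FTP_IP="${FTP_IP:-203.0.113.10}"
# High ports that must stay closed on FTP_IP even though the FTP rule
# opens everything above 1024. 3306 (MySQL) comes from the mail; 5432 is a
# constructed second entry standing in for "a couple of other services".
BLOCKED_HIGH_PORTS="3306 5432"

# Print the ipfw commands rather than run them, so the set can be reviewed
# or diffed first and then piped to sh on the firewall host.
ftp_rules() {
    n=1000
    # Control connection, and active-mode data connections from port 20.
    echo "ipfw add $n allow tcp from any to $FTP_IP 21 setup"; n=$((n+10))
    echo "ipfw add $n allow tcp from $FTP_IP 20 to any setup"; n=$((n+10))
    # Failsafe denies: ipfw is first-match, so these MUST precede the
    # 1024-65535 allow below or they never fire.
    for p in $BLOCKED_HIGH_PORTS; do
        echo "ipfw add $n deny log tcp from any to $FTP_IP $p"; n=$((n+10))
    done
    # Passive-mode data connections arrive on an unprivileged port.
    echo "ipfw add $n allow tcp from any to $FTP_IP 1024-65535 setup"; n=$((n+10))
    # Packets belonging to connections already set up above.
    echo "ipfw add $n allow tcp from any to $FTP_IP established"; n=$((n+10))
    echo "ipfw add $n allow tcp from $FTP_IP to any established"
}

# Rule number of the first rule whose destination is FTP_IP with the given
# port spec (e.g. "3306" or "1024-65535"); lets the ordering be checked.
rule_number_for() {
    ftp_rules | grep " $FTP_IP $1" | head -n 1 | cut -d' ' -f3
}
```

Run `sh ftp-rules.sh` to inspect the set; `rule_number_for 3306` and `rule_number_for 1024-65535` confirm the deny is numbered below the allow before the rules are loaded.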