From: "Mick Nicila"
To: chutima_s@zdnetonebox.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to config ipfw for ftp server
Date: Wed, 19 Sep 2001 16:25:45 +0700

Dear Chutima,

FTP uses separate command and data connections. By default FTP servers work in Active mode, where the server listens on port 21 for commands; data connections are initiated by the server from its port 20 (ftp-data) to a random port on the client. This is the case your firewall will not allow. In this case, you may allow connections initiated from server port 20 to ports > 1024 outside. I don't know exactly how to set the ipfw rules.

On the other hand, Passive mode causes the client to open both connections to the server. The data connection is opened from a random port on the client to a random port on the server. This case is also prohibited by your firewall. It is rather complicated to deal with since both client and server port numbers are randomized. You may need a special ftp proxy, I think.

Note that Internet Explorer and Netscape are usually set to work in Passive mode, whilst FTP software is often set to work in Active mode. This setting can be changed in most FTP software.

On Tue, 18 Sep 2001, Chutima S. wrote:
>I try to config ipfw to allow the outside world to connect to the ftpserver (real
>IP) behind my firewall.
>
>I config rules as:
>
>ipfw add pass tcp from any to 21 setup
>
>After I test it, I found that I can login to the ftpserver but cannot get a
>data connection, like GET, List for files. Is it about the ftp-data port
>or passive mode? How do I config it to work with a normal ftpserver?
>
>Thanks
>Chutima S.
>
>--
>Chutima Subsirin
>chutima_s@zdnetonebox.com - email
>(202) 777-2641 ext. 6020 - voicemail/fax
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
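The two data-connection modes described in the reply above, turned into an ipfw rule set for a server behind the firewall; this is an added example, not code from the original message or from FreeBSD. The server address 192.0.2.10, the passive port range 49152-65535 and the claim that FreeBSD's ftpd draws its PASV ports from the net.inet.ip.portrange.hifirst/hilast sysctls are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): ipfw rules that admit
# FTP's separate command and data connections for both modes.
# Assumptions: the server's real address is the placeholder 192.0.2.10;
# its passive data ports are confined to 49152-65535 (on FreeBSD this is
# the range ftpd(8) takes from net.inet.ip.portrange.hifirst/hilast).
# IPFW defaults to printing the commands so the script is harmless to
# run anywhere; set IPFW=ipfw (as root) to actually load them.

FTP_SERVER=${FTP_SERVER:-192.0.2.10}
PASV_LO=${PASV_LO:-49152}
PASV_HI=${PASV_HI:-65535}
IPFW=${IPFW:-echo ipfw}

# Print the rule set for the requested data mode: active, passive or both.
ftp_rules() {
    mode=$1
    # Command connection: client -> server port 21, SYN only.
    echo "add 1000 pass tcp from any to $FTP_SERVER 21 setup"
    case $mode in
    active|both)
        # Active data: server connects from ftp-data (20) to an
        # unprivileged client port; only SYNs in this direction pass.
        echo "add 1010 pass tcp from $FTP_SERVER 20 to any 1024-65535 setup"
        ;;
    esac
    case $mode in
    passive|both)
        # Passive data: client connects into the server's confined range.
        echo "add 1020 pass tcp from any to $FTP_SERVER $PASV_LO-$PASV_HI setup"
        ;;
    esac
    # Packets of already-accepted connections (ACK set) flow both ways.
    echo "add 1030 pass tcp from any to any established"
    # Every other inbound SYN to the server is refused and logged.
    echo "add 1040 deny log tcp from any to $FTP_SERVER setup"
}

# Number of rules a mode produces (for checking the output).
ftp_rule_count() {
    ftp_rules "$1" | wc -l | tr -d ' '
}

# Feed each rule to ipfw (or just echo it, the default).
apply_ftp_rules() {
    ftp_rules "$1" | while read -r rule; do
        $IPFW $rule
    done
}

if [ -n "${1:-}" ]; then apply_ftp_rules "$1"; fi
```

Run it as `sh ftp-ipfw.sh both` to print the full set, or with IPFW=ipfw to install it.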