Date: Thu, 25 Oct 2001 11:53:35 -0500 From: Mike Meyer <mwm@mired.org> To: "Patrick O'Reilly" <patrick@mip.co.za> Cc: questions@freebsd.org Subject: RE: ipfw rules for FTP - passive vs. active Message-ID: <15320.17295.222857.730255@guru.mired.org> In-Reply-To: <117437109@toto.iv>
Patrick O'Reilly <patrick@mip.co.za> types:
> Karl,
>
> thanks for your response. I guess I am just a few steps behind you, and
> desperately hoping NOT to get to the point of giving up.

It *is* possible. It's not easy.

> PS: I posted to FreeBSD because I'm using ipfw and was hoping that ipfw
> might have the silver bullet I need. If so, that is FreeBSD specific.
> Anyway, I'm starting to dig deeper into what keep-state can and cannot do.

keep-state can't do this for you. It can be used to replace the
"established" rule you have for TCP, and there are pluses and minuses to
that. Using it for UDP is the real win, as it allows the return packets
through without jumping through hoops to do it.

The problem is that FTP does very much magic which very few people use.
But allowing for that magic in a firewall is a major PITA - *especially*
if both sides want firewalls! Here are the ways I know around it:

1: Force your remote users to use active FTP.

2: Blow off ftp and put everything on a XXXXXX server that doesn't do the
   magic and so doesn't have these problems. HTTP and various P2P tools
   come to mind.

3: Open a *large* hole, either 1024-4999 or 49152-65535 depending on the
   configuration of the base system ftpd. If you're using a different
   ftpd, you'll have to check its documentation.

4: Install an FTP proxy server outside the firewall. You then open holes
   as above, but only for the proxy server, not for everyone.

5: Use firewall software that understands the ftp protocol, and adds a
   dynamic rule for the incoming connection when the appropriate packets
   go by.

If there's another one, I haven't run into it. I've implemented all of
the above at one time or another, and prefer #2.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Q: How do you make the gods laugh?		A: Tell them your plans.
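The "magic" Mike refers to in options 3 and 5 is the data connection that FTP negotiates on the control channel: the client's PORT command (active mode) or the server's 227 reply to PASV (passive mode) carries the address and port of a second TCP connection the firewall has never seen. The following example is added to this archived message and is not Mike's or FreeBSD's code. It does what an FTP-aware firewall helper (option 5) has to do: parse those two RFC 959 messages, work out the data-channel endpoint, reject a passive port that falls outside the range the ftpd was configured with (the 49152-65535 range from option 3 is assumed), and emit the one-off ipfw rule that would have to be added. The rule text follows ipfw(8) syntax, but the rule numbers, the choice of `setup`, the assumption that the firewall sits in front of the FTP server, and the transcript and IP addresses are all illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 encodings: "PORT h1,h2,h3,h4,p1,p2" from the client (active mode) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server (passive mode).
# In both the data port is p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Assumed: the ftpd behind the firewall hands out passive ports in this range
# (one of the two ranges named in the message; check your ftpd's documentation).
PASSIVE_RANGE = (49152, 65535)


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "passive": client connects to server; "active": server connects to client
    host: str   # address the data connection is made to
    port: int


def _decode(fields: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six comma-separated decimal fields into (host, port), rejecting junk."""
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % (fields,))
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_control_line(line: str) -> Optional[DataChannel]:
    """Recognise the two control-channel messages that announce a data connection."""
    m = PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        return DataChannel("active", host, port)
    m = PASV_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        return DataChannel("passive", host, port)
    return None


def ipfw_rule(chan: DataChannel, client_ip: str, rule_no: int) -> str:
    """The ipfw command a protocol-aware helper would add for this data channel.

    Assumes the firewall protects the FTP server. The rule number and the use of
    `setup` (match only the connection-opening SYN) are illustrative choices.
    """
    if chan.mode == "passive":
        lo, hi = PASSIVE_RANGE
        if not lo <= chan.port <= hi:
            # A firewall that only opened the configured range would drop this anyway.
            raise ValueError("passive port %d outside configured range %d-%d"
                             % (chan.port, lo, hi))
        # Passive: the client opens the data connection to the server's announced port.
        return "ipfw add %d allow tcp from %s to %s %d in setup" % (
            rule_no, client_ip, chan.host, chan.port)
    # Active: the server opens the data connection from port 20 to the client's port.
    return "ipfw add %d allow tcp from any 20 to %s %d out setup" % (
        rule_no, chan.host, chan.port)


def plan_rules(transcript: List[str], client_ip: str, first_rule: int = 1000) -> List[str]:
    """Walk a control-channel transcript and return the dynamic rules it requires."""
    rules = []
    for line in transcript:
        chan = parse_control_line(line)
        if chan is not None:
            rules.append(ipfw_rule(chan, client_ip, first_rule + len(rules)))
    return rules


# Constructed sample transcript (not a real capture): one passive and one active transfer.
SAMPLE_TRANSCRIPT = [
    "USER anonymous",
    "331 Guest login ok, send your email address as password.",
    "PASS guest@example.org",
    "230 Guest login ok, access restrictions apply.",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,89)",
    "LIST",
    "PORT 198,51,100,7,4,1",
    "RETR file.txt",
]

if __name__ == "__main__":
    for rule in plan_rules(SAMPLE_TRANSCRIPT, "198.51.100.7"):
        print(rule)
```

Running the sample yields one inbound rule for the passive transfer (server port 195*256+89 = 50009) and one outbound rule from port 20 for the active transfer (client port 1025). Note what the helper cannot do: it only sees cleartext control traffic, so it is blind to FTP over TLS, and a 227 reply carrying a private address from behind NAT would produce a rule for the wrong host, which is the other half of why option 2 is attractive.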