From: Mike Meyer
Date: Thu, 25 Oct 2001 11:53:35 -0500
To: "Patrick O'Reilly"
Cc: questions@freebsd.org
Subject: RE: ipfw rules for FTP - passive vs. active
Message-ID: <15320.17295.222857.730255@guru.mired.org>
In-Reply-To: <117437109@toto.iv>

Patrick O'Reilly types:
> Karl,
>
> thanks for your response. I guess I am just a few steps behind you, and
> desperately hoping NOT to get to the point of giving up.

It *is* possible. It's not easy.

> PS: I posted to FreeBSD because I'm using ipfw and was hoping that ipfw
> might have the silver bullet I need. If so, that is FreeBSD specific.
> Anyway, I'm starting to dig deeper into what keep-state can and cannot do.

keep-state can't do this for you. It can be used to replace the "established" rule you have for TCP, and there are pluses and minuses to that. Using it for UDP is the real win, as it allows the return packets through without jumping through hoops to do it.

The problem is that FTP does very much magic which very few people use. But allowing for that magic in a firewall is a major PITA - *especially* if both sides want firewalls! Here are the ways I know around it:

1: Force your remote users to use active FTP.
2: Blow off ftp and put everything on a XXXXXX server that doesn't do the magic and so doesn't have these problems. HTTP and various P2P tools come to mind.

3: Open a *large* hole, either 1024-4999 or 49152-65535 depending on the configuration of the base system ftpd. If you're using a different ftpd, you'll have to check its documentation.

4: Install an FTP proxy server outside the firewall. You then open holes as above, but only for the proxy server, not for everyone.

5: Use firewall software that understands the ftp protocol, and adds a dynamic rule for the incoming connection when the appropriate packets go by.

If there's another one, I haven't run into it. I've implemented all of the above at one time or another, and prefer #2.

http://www.mired.org/home/mwm/
Q: How do you make the gods laugh?
A: Tell them your plans.
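As an added example, not code from the message above or from anyone in the thread: an ipfw(8) rule set for a FreeBSD host that runs the base-system ftpd and its own firewall, taking option 3 (open the passive-mode data-port range as a block of inbound `setup` rules) and using keep-state for UDP return traffic the way the message describes. The outside interface name fxp0, the 49152-65535 range (swap in 1024-4999 if your ftpd is configured for the low range), and the `apply` argument are assumptions for the example; the script echoes the rules for review unless told to apply them.

```shell
#!/bin/sh
# Added example, not code from the message or thread above: an ipfw(8)
# rule set for a FreeBSD host that runs the base-system ftpd and its own
# firewall. It takes option 3 from the message (open the passive-mode
# data-port range) and uses keep-state for UDP return traffic.
# Assumptions: outside interface fxp0; ftpd hands out passive ports from
# 49152-65535 (use 1024-4999 if yours is configured for the low range).

oif="fxp0"                 # assumed outside interface
pasv_range="49152-65535"   # assumed ftpd passive port range (see the message)

# ftp_rules CMD: emit the rule set through CMD, which is /sbin/ipfw to
# load it or echo to review it. One rule per line so the output can be diffed.
ftp_rules() {
    fw="$1"
    $fw -f flush
    # Dynamic rules created by keep-state are matched here, ahead of the
    # static rules, so UDP replies are accepted before the inbound deny.
    $fw add 100 check-state
    $fw add 200 allow ip from any to any via lo0
    # Established TCP sessions (the rule keep-state could replace for TCP).
    $fw add 300 allow tcp from any to any established
    # FTP control channel; active-mode data leaves from port 20 under 600.
    $fw add 400 allow tcp from any to me 21 in via "$oif" setup
    # Option 3: the *large* hole for passive-mode data connections. Any
    # other service listening on this host in that range is reachable too.
    $fw add 500 allow tcp from any to me "$pasv_range" in via "$oif" setup
    # Outbound TCP from this host (includes ftpd's active-mode callbacks).
    $fw add 600 allow tcp from me to any out via "$oif" setup
    # UDP with keep-state: the reply packets match the dynamic rule at 100
    # without a matching inbound hole, which is where keep-state pays off.
    $fw add 700 allow udp from me to any out via "$oif" keep-state
    # Drop and log anything else arriving on the outside interface; ipfw's
    # implicit rule 65535 denies whatever is left.
    $fw add 800 deny log ip from any to any in via "$oif"
}

# Dry run by default; "apply" loads the rules for real.
case "${1:-}" in
    apply) ftp_rules /sbin/ipfw ;;
    *)     ftp_rules echo ;;
esac
```

Rule 500 is the whole cost of option 3: it admits a SYN to every port in the range, not just the one ftpd handed out in its PASV reply, so anything else bound in that range on the host is exposed. It also only solves the server side; a client behind its own firewall still needs its outbound `setup` rule to reach that range, and if that client insists on active mode the mirror-image hole is needed on its end, which is the "both sides want firewalls" problem the message warns about.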