From owner-freebsd-net Wed Jun 19 04:00:50 2002
Subject: natd punch_fw for passive ftp ?
Message-Id: <20020619105957.KDZO9315.viefep13-int.chello.at@www.wsf.at>
Date: Wed, 19 Jun 2002 13:00:41 +0200
From: net@wsf.at
To: undisclosed-recipients:;
Sender: owner-freebsd-net@FreeBSD.ORG

Hi there,

(I hope this is the right list)

I am in doubt about my understanding of the punch_fw option in natd, running on the client side: Should this option create temporary rules for passive ftp or not?

If it should, it does not (at least not on my 4.5-RELEASE box).
If it should not, is there a reason for this difference compared to active mode?

What I try to set up is an ipfw ruleset for strictly checking the flow between several interfaces. So I allow established traffic and only SYN packets to specified ports, based on recv/xmit interface.

As usual, ftp causes the biggest problems. Active ftp works fine using punch_fw, but passive mode would require opening all high ports for outgoing SYN, exactly what I try to avoid.

Any hints are welcome,

Thanks
Thomas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
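An ipfw ruleset of the shape Thomas describes (established traffic allowed, new connections only as SYN to listed ports, checked per recv/xmit interface, with natd diverting on the outside interface), as an added example that is not part of the original mail. The interface names, the port list and the rule range given to natd's -punch_fw are assumptions; the script follows the rc.firewall convention of calling ipfw through `${fwcmd}`.

```shell
#!/bin/sh
# Assumed names (not from the mail): oif = outside interface, iif = inside interface.
fwcmd=${fwcmd:-/sbin/ipfw}
oif=${oif:-ed0}
iif=${iif:-ed1}
# Ports new outbound connections may be opened to (assumed example list).
out_ports=${out_ports:-"21,22,25,80,443"}

load_rules() {
    ${fwcmd} -f flush
    # Hand everything on the outside interface to natd, which is assumed to run as
    # "natd -punch_fw 1000:50 ..." so that its temporary rules land at 1000-1049,
    # i.e. before the final deny rules below.
    ${fwcmd} add 100 divert natd ip from any to any via ${oif}
    # Packets of an already established TCP session pass in both directions.
    ${fwcmd} add 200 allow tcp from any to any established
    # New connections: only SYN (setup) to the listed ports, and only on the
    # expected interfaces; everything else that tries to open a connection is logged.
    ${fwcmd} add 300 allow tcp from any to any ${out_ports} out xmit ${oif} setup
    ${fwcmd} add 310 allow tcp from any to any ${out_ports} in recv ${iif} setup
    # Active ftp data connections arrive as inbound SYN on ${oif}; natd punches a
    # rule for them. Passive ftp data is an outbound SYN to an arbitrary high port,
    # which nothing above allows, so it ends up here.
    ${fwcmd} add 5000 deny log tcp from any to any setup
    ${fwcmd} add 65000 deny log ip from any to any
}

load_rules
```

Running with `fwcmd=echo` prints the rules instead of loading them, which is a convenient way to review the generated set before installing it.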