From: "Patrick O'Reilly"
To: "Mike Meyer"
Subject: RE: ipfw rules for FTP - passive vs. active
Date: Fri, 26 Oct 2001 09:45:40 +0200
In-Reply-To: <15320.17295.222857.730255@guru.mired.org>

Mike,

> It *is* possible. It's not easy.

thank you :)

> keep-state can't do this for you. It can be used to replace the
> "established" rule you have for TCP, and there are pluses and minuses
> to that. Using it for UDP is the real win, as it allows the return
> packets through without jumping through hoops to do it.

Having now carefully read up on ipfw's keep-state I figured out pretty much what you said here. Thanks for the confirmation.

> The problem is that FTP does very much magic which very few people
> use. But allowing for that magic in a firewall is a major PITA -
> *especially* if both sides want firewalls!

Agreed! I've seen that most people firewalling an FTP server insist on using active FTP connections (like me), and most people firewalling their LANs prefer the simple method of allowing out-bound TCP setups only, and hence insist on passive FTP. Catch 22!

> Here are the ways I know around it:
>
> 1: Force your remote users to use active FTP.
>
> 2: Blow off ftp and put everything on a XXXXXX server that don't do
> the magic and so don't have these problems. HTTP and various P2P
> tools come to mind.
>
> 3: Open a *large* hole, either 1024-4999 or 49152-65535 depending on
> the configuration of the base system ftpd. If you're using a
> different ftpd, you'll have to check its documentation.
>
> 4: Install an FTP proxy server outside the firewall. You then open
> holes as above, but only for the proxy server, not for everyone.
>
> 5: Use firewall software that understands the ftp protocol, and adds a
> dynamic rule for the incoming connection when the appropriate
> packets go by.
>
> If there's another one, I haven't run into it. I've implemented all of
> the above at one time or another, and prefer #2.

I have been using option (1) till now, but the pressure to back down is mounting. I'll look into (2). My FTP is not for general anonymous access. It is for exchange of data between trading partners, so I need to cater for "secure" connections with login and password controlling access to the server (don't laugh too loud please - I know FTP's "security" is, well, weak, but the users feel better knowing that they have given a password!). Will HTTP cater for file up-and-down loads with user authentication?

I've tried pushing people to use scp (Putty's sister called pscp does a great job on Windoze platforms). However, the resistance to change is mind-boggling! :( And that resistance comes from the very same people who insist on having "secure" FTP logins and passwords. Go figure!

Thanks Mike.

Regards,
Patrick O'Reilly.

-----------------
I find this a nice feature but it is not according to the documentation.
Or is it a BUG?
Let's call it an accidental feature. :-)
-- Larry Wall in <6909@jpl-devvax.JPL.NASA.GOV>
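The FTP-aware firewall of option 5 in Mike's list, with option 3's port range as its policy, as an added example that is not code from this thread or from ipfw itself: a Python function that reads one control-channel line (a client PORT command or a server 227 passive reply) and derives the single ipfw rule a dynamic-rule firewall would add for the data connection, instead of the "large hole" of option 3. The addresses in the comments are constructed, and the refusal of a data endpoint that names a host other than the control-connection peer or a port below 1024 is my added check, not something the thread states.

```python
import re

# Passive data-port range quoted in the thread for the base-system ftpd.
PASV_RANGE = (49152, 65535)

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated FTP octets into (ip, port), or None if any
    octet is out of range (a malformed line must never open anything)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def dynamic_rule(line, client_ip, server_ip, pasv_range=PASV_RANGE):
    """Emulate option 5: from one control-channel line, return the ipfw rule
    (as a string in ipfw syntax) that admits exactly the announced data
    connection, or None when the line must be refused.

    client_ip / server_ip are the two ends of the control connection; the
    announced endpoint must belong to that same peer (added check, not from
    the thread) so the hole can never be steered to a third host.
    """
    m = PORT_RE.match(line)               # active mode: client names its port
    if m:
        ep = decode_hostport(m.groups())
        if ep is None or ep[0] != client_ip or ep[1] < 1024:
            return None
        # base ftpd connects from port 20 to the client's announced port
        return f"allow tcp from {server_ip} 20 to {client_ip} {ep[1]} setup"
    m = PASV_RE.match(line)               # passive mode: server names its port
    if m:
        ep = decode_hostport(m.groups())
        if ep is None or ep[0] != server_ip:
            return None
        if not (pasv_range[0] <= ep[1] <= pasv_range[1]):
            return None                   # outside the range option 3 opens
        return f"allow tcp from {client_ip} to {server_ip} {ep[1]} setup"
    return None                           # any other line opens nothing


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not hosts from the thread.
    print(dynamic_rule("PORT 198,51,100,7,195,81", "198.51.100.7", "192.0.2.10"))
    print(dynamic_rule("227 Entering Passive Mode (192,0,2,10,195,81)",
                       "198.51.100.7", "192.0.2.10"))
```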