Date: Sat, 28 Dec 2002 13:19:29 -0600
From: Hari Bhaskaran <subscr@spider.netmails.net>
To: freebsd-questions@freebsd.org
Subject: Allowing outgoing passive ftp via IPFILTER
Message-ID: <20021228131929.A38922@spider.netmails.net>
Hi,

I have an IPFILTER firewall that, ideally, should not allow any arbitrary outgoing connections. So right now, I only allow 25, 80 and 21. The machine itself is behind one more firewall (at least temporarily), so I can't do active ftp even if IPFILTER does any kind of proxying.

Is there a way to allow passive *outgoing* ftp via IPFILTER? I have tried using dummy IPNAT via

    map 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp

(after enabling ipnat_enable=yes in /etc/rc.conf). That didn't work either. The docs I read didn't make it clear whether IPFILTER's proxy is trying to proxy an ftp server behind a firewall or an ftp client behind a firewall. In my case I am not running any ftp service; I am merely trying to get an ftp client to work.

So, short of

    pass out quick on fxp0 proto tcp any to any

is there a way I can make IPFILTER temporarily enable a 'destination' port based on the current ftp session? I would be the only one using ftp from this machine, so even if I could force the ftp server (probably not, since I am only a remote client) to use a pre-set port on its end for passive ftp connections, even that is fine.

BTW, if ipfw or ipchains or any such alternatives can do this, I am also ready to switch to that firewall setup.

--
Hari Bhaskaran
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021228131929.A38922>