From: Hari Bhaskaran
To: freebsd-questions@freebsd.org
Date: Sat, 28 Dec 2002 13:19:29 -0600
Subject: Allowing outgoing passive ftp via IPFILTER
Message-ID: <20021228131929.A38922@spider.netmails.net>

Hi,

I have an IPFILTER firewall that, ideally, should not allow any arbitrary outgoing connections. So right now, I only allow 25, 80 and 21. The machine itself is behind one more firewall (at least temporarily) so that I can't do active ftp even if the IPFILTER does any kind of proxying.

Is there a way to allow passive *outgoing* ftp via IPFILTER? I have tried using dummy IPNAT via

    map 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp

(after enabling ipnat_enable=yes in /etc/rc.conf). That didn't work either. The docs I read didn't make it clear if the IPFILTER's proxy is trying to proxy an ftp server behind a firewall or an ftp client behind a firewall. In my case I am not running any ftp service. I am merely just trying to get an ftp client to work.

So short of

    pass out quick on fxp0 proto tcp any to any

is there a way I can make IPFILTER temporarily enable a 'destination' port based on the current ftp session?

I would be the only one using ftp from this machine, so even if I could force the ftp-server (probably not, since I am only a remote client) to use a pre-set port on its end for passive ftp connections, even that is fine.

BTW, if ipfw or ipchains or any such alternatives can do this, I am also ready to switch to that firewall setup.

--
Hari Bhaskaran
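What the poster is asking for is an FTP-aware filter that reads the server's "227 Entering Passive Mode" reply on the control connection and opens only the ephemeral destination port it announces. The following added example (not from the post, and not IPFILTER's own proxy code) shows that decision logic in Python: it parses the 227 reply and accepts the data target only if the announced host is the server already on the control connection and the port is unprivileged, which is the check a stateful FTP proxy should apply before inserting a temporary rule. The sample replies and the 192.0.2.x addresses are constructed.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data port is p1 * 256 + p2.
_PASV_RE = re.compile(
    r"^227\s[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line: str):
    """Return (host, port) announced by a 227 reply, or None if the line is
    not a well-formed passive-mode reply."""
    m = _PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):  # each field is one octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_to_open(line: str, control_peer: str):
    """Decide which (host, port) an FTP-aware filter may temporarily allow as
    an outgoing data connection for this session.

    Returns None when the reply must be ignored:
      - the announced host differs from the server on the control connection
        (a server must not be able to steer the client at a third party),
      - the announced port is privileged (<= 1023), which no legitimate
        passive data listener should use.
    control_peer is the server address of the existing control connection."""
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return None
    host, port = parsed
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return None
    if port <= 1023:
        return None
    return host, port
```

With the sample reply `227 Entering Passive Mode (192,0,2,10,195,89)` from server 192.0.2.10, the filter would open TCP port 50009 to that host only, for the lifetime of the control session.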