Date: Fri, 26 Oct 2001 10:57:29 -0700 (PDT)
From: X Philius <xphilius@yahoo.com>
To: Mike Meyer <mwm@mired.org>, Patrick O'Reilly <patrick@mip.co.za>
Cc: questions@freebsd.org
Subject: RE: ipfw rules for FTP - passive vs. active
Message-ID: <20011026175729.89251.qmail@web11808.mail.yahoo.com>
In-Reply-To: <15320.17295.222857.730255@guru.mired.org>
Mike, I've got a related question. I have a set of IPFW rules that work
pretty well. With the Mac and PC FTP clients I use, it works fine as long
as I force active mode. However, I have been having problems accessing the
server with terminal-style FTP clients, either from other *nix machines or
from NT. I can connect fine, but as soon as I try to 'put' or 'ls' it
tries to switch to passive mode and just hangs. I swear I have read the
entire man pages for the FTP client that comes with FreeBSD, and I know
the -p flag forces passive mode, but how do you force active mode?

Thanks in advance.

Jason

--- Mike Meyer <mwm@mired.org> wrote:
> Patrick O'Reilly <patrick@mip.co.za> types:
> > Karl,
> >
> > thanks for your response. I guess I am just a few steps behind you, and
> > desperately hoping NOT to get to the point of giving up.
>
> It *is* possible. It's not easy.
>
> > PS: I posted to FreeBSD because I'm using ipfw and was hoping that ipfw
> > might have the silver bullet I need. If so, that is FreeBSD specific.
> > Anyway, I'm starting to dig deeper into what keep-state can and cannot do.
>
> keep-state can't do this for you. It can be used to replace the
> "established" rule you have for TCP, and there are pluses and minuses
> to that. Using it for UDP is the real win, as it allows the return
> packets through without jumping through hoops to do it.
>
> The problem is that FTP does very much magic which very few people
> use. But allowing for that magic in a firewall is a major PITA -
> *especially* if both sides want firewalls! Here are the ways I know
> around it:
>
> 1: Force your remote users to use active FTP.
>
> 2: Blow off ftp and put everything on a XXXXXX server that doesn't do
> the magic and so doesn't have these problems. HTTP and various P2P
> tools come to mind.
>
> 3: Open a *large* hole, either 1024-4999 or 49152-65535 depending on
> the configuration of the base system ftpd. If you're using a
> different ftpd, you'll have to check its documentation.
>
> 4: Install an FTP proxy server outside the firewall. You then open
> holes as above, but only for the proxy server, not for everyone.
>
> 5: Use firewall software that understands the ftp protocol, and adds a
> dynamic rule for the incoming connection when the appropriate
> packets go by.
>
> If there's another one, I haven't run into it. I've implemented all of
> the above at one time or another, and prefer #2.
>
> <mike
> --
> Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/
> Q: How do you make the gods laugh? A: Tell them your plans.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
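The "magic" Mike describes, and the reason Jason's passive-mode sessions hang, can be seen by parsing the control-channel messages that carry the data-connection endpoint. The following is an added example, not code from any poster or from FreeBSD: it decodes the PORT command and the 227 PASV reply, describes the resulting TCP data connection from the FTP server's firewall point of view, checks whether a fixed inbound port range (option 3 above) would admit it, and shows the one-connection rule an FTP-aware firewall (option 5) would add instead. The addresses, ports, session and rule numbers are constructed, and the ipfw ruleset it assumes is spelled out in the docstrings.

```python
"""FTP data-connection negotiation versus a static ipfw-style hole.

Added example for the thread above; it is not code from any poster or
from FreeBSD.  It parses the PORT command / 227 PASV reply that carry the
data-connection endpoint, describes the resulting TCP connection from the
FTP *server's* firewall point of view, and checks whether a fixed inbound
port range (option 3 above) would let it through.  The IP addresses,
ports and control-channel messages below are constructed.
"""
import re

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def data_connection(msg, client_ip, server_ip):
    """Describe the data connection implied by one control-channel message.

    Directions are from the server-side firewall's point of view:
      active  (client sent PORT):   server connects OUT from port 20 to the client;
      passive (server replied 227): client connects IN to a high server port.
    """
    if msg.upper().startswith("PORT "):
        ip, port = parse_hostport(msg)
        if ip != client_ip:
            # a PORT naming a third host is the classic FTP bounce; refuse it
            raise ValueError("PORT host %s is not the control peer %s" % (ip, client_ip))
        return {"mode": "active", "dir": "out", "src": server_ip, "sport": 20,
                "dst": ip, "dport": port}
    if msg.startswith("227 "):
        ip, port = parse_hostport(msg)
        if ip != server_ip:
            raise ValueError("227 host %s is not the server %s" % (ip, server_ip))
        return {"mode": "passive", "dir": "in", "src": client_ip, "sport": None,
                "dst": ip, "dport": port}
    raise ValueError("not a PORT command or 227 reply: %r" % msg)


def static_allows(conn, inbound_hole):
    """Would a static server-side ruleset admit this data connection?

    Assumed ruleset (option 3 in the thread): allow inbound setup to port 21
    and to inbound_hole=(lo, hi); allow outbound setup from port 20; allow
    established; deny every other setup.  A denied inbound SYN is dropped
    silently, which the client experiences as the hang described above.
    """
    if conn["dir"] == "out":
        return conn["sport"] == 20
    lo, hi = inbound_hole
    return lo <= conn["dport"] <= hi


def dynamic_rule(conn, rule_no=1000):
    """ipfw-style rule an FTP-aware firewall (option 5) would add for exactly
    this connection instead of a standing hole.  The rule number is arbitrary."""
    if conn["dir"] == "in":
        return "ipfw add %d allow tcp from %s to %s %d in setup" % (
            rule_no, conn["src"], conn["dst"], conn["dport"])
    return "ipfw add %d allow tcp from %s 20 to %s %d out setup" % (
        rule_no, conn["src"], conn["dst"], conn["dport"])


def simulate(messages, client_ip, server_ip, inbound_hole):
    """Run a list of control-channel messages through the checks above."""
    out = []
    for msg in messages:
        conn = data_connection(msg, client_ip, server_ip)
        out.append((conn["mode"], conn["dport"], static_allows(conn, inbound_hole)))
    return out


# Constructed session: one active transfer, then the client switches to
# passive and the server picks a port in the 49152-65535 range.
CLIENT, SERVER = "203.0.113.5", "192.0.2.10"
SESSION = [
    "PORT 203,0,113,5,4,1",                              # client port 4*256+1 = 1025
    "227 Entering Passive Mode (192,0,2,10,192,100).",  # server port 49252
]

if __name__ == "__main__":
    for hole in ((1024, 4999), (49152, 65535)):
        print("inbound hole %d-%d:" % hole, simulate(SESSION, CLIENT, SERVER, hole))
    print(dynamic_rule(data_connection(SESSION[1], CLIENT, SERVER)))
```

Running it shows the active transfer passing under either hole (the server only needs its outbound port 20 allowed), while the passive transfer to port 49252 passes only when the hole covers the range the server's ftpd actually uses; with a 1024-4999 hole the SYN is dropped and the client sits waiting, which is the symptom Jason reports. The bounce check in `data_connection` is the kind of sanity test an FTP-aware firewall has to make before trusting a PORT line to open anything.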
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011026175729.89251.qmail>