From owner-freebsd-questions Fri May 11 9:38:17 2001
From: Mike Meyer
Date: Fri, 11 May 2001 11:38:11 -0500
To: "Artem Koutchine"
Cc: questions@freebsd.org
Subject: Re: Allow rules for ipfw for active ftp
Message-ID: <15100.5491.929121.957331@guru.mired.org>
In-Reply-To: <5989250@toto.iv>

Artem Koutchine types:
> Is it possible to allow active (as opposed to passive)
> ftp connection using ipfw rules?

Yes, it's possible. You need to allow access from any arbitrary TCP port - though restricting to ports > 1024 will probably work - to either any port in 1024-4999, or any port in 49152-65535, or both, depending on your ftp server and system configuration. And that may not be sufficient. The higher port range is generally safe, but the lower one has lots of interesting things living in it that I'd rather *not* have accessible through the firewall.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
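As an added example (a shell script written for this page, not code from the post, from FreeBSD or from ipfw itself), the following generates the ipfw rules the reply describes for the high ephemeral range alone or for both ranges, lets you check which source/destination port pairs the resulting policy would admit, and lists the listening ports that opening a range would expose, which is the substance of the caveat about the lower range. The outside interface name, the host address, the rule numbers and the source-port restriction (the reply's "> 1024" suggestion, kept as a variable) are assumptions; the netstat sample embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the post. Emits the ipfw(8) rules the reply
# describes for inbound active-FTP data connections and checks what a range
# exposes before the rules are loaded. Assumed (not from the post): the
# outside interface (EXT_IF), this host's address (MY_IP), rule numbers.
EXT_IF="${EXT_IF:-fxp0}"          # assumed outside interface
MY_IP="${MY_IP:-192.0.2.10}"      # assumed address of the host receiving data connections
SRC_PORTS="1025-65535"            # the reply's suggestion: restrict the source to > 1024
LOW_RANGE="1024-4999"             # FreeBSD default ephemeral range (from the reply)
HI_RANGE="49152-65535"            # FreeBSD high ephemeral range (from the reply)

# active_ftp_rules MODE ("high" or "both"): print the ipfw add commands.
# 'setup' matches only the connection-opening SYN, so each rule admits a new
# data connection and nothing else; 'established' carries the open connections.
active_ftp_rules() {
    mode="$1"
    echo "ipfw add 1000 allow tcp from any $SRC_PORTS to $MY_IP $HI_RANGE in via $EXT_IF setup"
    if [ "$mode" = "both" ]; then
        echo "ipfw add 1010 allow tcp from any $SRC_PORTS to $MY_IP $LOW_RANGE in via $EXT_IF setup"
    fi
    echo "ipfw add 1020 allow tcp from any to any established"   # packets of open connections
    echo "ipfw add 65000 deny ip from any to any"                # everything else
}

# admits MODE SRC_PORT DST_PORT: exit 0 if the policy would pass the SYN.
admits() {
    mode="$1"; src="$2"; dst="$3"
    [ "$src" -gt 1024 ] || return 1
    if [ "$dst" -ge 49152 ] && [ "$dst" -le 65535 ]; then return 0; fi
    if [ "$mode" = "both" ] && [ "$dst" -ge 1024 ] && [ "$dst" -le 4999 ]; then return 0; fi
    return 1
}

# exposed_listeners LO HI: read 'netstat -an -p tcp' output on stdin and print
# the listening ports inside LO..HI. Every port printed becomes reachable from
# outside once the allow rule for that range is loaded.
exposed_listeners() {
    awk -v lo="$1" -v hi="$2" '
        $NF == "LISTEN" { n = split($4, a, "."); p = a[n] + 0
                          if (p >= lo + 0 && p <= hi + 0) print p }'
}

# Constructed sample of netstat output (not captured from a real host).
SAMPLE_NETSTAT='tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.2049                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.3128          *.*                    LISTEN
tcp4       0      0  *.6000                 *.*                    LISTEN'

# demo_exposed LO HI: run the listener check over the constructed sample.
demo_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "$1" "$2"
}

# Usage: sh active_ftp.sh show [high|both]
# On a real host replace the sample with: netstat -an -p tcp | exposed_listeners 1024 4999
if [ "${1:-}" = "show" ]; then
    active_ftp_rules "${2:-high}"
    echo "# listeners the low range would expose (sample data):"
    demo_exposed 1024 4999
fi
```

Run the listener check before adding the 1024-4999 rule: with the sample data it reports 2049 and 3128 (the NFS and proxy listeners inside the low range) and nothing for 49152-65535, which is exactly the difference the reply draws between the two ranges. The `admits` function mirrors the generated rules so the policy can be reasoned about without loading it into a live firewall.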