From owner-freebsd-questions Fri May 11 10:46:20 2001
Date: Fri, 11 May 2001 19:45:57 +0200 (CEST)
From: Paul Herman
To: Mike Meyer
Cc: Artem Koutchine ,
Subject: Re: Allow rules for ipfw for active ftp
In-Reply-To: <15100.5491.929121.957331@guru.mired.org>

On Fri, 11 May 2001, Mike Meyer wrote:

> Artem Koutchine types:
> > Is it possible to allow active (as opposed to passive)
> > ftp connection using ipfw rules?
>
> Yes, it's possible. You need to allow access from any arbitrary TCP
> port - though restricting to ports > 1024 will probably work - to
> either any port in 1024-4999, or any port in 49152-65535, or both,
> depending on your ftp server and system configuration. And that may
> not be sufficient.

I've used the '-punch_fw' option to natd(8) with relatively good results.

-Paul.
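An added example, not part of the original thread and not natd's code: it contrasts the static port ranges quoted above with the idea behind dynamic hole punching, where only the data connection announced in the client's FTP PORT command is opened. The function names, rule number 20000, the documentation addresses, and the assumption that the server connects from source port 20 are all illustrative.

```python
import ipaddress

# Static ranges quoted in the thread: every port in them stays reachable.
STATIC_RANGES = [(1024, 4999), (49152, 65535)]

def static_exposure():
    """Number of client ports a static range rule leaves open."""
    return sum(hi - lo + 1 for lo, hi in STATIC_RANGES)

def parse_port_command(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (IPv4Address, port)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = arg.split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        raise ValueError("PORT needs six decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    # Port is sent as two bytes, high byte first.
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]

def hole_for(control_client, server, port_line, rule_no=20000):
    """Build one narrow ipfw rule for the announced data connection.

    Rejects a PORT address that differs from the control-connection peer
    (the FTP bounce pattern) and data ports below 1024.
    Assumes the server's data connection comes from source port 20.
    """
    ip, port = parse_port_command(port_line)
    if ip != ipaddress.IPv4Address(control_client):
        raise ValueError("PORT address differs from control-connection peer")
    if port < 1024:
        raise ValueError("refusing privileged data port")
    return f"ipfw add {rule_no} allow tcp from {server} 20 to {ip} {port} setup"

if __name__ == "__main__":
    # Constructed sample: client 192.0.2.10, server 198.51.100.5.
    print(static_exposure(), "ports open with the static ranges")
    print(hole_for("192.0.2.10", "198.51.100.5", "PORT 192,0,2,10,195,80"))
```

A real hole-punching implementation also removes the temporary rule once the data connection ends; this sketch only shows how narrow the opened rule can be.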