Date: Sat, 12 May 2001 17:58:34 +0400
From: "Artem Koutchine" <matrix@ipform.ru>
To: "Paul Herman" <pherman@frenchfries.net>, "Mike Meyer" <mwm@mired.org>
Cc: <questions@FreeBSD.ORG>
Subject: Re: Allow rules for ipfw for active ftp
Message-ID: <006001c0daeb$a7ed7260$0c00a8c0@ipform.ru>
References: <Pine.BSF.4.33.0105111943380.34173-100000@husten.security.at12.de>

> On Fri, 11 May 2001, Mike Meyer wrote:
>
> > Artem Koutchine <matrix@ipform.ru> types:
> > > Is it possible to allow active (as opposed to passive)
> > > ftp connection using ipfw rules?
> >
> > Yes, it's possible. You need to allow access from any arbitrary TCP
> > port - though restricting to ports > 1024 will probably work - to
> > either any port in 1024-4999, or any port in 49152-65535, or both,
> > depending on your ftp server and system configuration. And that may
> > not be sufficient.
>
> I've used the '-punch_fw' option to natd(8) with relatively good
> results.

Tried that w/o any result. I don't even understand how it might help
in ftp connection or even how punch_fw should help at all. The client
is behind the firewall. The server is open wide. Server wants to
connect from arbitrary port to client's arbitrary port. There is no
way firewall could know that this connection is related to the already
established ftp command connection. So, how does -punch_fw help?

Artem
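
Background to the question above, as an added example that is not part of the original message and not natd's code: in active FTP the client announces its data endpoint in a PORT command on the control connection (RFC 959), which is the information a control-channel-aware NAT or firewall can use to relate the later data connection to the session. The Python sketch below parses such a command and derives the one inbound connection to allow, refusing endpoints that do not belong to the control connection's client; the function names, the `min_port` default and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (six decimal fields)
_PORT_RE = re.compile(r"^PORT ((?:[0-9]{1,3},){5}[0-9]{1,3})$", re.IGNORECASE)


def parse_port_command(line):
    """Return (IPv4Address, port) announced by a PORT command, or None."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]


def data_pinhole(control_client_ip, control_server_ip, line, min_port=1024):
    """Describe the single server-to-client data connection to allow.

    Returns None when the announced endpoint is not the control
    connection's own client (FTP bounce) or is a privileged port.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != ipaddress.IPv4Address(control_client_ip) or port < min_port:
        return None
    # Source port is left open: the server may connect from any port.
    return {"proto": "tcp", "src": control_server_ip,
            "dst": str(ip), "dst_port": port}


if __name__ == "__main__":
    # Constructed sample: client 192.0.2.10 talking to server 198.51.100.5
    for cmd in ("PORT 192,0,2,10,195,80",     # own address, port 50000
                "PORT 203,0,113,7,195,80",    # third-party address
                "PORT 192,0,2,10,0,22"):      # privileged port
        print(cmd, "->", data_pinhole("192.0.2.10", "198.51.100.5", cmd))
```
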