From: "Artem Koutchine"
To: "Paul Herman", "Mike Meyer"
Subject: Re: Allow rules for ipfw for active ftp
Date: Sat, 12 May 2001 17:58:34 +0400
Organization: IP Form

> On Fri, 11 May 2001, Mike Meyer wrote:
>
> > Artem Koutchine types:
> > > Is it possible to allow active (as opposed to passive)
> > > ftp connection using ipfw rules?
> >
> > Yes, it's possible. You need to allow access from any arbitrary TCP
> > port - though restricting to ports > 1024 will probably work - to
> > either any port in 1024-4999, or any port in 49152-65535, or both,
> > depending on your ftp server and system configuration. And that may
> > not be sufficient.
>
> I've used the '-punch_fw' option to natd(8) with relatively good
> results.

Tried that w/o any result. I don't even understand how it might help
in an ftp connection or even how punch_fw should help at all. The client
is behind the firewall. The server is open wide. Server wants to connect
from arbitrary port to client's arbitrary port. There is no way firewall
could know that this connection is related to the already established
ftp command connection.

So, how does -punch_fw help?

Artem
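An added example, not part of the thread and not natd's own code: a helper that reads the client's PORT command on the FTP control channel can derive a one-connection ipfw rule instead of opening the whole port ranges quoted above. The function names, the sample addresses, and the server data port 20 are assumptions, and no address translation is modelled.

```python
import ipaddress
import re

# Active FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# connection; the server then connects to h1.h2.h3.h4 port p1*256+p2.
PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_command(line):
    """Return (IPv4Address, port) announced by a PORT command, or None."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # each field must fit in one octet
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def hole_for(line, client_ip, server_ip, server_data_port=20):
    """Build the arguments of a narrow ipfw rule for one data connection.

    Returns None for anything that is not a well-formed PORT command, for a
    PORT naming a host other than the control connection's client (FTP
    bounce), and for a privileged destination port.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != ipaddress.IPv4Address(client_ip) or port < 1024:
        return None
    # "setup" matches only the opening SYN of the data connection.
    return f"add allow tcp from {server_ip} {server_data_port} to {ip} {port} setup"


if __name__ == "__main__":
    # Constructed sample: documentation addresses, not taken from the thread.
    print(hole_for("PORT 192,0,2,10,195,80\r\n", "192.0.2.10", "198.51.100.5"))
```

A real helper would also delete the rule once the data connection closes or a timeout expires; a server that does not connect from port 20 needs a different `server_data_port`.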