From: Paul Herman
To: Artem Koutchine
Cc: Mike Meyer
Date: Sat, 12 May 2001 18:18:59 +0200 (CEST)
Subject: Re: Allow rules for ipfw for active ftp
In-Reply-To: <006001c0daeb$a7ed7260$0c00a8c0@ipform.ru>

On Sat, 12 May 2001, Artem Koutchine wrote:

> > I've used the '-punch_fw' option to natd(8) with relatively good
> > results.
>
> The client is behind the firewall. The server is open wide. The server
> wants to connect from an arbitrary port to the client's arbitrary port.
> There is no way the firewall could know that this connection is
> related to the already established FTP command connection. So, how
> does -punch_fw help?

That's exactly what it does. When "natd -punch_fw" is running on the
client's firewall, it sees the FTP "PORT" commands and dynamically inserts
a rule into the firewall which allows the server to connect to the client.

I set this up once because I was running check-state rules, which of
course would allow passive mode, but the users wanted active mode as well.

-Paul.
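To make the mechanism Paul describes concrete, here is an added example (not natd's own code, and not from this thread) that models what a PORT-aware NAT does: parse the client's FTP "PORT h1,h2,h3,h4,p1,p2" command and hand back the single ipfw rule that lets the server reach that one client port, numbered out of a fixed base:count window the way natd's -punch_fw rules are. The exact rule shape, the port window and the "data address must be the client itself" check are assumptions for illustration, and the model ignores the address rewriting natd does for NAT (client_ip is the address the control connection came from).

```python
import re

# Constructed example, not natd's own code: a simplified model of what
# "natd -punch_fw" does when it sees an FTP PORT command on a control
# connection and inserts a matching ipfw rule. Rule shape and limits are
# assumptions for illustration.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2', or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]
    return ip, port


class PunchFirewall:
    """Hands out rule numbers from a fixed window (base:count, as natd does)."""

    def __init__(self, base, count):
        self.base, self.count, self.next = base, count, 0

    def punch(self, server_ip, client_ip, line):
        """Return the ipfw rule to add for this PORT command, or None."""
        parsed = parse_port_command(line)
        if parsed is None:
            return None
        ip, port = parsed
        # Only open the exact hole the control connection asked for: the data
        # address must be the client itself and the port must be unprivileged.
        if ip != client_ip or port < 1024:
            return None
        number = self.base + self.next
        self.next = (self.next + 1) % self.count  # reuse numbers in a ring
        return (f"ipfw add {number} allow tcp from {server_ip} "
                f"to {client_ip} {port} in setup")
```

In a real deployment the punched rule is also removed when the data connection closes; this model only shows the insert side, which is the part the question was about.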