Date:      Sat, 12 May 2001 23:32:47 +0400
From:      "Artem Koutchine" <matrix@ipform.ru>
To:        "Paul Herman" <pherman@frenchfries.net>
Cc:        "Mike Meyer" <mwm@mired.org>, <questions@FreeBSD.ORG>
Subject:   Re: Allow rules for ipfw for active ftp
Message-ID:  <000e01c0db1a$587e9fe0$0c00a8c0@ipform.ru>
References:  <Pine.BSF.4.33.0105121810530.11676-100000@husten.security.at12.de>

> > > I've used the '-punch_fw' option to natd(8) with relatively good
> > > results.
> >
> > The client is behind the firewall. The server is open wide. The server
> > wants to connect from an arbitrary port to the client's arbitrary port.
> > There is no way the firewall could know that this connection is
> > related to the already established ftp command connection. So, how
> > does -punch_fw help?
>
> That's exactly what it does.  When "natd -punch_fw" is running on the
> client's firewall, it sees the FTP "PORT" commands and dynamically
> inserts a rule into the firewall which allows the server to connect to
> the client.

You are saying that ipfw KNOWS the ftp protocol and can look inside it
to understand what's going on? While this looks very unrealistic, I
will believe you for a moment. I tried adding -punch_fw and it did not
change a thing for me (FreeBSD 4.3-STABLE cvsupped and
make world'ed today). Still no active ftp connections. I admit that
the problem could be somewhere else, but I don't know how to
debug the firewall in this case (how should I see what punch_fw does
or what natd sees?). Could you send me your ipfw setup, or
should I send you mine?

Regards,
Artem
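As an added illustration of what the reply above describes (a NAT that reads the FTP control channel and opens a narrow, per-connection hole for the server's active-mode data connection), here is example code that is not from this thread and not FreeBSD's natd source. It parses the client's PORT commands, applies the sanity checks a firewall should make before trusting one, and emits the ipfw-style rule text a hole-puncher would add. The control-channel lines, the server address 203.0.113.5 and the rule-number window 10000..10099 are all constructed for the example; the exact rule form natd generates is an assumption, and a real natd also rewrites the private address in PORT to its public one.

```python
"""Derive the firewall holes an FTP-aware NAT would punch for active FTP.

Added example, not from the mailing-list thread or from natd itself.
Assumed: rule text mirrors ipfw's "allow tcp from A B to C D" syntax.
"""
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): address h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) for an FTP PORT command, or None for any other line."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % line.strip())
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def punch_rule(number, server_ip, client_ip, client_port):
    """Text of the rule for one data connection.  Active-mode servers connect
    from port 20 to the port the client announced; the rule names one server,
    one client and one port so it opens nothing beyond that transfer."""
    return "%d allow tcp from %s 20 to %s %d" % (
        number, server_ip, client_ip, client_port)


def holes_for_session(control_lines, server_ip, expected_client_ip,
                      base=10000, count=100):
    """Walk client->server control lines and return the rules that would be
    punched, one per accepted PORT command.

    Checks before trusting a PORT line: the announced address must be the
    client's own (a third-party address must never open a hole), and the
    announced port must be unprivileged.  Rule numbers cycle through
    base..base+count-1, mirroring the window natd reserves for its holes
    (assumed layout for this example).
    """
    rules = []
    for line in control_lines:
        parsed = parse_port_command(line)
        if parsed is None:
            continue
        ip, port = parsed
        if ip != expected_client_ip or port <= 1023:
            continue  # refuse to punch; a real implementation would log this
        number = base + (len(rules) % count)
        rules.append(punch_rule(number, server_ip, ip, port))
    return rules


# Constructed sample of the client side of an FTP control session.
SAMPLE_CONTROL = [
    "USER anonymous",
    "PASS guest@example.org",
    "PORT 192,168,0,12,4,1",    # 192.168.0.12:1025 -> accepted
    "LIST",
    "PORT 10,0,0,99,4,2",       # address is not the client's -> refused
    "PORT 192,168,0,12,0,21",   # privileged port 21 -> refused
    "PORT 192,168,0,12,7,208",  # 192.168.0.12:2000 -> accepted
    "RETR file.txt",
    "QUIT",
]

if __name__ == "__main__":
    for rule in holes_for_session(SAMPLE_CONTROL, "203.0.113.5", "192.168.0.12"):
        print("ipfw add " + rule)
```

Running it prints the two narrow rules the session would need; the two rejected PORT lines show why the puncher must validate the announced address and port rather than open whatever the client asks for. On a live box the equivalent check for the question raised above is to watch the rule-number window with `ipfw show` while a transfer is attempted: if no rule appears there, natd is not seeing the PORT command at all.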

