From: "Grant Cooper" (grant.cooper@nucleus.com)
List: freebsd-questions@freebsd.org
Subject: Re: ipfw rules
Date: Fri, 11 Oct 2002 18:10:08 -0600

I am having the same problem. I now just allow ftp from certain IP addresses. But doesn't the second rule,

# /sbin/ipfw add 10001 allow tcp from any 1024-65535 to any 1024-65535 setup keep-state

kind of beat the purpose of a firewall? That's a lot of open ports. I thought IPFW had a way to remember the ports opened by ftp and create rules dynamically based on the ports opened by ftp.

----- Original Message -----
Sent: Friday, October 11, 2002 3:33 PM
Subject: re: ipfw rules

> I was finally able to get ftp (using passive ftp) to work through our
> firewall.
>
> These are the rules I had to add:
>
> # /sbin/ipfw add 10000 allow tcp from any 1024-65535 to any 21 out setup keep-state
> # /sbin/ipfw add 10001 allow tcp from any 1024-65535 to any 1024-65535 setup keep-state
>
> The first rule (10000) allows our server to connect via any high port to any
> server out there on port 21 (ftp). This is to initiate the 'control
> connection'.
>
> The second rule (10001) allows anyone to connect via high ports to and from
> our server. This is for the data transfer part.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
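The following is an added example, not either poster's own rules: for a host that is the passive-FTP *client*, the data-connection rule can be restricted to outbound `setup` from the host's own address and paired with an explicit deny on inbound high-port setups, so the rule covers what passive FTP actually needs instead of accepting new connections in both directions. It assumes FreeBSD 4.x ipfw(8) syntax, a placeholder MYIP, and an APPLY_IPFW switch so the rules can be reviewed as text before being loaded.

```shell
#!/bin/sh
# Added example (not from the thread): narrower ipfw rules for a
# passive-FTP client. MYIP is a constructed placeholder address.
MYIP="${MYIP:-192.0.2.10}"
IPFW="${IPFW:-/sbin/ipfw}"

# Emit the rules as text, one per line, so they can be reviewed or
# diffed against 'ipfw list' before they touch the live firewall.
pasv_ftp_client_rules() {
    cat <<EOF
10000 check-state
10001 allow tcp from $MYIP 1024-65535 to any 21 out setup keep-state
10002 allow tcp from $MYIP 1024-65535 to any 1024-65535 out setup keep-state
10003 deny log tcp from any to $MYIP 1024-65535 in setup
EOF
}

# Sanity check: count 'allow' rules that would accept an inbound TCP
# setup on the high ports. The point of this ruleset is that it is 0.
# (grep -c exits 1 on a zero count, hence the '|| true'.)
inbound_high_port_allows() {
    pasv_ftp_client_rules | grep -c '^[0-9]* allow .* in setup' || true
}

# Load the rules; $rule is deliberately unquoted so it word-splits
# into separate ipfw arguments. Set IPFW=echo for a dry run.
apply_rules() {
    pasv_ftp_client_rules | while read -r rule; do
        $IPFW add $rule || return 1
    done
}

# Only modify the running firewall when explicitly asked.
if [ "${APPLY_IPFW:-0}" = "1" ]; then
    apply_rules
fi
```

Run with `APPLY_IPFW=1 IPFW=echo sh script.sh` to see the exact `ipfw add` commands without loading them.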