Date: Fri, 11 Oct 2002 18:10:08 -0600
From: "Grant Cooper" <grant.cooper@nucleus.com>
To: <tristan11@mindspring.com>, <freebsd-questions@freebsd.org>
Subject: Re: ipfw rules
Message-ID: <00b801c27183$bd3951e0$91fccecd@TCOOPER>
References: <Springmail.0994.1034371983.0.54062400@webmail.atl.earthlink.net>
I am having the same problem. I now just allow ftp from certain IP addresses. But doesn't the second rule,

# /sbin/ipfw 10001 allow tcp from any 1024-65535 to any 1024-65535 setup keep-state

kind of beat the purpose of a firewall? That's a lot of open ports. I thought IPFW had a way to remember the ports opened by ftp and create rules dynamically based on the ports opened by ftp.

----- Original Message -----
From: <tristan11@mindspring.com>
To: <freebsd-questions@freebsd.org>
Sent: Friday, October 11, 2002 3:33 PM
Subject: re: ipfw rules

> i was finally able to get ftp (using passive ftp) to work through our
> firewall. these are the rules I had to add:
>
> # /sbin/ipfw 10000 allow tcp from any 1024-65535 to any 21 out setup
> keep-state
> # /sbin/ipfw 10001 allow tcp from any 1024-65535 to any 1024-65535 setup
> keep-state
>
> the first rule (10000) allows our server to connect via any high port to any
> server out there on port 21 (ftp). this is to initiate the 'control
> connection'.
>
> the second rule (10001) allows anyone to connect via high ports to and from
> our server. this is for the data transfer part.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
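The concern above is the second rule: without `out` and with `any` as the source, it lets hosts anywhere open high-port connections toward the server, not just the server toward the FTP site. ipfw's `keep-state` only tracks flows it has already seen set up; it does not read the FTP PASV exchange to learn the data port, so the data rule has to be narrowed by direction and source instead. The script below is an added example, not part of the thread, showing a tightened version of the two rules for outbound passive FTP. It keeps the thread's rule numbers 10000 and 10001; rule number 9999 for `check-state`, the `me` source keyword and the `IPFW` variable (defaulting to `echo` so it only prints the commands when run on any machine) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Prints or applies a
# tightened ipfw rule set for a host that makes outbound passive-FTP
# connections. Set IPFW=/sbin/ipfw on a FreeBSD box to apply the rules;
# the default of "echo" is a dry run that works anywhere.
IPFW=${IPFW:-echo}

# Rule numbers 10000/10001 are the ones from the thread; 9999 is a
# constructed slot for check-state, which must run before the setup rules.
ftp_rules() {
    # Packets belonging to a session already recorded by keep-state are
    # accepted here, so the rules below only ever see new connections.
    $IPFW add 9999 check-state

    # Control channel: this host ("me") initiates to port 21 on the remote
    # server. "out" plus "setup" means only outbound SYNs match.
    $IPFW add 10000 allow tcp from me 1024-65535 to any 21 out setup keep-state

    # Data channel (passive mode): this host initiates to the server's
    # high port. Compared with the thread's rule 10001, "me" and "out"
    # stop it from matching inbound high-port connection attempts, while
    # keep-state still lets the server's reply packets through.
    $IPFW add 10001 allow tcp from me 1024-65535 to any 1024-65535 out setup keep-state
}

ftp_rules
```

Run it once with the default dry run to review the commands, then `IPFW=/sbin/ipfw sh script.sh` to load them. Inbound traffic still falls through to whatever deny rules already follow in the ruleset; nothing here grants any host on the outside a new way in.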