Date: Mon, 20 Nov 2000 15:50:21 -0500 (EST)
From: x@asdf.com
To: freebsd-questions@freebsd.org
Subject: ipfw, dynamic rules, and passive ftp
Message-ID: <Pine.BSF.4.21.0011201523470.71768-100000@bellona.asdf.com>
Hello,

I'm trying to set up one of our fbsd machines (3.5-Stable, though I haven't cvsuped in a while) that has a firewall (ipfw) to allow passive FTP in. Active works fine, but if someone is behind a firewall or is using NAT they need to go in as passive; however, the default way I had our ipfw rules set up wouldn't let passive in. I got it to allow it with these rules:

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow FTP
$fwcmd add pass tcp from any 1024-65535 to ${ip} 21 setup
$fwcmd add pass tcp from any 1024-65535 to ${ip} 20 setup
$fwcmd add pass tcp from any 1024-65535 to ${ip} 1024-65535 setup

The first and second FTP rules catch regular FTP, and then the established rule catches it from there. The last FTP rule is for passive. The thing is, I don't like it like this since it opens up a lot of high ports all the time.

What I would like to do is have ipfw automatically create the third FTP rule dynamically when the first rule is hit, then only keep it open for a bit and then close it. That way the ports will only be open for a little bit. Then it can go away and the established rule will take over.

Is this possible? I've been reading up on it but haven't been able to find (or understand) how to set it up. If this cannot be done, is this the best way to have the ipfw rules for FTP?

Thanks!

Dan
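A tighter ruleset along these lines, as an added example that is not part of the original message: it confines the server's passive data ports to a small range and allows only that range, which bounds the exposure without dynamic rules (ipfw's keep-state/check-state arrived with FreeBSD 4.x, and even there a dynamic rule created by the control connection does not open the PASV data port). It assumes the passive sockets are confined to the range given by the sysctls net.inet.ip.portrange.hifirst/hilast, which ftpd on later FreeBSD releases uses unless started with -U; the address and port numbers are constructed, and FWCMD/SYSCTLCMD default to echo so the script can be reviewed offline before it is run on a host.

```shell
#!/bin/sh
# Added example (not from the original message): a passive-FTP ruleset that
# exposes a narrow, server-controlled port range instead of all of 1024-65535.
# Assumption: ftpd takes its PASV ports from net.inet.ip.portrange.hifirst/hilast
# (check ftpd(8) on your release). Set FWCMD=/sbin/ipfw and SYSCTLCMD=/sbin/sysctl
# on the firewall host to apply; by default the commands are only echoed.
fwcmd=${FWCMD:-echo}
sysctlcmd=${SYSCTLCMD:-echo}
ip=${IP:-192.0.2.10}            # constructed sample server address
pasv_lo=${PASV_LO:-49152}       # constructed narrowed passive range
pasv_hi=${PASV_HI:-49407}       # 256 ports instead of 64512

# Tell the server which ports it may hand out in PASV replies.
narrow_pasv_range() {
  $sysctlcmd net.inet.ip.portrange.hifirst="$pasv_lo"
  $sysctlcmd net.inet.ip.portrange.hilast="$pasv_hi"
}

# Firewall rules: control port, narrowed passive range, active data, replies.
ftp_rules() {
  # Control connection from unprivileged client ports only.
  $fwcmd add pass tcp from any 1024-65535 to "$ip" 21 setup
  # Passive data: client connects to a port the server chose from the range.
  $fwcmd add pass tcp from any 1024-65535 to "$ip" "${pasv_lo}-${pasv_hi}" setup
  # Active data: the server, not the client, opens the connection from port 20.
  $fwcmd add pass tcp from "$ip" 20 to any 1024-65535 setup
  # Everything after the handshake is covered by the established rule.
  $fwcmd add pass tcp from any to any established
}

# Number of server ports a passive rule exposes, for comparing rulesets.
exposed_ports() {
  echo $(( $2 - $1 + 1 ))
}

narrow_pasv_range
ftp_rules
```

Running it with the defaults prints the sysctl and ipfw commands so the rule set can be reviewed; exposed_ports 1024 65535 versus exposed_ports 49152 49407 shows how much the passive rule shrinks.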