From: Peter Ross
Message-Id: <200012201306.OAA00816@pps.de>
Subject: Re: FTP and firewall
In-Reply-To: <200012191138.MAA26842@jung9.pps.de> from Peter Ross at "Dec 19, 2000 12:38:58 pm"
To: freebsd-security@FreeBSD.ORG
Date: Wed, 20 Dec 2000 14:06:34 +0100 (CET)

Hello,

I'm listening here and hope for answers. Sorry for my English. My girlfriend made some remarks.

I found these mails discussing the same problem:
( http://docs.freebsd.org/mail/archive/2000/freebsd-security/20000402.freebsd-security.html )

Paul Hart wrote:
> On Wed, 29 Mar 2000, Alan Batie wrote:
>
> > To do active mode ftp properly, ipfw would need to parse the contents
> > of the packets on the ftp control channel and dynamically allow the
> > corresponding incoming connection. There's no indication that this
> > parsing capability is present.
>
> I know we're talking about IPFW here, but hasn't IP Filter (also included
> with FreeBSD) been supporting this very operation for quite a while now?

I checked the man page again but I can't see it.

And Fernando Schapachnik wrote:
> What I have done is to configure FTPd to use ports between 40000 and
> 44999 (wu-ftpd allows it to be done easily; don't know others) and then:
>
> allow tcp from any to my_ip 40000-44999 in setup
>
> It's not the best, but still better than nothing.

But what's the best?

Peter Ross
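
The control-channel parsing discussed in the quoted mails, as an added example that is not part of the original message and not ipfw or IP Filter code: it reads one FTP control line (a client PORT command or a server 227 passive reply) and returns the single data connection a filter would have to admit. The function names, the documentation-range addresses and the checks (announced address must match the control connection, active port must be unprivileged, passive port must fall in the 40000-44999 range from the quoted rule) are assumptions of this sketch.

```python
import re
from typing import NamedTuple, Optional

class DataConn(NamedTuple):
    src: str       # host that opens the data connection
    dst: str       # host that listens for it
    dst_port: int

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"^PORT " + SIX + r"\s*$", re.I)    # client -> server
PASV_REPLY = re.compile(r"^227 [^0-9]*" + SIX)            # server -> client

def decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (dotted IP, port); None if an octet > 255."""
    nums = [int(g) for g in groups]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def expected_data_conn(line: str, client_ip: str, server_ip: str,
                       pasv_range=(40000, 44999)) -> Optional[DataConn]:
    """Data connection announced by one control-channel line, or None."""
    m = PORT_CMD.match(line)
    if m:   # active mode: the server will connect back to the client
        dec = decode(m.groups())
        # Accept only the control connection's own client and an unprivileged port.
        if dec and dec[0] == client_ip and dec[1] >= 1024:
            return DataConn(server_ip, client_ip, dec[1])
        return None
    m = PASV_REPLY.match(line)
    if m:   # passive mode: the client will connect to the server
        dec = decode(m.groups())
        lo, hi = pasv_range   # assumed: the range from the rule quoted in the thread
        if dec and dec[0] == server_ip and lo <= dec[1] <= hi:
            return DataConn(client_ip, server_ip, dec[1])
    return None

def as_rule(conn: DataConn) -> str:
    """Render the result in the style of the ipfw rule quoted in the thread."""
    return f"allow tcp from {conn.src} to {conn.dst} {conn.dst_port} in setup"

if __name__ == "__main__":
    # Constructed sample lines; addresses are from the documentation ranges.
    for l in ("PORT 192,0,2,55,195,80\r\n",
              "227 Entering Passive Mode (198,51,100,7,156,64)."):
        print(as_rule(expected_data_conn(l, "192.0.2.55", "198.51.100.7")))
```

Each returned rule covers one host pair and one port, where the static rule quoted above opens the whole 40000-44999 range to any source.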