From: "Peter Brezny" (envelope-from peter@skyrunner.net)
Delivered-To: freebsd-net@freebsd.org
Subject: passive mode ftp server, need stateful ipfw rule.
Date: Mon, 9 Dec 2002 16:16:40 -0500

Is it possible to create an ipfw ruleset for an ftp server in passive mode that figures out which random port the ftp server is going to open, to only allow the client that initiated the connection to connect to that port?

Since the client initiates its data connection from a random port to the new random data port on the passive mode server, I've so far not been able to come up with decent firewall rules to protect this type of system.

TIA,

Peter Brezny
Skyrunner.net
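The following is an added example, not part of the original post or any reply to it. A plain ipfw ruleset cannot read the PASV reply on the control channel, so it cannot learn the per-session data port or bind it to the client that opened the control connection; that needs an FTP-aware proxy or ALG. What ipfw's dynamic rules can do is confine the exposure: pin the server's passive data ports to a fixed range, open that range only for TCP setup packets tracked with dynamic state, cap how many data connections one source may hold, and deny every other inbound setup to the server. The server address, rule numbers and the 49152-65535 range are assumptions chosen here; the range must match what the ftpd actually uses (on FreeBSD's ftpd the high range is governed by the net.inet.ip.portrange.hifirst and .hilast sysctls unless ftpd is run with -U).

```shell
#!/bin/sh
# Added example: stateful ipfw rules for a passive-mode FTP server.
# All addresses, rule numbers and the port range below are constructed
# placeholders; adjust them to the real host and to ftpd's configured range.

SERVER="192.0.2.10"   # constructed placeholder address for the FTP server
PASV_LO=49152         # assumed passive data-port range; must match ftpd
PASV_HI=65535
PER_SRC_LIMIT=10      # max simultaneous data connections per client address

# Sanity-check the passive range: unprivileged, ordered, within 16 bits.
check_range() {
    lo=$1
    hi=$2
    [ "$lo" -gt 1023 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Emit the ruleset as text (one ipfw command per line, without the
# leading "ipfw") so it can be reviewed before it is loaded.
gen_rules() {
    check_range "$PASV_LO" "$PASV_HI" || return 1
    cat <<EOF
add 100 check-state
add 200 allow tcp from any to ${SERVER} 21 setup keep-state
add 300 allow tcp from any to ${SERVER} ${PASV_LO}-${PASV_HI} setup limit src-addr ${PER_SRC_LIMIT}
add 400 deny tcp from any to ${SERVER} setup
EOF
}

# Rule 100 passes packets that belong to an existing dynamic entry.
# Rule 200 creates an entry for each control session (port 21).
# Rule 300 creates an entry for each data connection into the passive
#          range, allowing at most PER_SRC_LIMIT per source address.
# Rule 400 refuses any other new TCP connection to the server, so the
#          rest of the unprivileged port space is closed.

# Load the rules only where ipfw exists (skipped on a non-BSD box).
if command -v ipfw >/dev/null 2>&1; then
    gen_rules | while read -r rule; do
        ipfw -q $rule
    done
fi
```

Note that the deny in rule 400 only covers inbound TCP to the server; outbound policy and other services are left to the rest of the ruleset. The `limit src-addr` option on rule 300 does not tie a data port to the client that negotiated it, but it does stop a single address from opening an unbounded number of data connections into the range.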