Date: Mon, 24 Dec 2001 20:23:45 -0600
From: David Kelly <dkelly@hiwaay.net>
To: Martin Schweizer <info@pc-service.ch>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw & ftp
Message-ID: <200112250223.fBP2NjU37711@grumpy.dyndns.org>
In-Reply-To: Message from Martin Schweizer <pcservi@spectraweb.ch> of "Mon, 24 Dec 2001 09:51:43 +0100." <20011224095143.B318@spectraweb.ch>
Martin Schweizer writes:
> Hello Darryl
>
> I attached you my rc.firewall. I found a solution with passive and active ftp

The flip side of "passive ftp" is "non-passive ftp". It's not really ftp that is being passive, but it's "ftp for passive firewalls who don't know the ftp protocol."

[...]

> ipfw add allow tcp from any 20 to me 1024-49151 keep-state # active FTP
> ipfw add allow tcp from any 20 to 192.168.1.1/24 1024-49151 keep-state

So all I have to do to probe you with impunity is to source my probes from port 20. Looking at my ipfw logs, your rule would let about 1 in 50 probes past. But then again you are running ftpd and intend outside connections to come in, but the above firewall rule opens everything else.

For outgoing connections I have found the punch_fw option of natd works perfectly for non-passive ftp but doesn't detect passive outgoing connections.

--
David Kelly N4HHE, dkelly@hiwaay.net
========================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
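The difference David points out, modelled as an added Python example that is not from the thread, from ipfw or from natd: the static "source port 20 to any high port" rule admits any packet that merely claims source port 20, whereas an FTP-aware filter (the idea behind natd's punch_fw) opens one hole per PORT command, for exactly the server, client address and port the control channel announced. The addresses, ports and the PORT command are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # remote address
    sport: int   # remote port
    dst: str     # local address
    dport: int   # local port


def static_rule_allows(pkt: Packet, me: str = "10.0.0.5") -> bool:
    """The rule from the thread: anything from source port 20 reaches any high port."""
    return pkt.sport == 20 and pkt.dst == me and 1024 <= pkt.dport <= 49151


class FtpAwareFilter:
    """Watches the outgoing control channel (me -> server:21) and punches one
    hole per PORT command, keyed on (server, announced client, announced port).
    Constructed model of the punch_fw idea, not natd's code."""

    # PORT h1,h2,h3,h4,p1,p2  (address = h1.h2.h3.h4, port = p1*256 + p2)
    PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def __init__(self, me: str):
        self.me = me
        self.holes: set[tuple[str, str, int]] = set()

    def on_control_data(self, server: str, payload: bytes) -> None:
        """Call with data the local client sent to server:21."""
        m = self.PORT_RE.search(payload)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        client = ".".join(map(str, h[:4]))
        port = h[4] * 256 + h[5]
        # Only punch a hole back to ourselves, and only into the high-port range.
        if client == self.me and 1024 <= port <= 49151:
            self.holes.add((server, client, port))

    def allows(self, pkt: Packet) -> bool:
        """Accept a data connection only if it matches a punched hole, then close it."""
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.sport == 20 and key in self.holes:
            self.holes.discard(key)   # one data connection per PORT command
            return True
        return False
```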