From owner-freebsd-questions Mon Dec 24 18:24:18 2001
Delivered-To: freebsd-questions@freebsd.org
Message-Id: <200112250223.fBP2NjU37711@grumpy.dyndns.org>
To: Martin Schweizer
Cc: freebsd-questions@FreeBSD.ORG
From: David Kelly
Subject: Re: ipfw & ftp
In-reply-to: Message from Martin Schweizer of "Mon, 24 Dec 2001 09:51:43 +0100." <20011224095143.B318@spectraweb.ch>
Date: Mon, 24 Dec 2001 20:23:45 -0600

Martin Schweizer writes:
> Hello Darryl
>
> I attached you my rc.firewall. I found a solution with passive and active ftp

The flip side of "passive ftp" is "non-passive ftp". It's not really ftp that is being passive, but rather "ftp for passive firewalls who don't know the ftp protocol."

[...]

> ipfw add allow tcp from any 20 to me 1024-49151 keep-state # active FTP
> ipfw add allow tcp from any 20 to 192.168.1.1/24 1024-49151 keep-state

So all I have to do to probe you with impunity is to source my probes from port 20. Looking at my ipfw logs, your rule would let about 1 in 50 probes past. But then again, you are running ftpd and intend outside connections to come in, but the above firewall rule opens everything else.

For outgoing connections I have found the punch_fw option of natd works perfectly for non-passive ftp, but it doesn't detect passive outgoing connections.

--
David Kelly N4HHE, dkelly@hiwaay.net
========================================================================
The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system.
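As an added example, not from the thread or from either poster: a small audit script that replays ipfw deny-log lines against the quoted "from any 20 to 192.168.1.1/24 1024-49151" rule and reports how many of the logged probes that rule would have admitted, the kind of measurement behind the "about 1 in 50" figure above. The syslog line layout is assumed from ipfw's logging on FreeBSD 4.x, and the sample log lines are constructed, not real traffic.

```python
import re
from ipaddress import ip_address, ip_network

# The rule under audit, as quoted in the thread:
#   ipfw add allow tcp from any 20 to 192.168.1.1/24 1024-49151 keep-state
PROTECTED_NET = ip_network("192.168.1.0/24")
ALLOWED_SRC_PORT = 20
ALLOWED_DST_PORTS = range(1024, 49152)   # 1024-49151 inclusive

# Constructed sample of inbound packets the default deny rule logged
# (assumed FreeBSD 4.x ipfw syslog format; not real traffic).
SAMPLE_LOG = """\
Dec 24 20:01:02 grumpy /kernel: ipfw: 65535 Deny TCP 10.9.8.7:20 192.168.1.5:1025 in via ed0
Dec 24 20:01:03 grumpy /kernel: ipfw: 65535 Deny TCP 10.9.8.7:1234 192.168.1.5:111 in via ed0
Dec 24 20:01:04 grumpy /kernel: ipfw: 65535 Deny TCP 10.9.8.7:20 192.168.1.9:22 in via ed0
Dec 24 20:01:05 grumpy /kernel: ipfw: 65535 Deny UDP 10.9.8.7:20 192.168.1.5:2049 in via ed0
Dec 24 20:01:06 grumpy /kernel: ipfw: 65535 Deny TCP 10.9.8.7:20 192.168.2.5:6000 in via ed0
Dec 24 20:01:07 grumpy /kernel: ipfw: 65535 Deny TCP 172.16.0.2:20 192.168.1.20:6000 in via ed0
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via"
)

def parse_log(text):
    """Return one dict per logged inbound packet; unparseable lines are skipped."""
    probes = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            probes.append(d)
    return probes

def would_pass(probe):
    """True if the quoted allow rule matches this packet before the deny rule."""
    return (probe["proto"] == "TCP"
            and probe["sport"] == ALLOWED_SRC_PORT
            and ip_address(probe["dst"]) in PROTECTED_NET
            and probe["dport"] in ALLOWED_DST_PORTS)

def audit(text):
    """Return (total inbound probes logged, probes the rule would have admitted)."""
    probes = parse_log(text)
    leaked = [p for p in probes if would_pass(p)]
    return len(probes), len(leaked)

if __name__ == "__main__":
    total, leaked = audit(SAMPLE_LOG)
    print(f"{leaked} of {total} logged probes would pass the port-20 rule")
```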