Date: Mon, 9 Dec 2002 16:42:11 -0500
From: "Peter Brezny" <peter@skyrunner.net>
To: "Orville R. Weyrich_Jr" <orville@ameriroots.com>
Cc: <freebsd-net@freebsd.org>
Subject: RE: passive mode ftp server, need stateful ipfw rule.
Message-ID: <NEBBIGLHNDFEJMMIEGOOIELGFEAA.peter@skyrunner.net>
In-Reply-To: <20021209145439.L45560-100000@localhost>
Yes but then you run into:
DYNAMIC RULES
In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules:
    ipfw add check-state
    ipfw add deny tcp from any to any established
And also, if you've got an:
    add allow all from any to any established
aren't you sort of setting yourself up? Couldn't someone establish a valid connection to a valid port, then have a field day?
TIA
Peter Brezny
Skyrunner.net
-----Original Message-----
From: Orville R. Weyrich_Jr [mailto:orville@ameriroots.com]
Sent: Monday, December 09, 2002 4:55 PM
To: Peter Brezny
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: passive mode ftp server, need stateful ipfw rule.
Isn't that what ESTABLISHED is used for?
On Mon, 9 Dec 2002, Peter Brezny wrote:
> Is it possible to create an ipfw ruleset for an ftp server in passive mode
> that figures out which random port the ftp server is going to open to only
> allow the client that initiated the connection to connect to that port?
>
> Since the client initiates its data connection from a random port to the
> new random data port on the passive mode server, I've so far not been able
> to come up with decent firewall rules to protect this type of system.
>
> TIA,
>
> Peter Brezny
> Skyrunner.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
-------------------------------------------------------------------------------
Orville R. Weyrich, Jr PhD. KD7HJV
mailto:orville@weyrich.com
-------------------------------------------------------------------------------
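The stateful ruleset the man-page excerpt above points at, written out as an added example (this is not code from the thread or from FreeBSD's own rc.firewall): it assumes a placeholder server address and passive port range, and that the ftp daemon has been configured to advertise only that range in its PASV replies.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw rules for a passive-mode
# FTP server. The server address and passive range are placeholders; the range
# must match what the ftp daemon is configured to hand out in PASV replies.
fwcmd="${FWCMD:-/sbin/ipfw}"   # set FWCMD=echo to preview the rules instead of loading them

# Refuse a passive range that is inverted or reaches into the privileged ports.
valid_range() {
    [ "$1" -ge 1024 ] 2>/dev/null && [ "$2" -le 65535 ] 2>/dev/null && [ "$1" -le "$2" ]
}

# Emit the rules. check-state is consulted first, so packets that belong to a
# tracked flow pass; state is created only by a SYN ('setup'), and any other
# packet carrying ACK that matches no state is dropped rather than admitted by
# a blanket 'allow ... established'.
ftp_rules() {
    server="$1" pasv_lo="$2" pasv_hi="$3"
    valid_range "$pasv_lo" "$pasv_hi" || { echo "bad passive range" >&2; return 1; }
    $fwcmd add 100 check-state
    # control connection to port 21
    $fwcmd add 200 allow tcp from any to "$server" 21 setup keep-state
    # passive data connections: only the advertised range, only when SYN-opened
    $fwcmd add 210 allow tcp from any to "$server" "${pasv_lo}-${pasv_hi}" setup keep-state
    # ACK/RST packets that belong to no tracked connection (the spoofed-packet case)
    $fwcmd add 300 deny tcp from any to any established
    # any other attempt to open a TCP connection to the server
    $fwcmd add 310 deny log tcp from any to "$server" setup
}

# Dry run when invoked with 'preview'; loading for real needs root on FreeBSD.
if [ "${1-}" = "preview" ]; then fwcmd=echo; ftp_rules 192.0.2.10 49152 65535; fi
```

Note that this still does not bind a data port to the client that owns the control connection: ipfw's dynamic rules track individual TCP flows, not the FTP protocol, so the practical mitigation is to keep the passive range narrow and to create state only from a SYN.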