From owner-freebsd-ipfw Fri Nov 16 14:47:34 2001
Date: Fri, 16 Nov 2001 14:47:02 -0800
From: "Crist J. Clark"
To: Konstantin
Cc: Chris Knight, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Stateful Rules and FTP
Message-ID: <20011116144702.E50971@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <00bb01c16e78$37d102a0$020aa8c0@aims.private> <7526380550.20011116202407@mail.ru>
In-Reply-To: <7526380550.20011116202407@mail.ru>; from skif_dk@mail.ru on Fri, Nov 16, 2001 at 08:24:07PM +0300

On Fri, Nov 16, 2001 at 08:24:07PM +0300, Konstantin wrote:
> Friday, November 16, 2001, 11:25:13 AM, you wrote:
>
> CK> I'm running 4.4-stable on a box with 3 interfaces: ed0, ed1 and ed2.
> CK> ed0 is the external interface.
> CK> ed1 is the DMZ interface.
> CK> ed2 is the internal interface.
>
> CK> I want a select group of machines in the DMZ to be able to FTP, and only
> CK> FTP, to a machine on the internal network to retrieve an installation image
> CK> and packages. I've found the only way I can get passive FTP going is with
> CK> the following rule:
>
> CK> add pass tcp from to keep-state in recv ed1 setup
>
> Change this string for FTP
> add pass tcp from to 21 keep-state in recv ed1 setup
> add pass tcp from 20 to keep-state in recv ed1 setup

I think you forgot to add that you need to switch to "active" FTP for
these rules to work. But realize these rules open you up to other
security issues. An FTP proxy would really be the way to go.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
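Added example (not from the thread above, nor from the ipfw project): a small Python model of how the two "active FTP" rules match TCP SYNs ("setup" packets), showing why they carry active but not passive FTP and why a rule keyed only on source port 20 is broader than its purpose. It assumes the elided addresses are a DMZ client (first rule's source) and the internal FTP server (second rule's source), uses constructed placeholder addresses and ports, and does not model the "in recv ed1" interface clauses.

```python
from dataclasses import dataclass
from typing import Optional

DMZ_CLIENT = "192.0.2.10"   # constructed placeholder for the DMZ host
INT_SERVER = "192.0.2.20"   # constructed placeholder for the internal FTP server

@dataclass(frozen=True)
class Rule:
    """One 'add pass tcp from SRC [SPORT] to DST [DPORT] ... setup' rule."""
    src: str
    sport: Optional[int]   # None = any source port
    dst: str
    dport: Optional[int]   # None = any destination port

    def matches(self, src: str, sport: int, dst: str, dport: int) -> bool:
        return (self.src == src and self.dst == dst
                and self.sport in (None, sport) and self.dport in (None, dport))

# The two rules from the reply, with the elided addresses replaced by the
# placeholders above (assumption: client first, server second).
ACTIVE_FTP_RULES = [
    Rule(DMZ_CLIENT, None, INT_SERVER, 21),   # control channel, client -> server:21
    Rule(INT_SERVER, 20, DMZ_CLIENT, None),   # data channel, server:20 -> client:any
]

def allowed_setup(rules, src, sport, dst, dport) -> bool:
    """Would a TCP SYN ('setup') be passed by any rule? With keep-state a
    matching SYN creates a dynamic entry that carries the rest of the flow,
    so the SYN decision is the one that decides the connection."""
    return any(r.matches(src, sport, dst, dport) for r in rules)

def ftp_session_outcomes(rules):
    """Which FTP connections the rule set passes; high ports are constructed."""
    return {
        "control": allowed_setup(rules, DMZ_CLIENT, 49152, INT_SERVER, 21),
        # passive mode: the client opens the data channel to a server-chosen port
        "passive_data": allowed_setup(rules, DMZ_CLIENT, 49153, INT_SERVER, 51000),
        # active mode: the server opens the data channel from port 20 to the client
        "active_data": allowed_setup(rules, INT_SERVER, 20, DMZ_CLIENT, 49154),
    }

def source_port_20_caveat(rules) -> bool:
    """The data rule keys only on source port 20, so a SYN from that port is
    passed to any destination port, not just the client's data port."""
    return allowed_setup(rules, INT_SERVER, 20, DMZ_CLIENT, 22)
```

Running ftp_session_outcomes shows passive data connections are dropped while the control and active data connections pass, which is the mode switch the reply points out; source_port_20_caveat shows the over-broad match that an FTP proxy avoids.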