From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Dave'"
Date: Fri, 18 May 2007 08:04:43 +0100
Subject: RE: ftp, pf, passive ftp and fetch
List: freebsd-pf@freebsd.org (Technical discussion and general questions about packet filter (pf))

> Hi,
> I'm trying to get ftp working from behind a pf firewall. I'm using
> pftpx on FreeBSD 6.2 for this. I believe I have passive working, one of my
> Windows boxes goes passive and dies on active.

Command line FTP client in Windows is active only.

> I've got three questions.
> First, portupgrade uses fetch for retrieval, correct? If so I want it to use
> the -p (passive option) by default whenever it tries an ftp url.

gw2:~ # set | grep -i ftp
FTP_PASSIVE_MODE=1

> Second, ncftp: I'd like to specify that it should use passive mode connections
> by default as well.

gw2:~ # grep -i passive .ncftp/prefs_v3
passive=on

> Last, is active or passive ftp better in terms of security
> strictly from a firewall perspective? I know the protocol isn't secure.

Passive is less of a PITA (that's not saying much). One doesn't have to handle ingress traffic initiated from the server. However, one either has to leave high ports open or use a L7 proxy to dynamically open the firewall for each request, hence pftpx.

> If active ftp is better than passive does anyone have a ruleset with it?
> I'm using a block by default ruleset.

I haven't used active FTP for years TBH. I have had serious arguments with vendors and suppliers who tried to insist on its use through environments I have had responsibility for.

Greg

> Thanks.
> Dave.
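As an added illustration of the firewall point made above (this is not code from the thread or from pftpx): a small Python parser for the two control-channel lines that set up an FTP data connection, showing which side must open it and to which dynamically chosen high port, plus the address check an L7 proxy has to make before it punches a hole for that connection. The sample lines and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines, not taken from the thread.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)\r\n"  # server -> client
PORT_CMD = "PORT 192,168,0,2,4,1\r\n"                            # client -> server
SERVER_IP, CLIENT_IP = "192.0.2.10", "192.168.0.2"

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply (RFC 959)
_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str       # "passive" or "active"
    initiator: str  # side that opens the TCP data connection
    direction: str  # seen from the client's firewall: "out" or "in"
    host: str       # address the data connection is made to
    port: int       # TCP port the data connection is made to (chosen per transfer)


def _decode(m):
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in h1,h2,h3,h4,p1,p2")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def parse_data_channel(line, control_peer):
    """Return the data connection implied by one control-channel line.

    control_peer is the address of the side that sent the line.  A proxy that
    opens firewall holes dynamically must refuse an h1..h4 that differs from
    it, or the peer could steer the hole towards a third host.  Returns None
    for lines that do not set up a data channel."""
    line = line.strip()
    m = _HP.search(line)
    if m is None:
        return None
    if line.startswith("227 "):             # server tells client where to connect
        host, port = _decode(m)
        mode, who, direction = "passive", "client", "out"
    elif line.upper().startswith("PORT "):  # client tells server where to connect
        host, port = _decode(m)
        mode, who, direction = "active", "server", "in"
    else:
        return None
    if host != control_peer:
        raise ValueError(f"{mode}: data address {host} differs from control peer {control_peer}")
    return DataChannel(mode, who, direction, host, port)
```

In passive mode the hole is an outbound one to the server's ephemeral port; in active mode it is an inbound one to the client's ephemeral port, which is exactly the ingress a block-by-default ruleset cannot express statically.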