Date:      Fri, 18 May 2007 08:04:43 +0100
From:      "Greg Hennessy" <Greg.Hennessy@nviz.net>
To:        "'Dave'" <dmehler26@woh.rr.com>, <freebsd-pf@freebsd.org>
Subject:   RE: ftp, pf, passive ftp and fetch
Message-ID:  <000d01c7991a$cff492e0$6fddb8a0$@Hennessy@nviz.net>
In-Reply-To: <000301c798e6$d51bfdf0$0200a8c0@satellite>
References:  <000301c798e6$d51bfdf0$0200a8c0@satellite>

> Hi,
>     I'm trying to get ftp working from behind a pf firewall. I'm using
> pftpx on FreeBSD 6.2 for this. I believe I have passive working, one of my
> Windows boxes goes passive and dies on active.

Command line FTP client in Windows is active only.

> I've got three questions. First,
> portupgrade uses fetch for retrieval, correct? If so I want it to use
> the -p (passive option) by default whenever it tries an ftp url.

gw2:~ # set | grep -i ftp
FTP_PASSIVE_MODE=1

> Second, ncftp I'd like to specify that it should use passive mode
> connections by default as well.

gw2:~ # grep -i passive .ncftp/prefs_v3
passive=on


> Last, is active or passive ftp better in terms of security
> strictly from a firewall perspective, I know the protocol isn't secure?

Passive is less of a PITA, (that's not saying much). 
One doesn't have to handle ingress traffic initiated from the server. 

However one either has to leave high ports open or use a L7 proxy to
dynamically open the firewall for each request, hence pftpx.

> If active ftp is better than passive does anyone have a ruleset with it?
> I'm using a block by default ruleset.

I haven't used active FTP for years TBH. I have had serious arguments with
vendors and suppliers who tried to insist on its use through environments I
have had responsibility for. 



Greg




> Thanks.
> Dave.
> 
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
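
Added example, not part of the message above and not pftpx's code: a sketch of what an L7 FTP proxy has to read from the control channel to open the firewall per request, showing that active mode needs a connection initiated from the server while passive needs one from the client to a high port. The function name pinhole, the sample lines and addresses, and the two refusal checks (advertised address must be the control peer, data port must be 1024 or above) are assumptions of this sketch.

```python
import re

# Control-channel lines that negotiate an FTP data connection (RFC 959, RFC 2428).
PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
PASV = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV = re.compile(r"^229 .*\((.)\1\1(\d+)\1\)")


def _endpoint(fields):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1 * 256 + p2."""
    nums = [int(f) for f in fields]
    if max(nums) > 255:
        raise ValueError("field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def pinhole(line, client, server):
    """Return (mode, src, dst, dport) for the data connection this line sets up,
    or None if the line negotiates nothing. client/server are the control
    connection's peers; an advertised address that differs is refused."""
    line = line.strip()
    if m := PORT.match(line):            # active: server connects back to client
        ip, port = _endpoint(m.groups())
        mode, src, dst = "active", server, client
    elif m := PASV.match(line):          # passive: client connects to server
        ip, port = _endpoint(m.groups())
        mode, src, dst = "passive", client, server
    elif m := EPSV.match(line):          # extended passive carries only a port
        ip, port = server, int(m.group(2))
        mode, src, dst = "passive", client, server
    else:
        return None
    if ip != dst:
        raise ValueError(f"advertised address {ip} is not the control peer {dst}")
    if not 1024 <= port <= 65535:
        raise ValueError(f"refusing data port {port}")
    return mode, src, dst, port


if __name__ == "__main__":
    # Constructed control-channel lines; addresses are documentation ranges.
    for l in ("USER anonymous", "PORT 192,0,2,10,195,80",
              "227 Entering Passive Mode (198,51,100,7,234,96)",
              "229 Entering Extended Passive Mode (|||60000|)"):
        print(repr(l), "->", pinhole(l, "192.0.2.10", "198.51.100.7"))
```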




