From owner-freebsd-questions Mon Mar 12 16:58:49 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from grumpy.dyndns.org (user-24-214-76-236.knology.net [24.214.76.236]) by hub.freebsd.org (Postfix) with ESMTP id B207B37B719 for ; Mon, 12 Mar 2001 16:58:46 -0800 (PST) (envelope-from dkelly@grumpy.dyndns.org)
Received: from localhost (localhost [127.0.0.1]) by grumpy.dyndns.org (8.11.2/8.11.2) with ESMTP id f2D0wDe06731; Mon, 12 Mar 2001 18:58:13 -0600 (CST) (envelope-from dkelly@grumpy.dyndns.org)
Message-Id: <200103130058.f2D0wDe06731@grumpy.dyndns.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: "Magdalinin Kirill"
Cc: kstewart@urx.com, freebsd-questions@FreeBSD.ORG
From: David Kelly
Subject: Re: ipfw rules for incoming passive mode ftp connections
In-reply-to: Message from "Magdalinin Kirill" of "Mon, 12 Mar 2001 14:15:21 +0300."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 12 Mar 2001 18:58:13 -0600
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Magdalinin Kirill" writes:
> Thanks, Kent. I added
>
> # This is for passive mode connections
> ${fwcmd} add pass tcp from any 1024-65535 to ${ip} 49152-65535 setup
>
> to the rule set and it seems to work fine. Actually, 1024-65535
> can be trimmed because ftp clients tend to use ports from 34???
> to ????? for passive mode connections. But I am short on time
> to find out the actual range.

If things are to be opened that wide, then what is the point in running
ipfw at all? No reply expected as this is more of a rhetorical question.

This is an example of where the expensive commercial firewalls shine, as a
good one is smart enough to know ftp and see the exchange specifying the
expected incoming ftp data connection, to open it for the duration and
close on completion. Seems like something that would be very doable in
ipfirewall with a small simple helper application.

Suspect that is exactly what the authors had in mind with ipfirewall(4)
and #include

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
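Editor's note (added example, not part of the message above or of any FreeBSD code): the "small simple helper application" David Kelly has in mind would watch the FTP control channel for the server's 227 reply, which per RFC 959 reads "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" with the data port being p1*256+p2, add a rule for exactly that client, server and port, and delete it again when the transfer ends. The sketch below does the rule-generation part of that job in Python: it parses a constructed control-channel transcript and returns the ipfw commands the helper would run. The server and client addresses (192.0.2.10 and 203.0.113.5), the rule numbers starting at 1000, and the transcript itself are constructed for the example; the check that the advertised address matches the server is this example's own addition, so that a spoofed or misconfigured 227 cannot make the helper open a hole towards some other host. For comparison, the quoted rule opens 16384 destination ports to every source address for as long as the ruleset is loaded (FreeBSD's ftpd draws passive-mode data ports from the kernel's high port range, 49152-65535 by default, which is what that rule covers).

```python
"""Generate per-transfer ipfw rules from FTP PASV replies.

Added example for the freebsd-questions thread on passive-mode ftp and
ipfw; not code from the thread or from FreeBSD. Addresses, rule numbers
and the sample transcript below are constructed.
"""
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Reply codes that end a data transfer, successfully or not. Seeing one of
# these is the point at which the hole opened for that transfer is closed.
TRANSFER_DONE = {"226", "250", "425", "426", "451"}


def parse_pasv(line):
    """Return (address, port) from a 227 reply, or None if the line is not a
    well-formed 227 (non-227 code, octet or port byte above 255, port 0)."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def pasv_rules(server_ip, client_ip, reply_lines, first_rule=1000):
    """Walk the server's control-channel replies and return the ipfw commands
    a helper would run: a narrow 'add ... setup' rule for each negotiated data
    port, and the matching 'delete' once the transfer is over.

    server_ip is the address the helper protects; client_ip is the peer of the
    control connection (a real helper would take it from the TCP socket)."""
    cmds = []
    open_rule = None
    rule_no = first_rule
    for line in reply_lines:
        parsed = parse_pasv(line)
        if parsed:
            addr, port = parsed
            # Example's own check: never open a hole towards an address other
            # than the server itself, whatever the 227 reply advertises.
            if addr != server_ip:
                continue
            if open_rule is not None:           # a PASV with no transfer: replace it
                cmds.append(f"ipfw delete {open_rule}")
            cmds.append(
                f"ipfw add {rule_no} pass tcp from {client_ip} to {server_ip} {port} setup"
            )
            open_rule = rule_no
            rule_no += 1
        elif line[:3] in TRANSFER_DONE and open_rule is not None:
            cmds.append(f"ipfw delete {open_rule}")
            open_rule = None
    return cmds


def ports_in_range(lo, hi):
    """Number of destination ports a static 'to ${ip} lo-hi' rule leaves open."""
    return hi - lo + 1


# Constructed server replies: one listing, one bogus 227 advertising a
# third-party address, then an aborted download.
SAMPLE_REPLIES = [
    "220 example FTP server ready.",
    "331 Password required.",
    "230 User logged in.",
    "227 Entering Passive Mode (192,0,2,10,195,80)",     # port 195*256+80 = 50000
    "150 Opening ASCII mode data connection for '/bin/ls'.",
    "226 Transfer complete.",
    "227 Entering Passive Mode (198,51,100,7,195,81)",   # foreign address: ignored
    "227 Entering Passive Mode (192,0,2,10,200,1)",      # port 200*256+1 = 51201
    "150 Opening BINARY mode data connection for 'ports.tar.gz'.",
    "426 Connection closed; transfer aborted.",
    "221 Goodbye.",
]

if __name__ == "__main__":
    for cmd in pasv_rules("192.0.2.10", "203.0.113.5", SAMPLE_REPLIES):
        print(cmd)
    print("ports left open by 'to ${ip} 49152-65535':",
          ports_in_range(49152, 65535))
```

The output is the command list, not a live ruleset change: a real helper would run these with the privileges needed to modify ipfw, take the client address from the control connection's socket rather than a parameter, and still need the ordinary ipfw rule allowing the control connection to port 21. `ipfw delete N` removes every rule numbered N, which is why each transfer gets its own rule number here.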