Date:      Mon, 12 Mar 2001 18:58:13 -0600
From:      David Kelly <dkelly@hiwaay.net>
To:        "Magdalinin Kirill" <bsdforumen@hotmail.com>
Cc:        kstewart@urx.com, freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw rules for incoming passive mode ftp connections 
Message-ID:  <200103130058.f2D0wDe06731@grumpy.dyndns.org>
In-Reply-To: Message from "Magdalinin Kirill" <bsdforumen@hotmail.com>  of "Mon, 12 Mar 2001 14:15:21 +0300." <F293P2tb3OrLz69wVn300005c8f@hotmail.com> 

"Magdalinin Kirill" writes:
> Thanks, Kent. I added
> 
> # This is for passive mode connections
> ${fwcmd} add pass tcp from any 1024-65535 to ${ip} 49152-65535 setup
> 
> to the rule set and it seems to work fine. Actually, 1024-65535
> can be trimmed because ftp clients tend to use ports from 34???
> to ????? for passive mode connections. But I am short on time
> to find out the actual range.

If things are to be opened that wide, then what is the point in running 
ipfw at all? No reply expected as this is more of a rhetorical question.

This is an example of where the expensive commercial firewalls shine as
a good one is smart enough to know ftp and see the exchange specifying
the expected incoming ftp data connection to open it for the duration
and close on completion. Seems like something that would be very doable
in ipfirewall with a small simple helper application. Suspect that is
exactly what the authors had in mind with ipfirewall(4) and
#include <netinet/ip_fw.h>


--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
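An added illustration, not code from this thread, of what the "small simple helper application" above would have to do: read the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, check the endpoint it advertises, and emit a one-port version of the rule Kent suggested instead of opening 49152-65535 permanently. The server address, the allowed passive port range and the `fwcmd` path are assumed inputs; the `192.0.2.x` addresses are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Server reply that names the data endpoint: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def parse_pasv_reply(line: str) -> DataEndpoint:
    """Decode the h1-h4,p1,p2 tuple of a 227 reply into an address and port."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in PASV address tuple")
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return DataEndpoint(".".join(map(str, octets[:4])), port)


def reject_reason(ep: DataEndpoint, server_ip: str,
                  allowed=(49152, 65535)) -> Optional[str]:
    """Why a helper should refuse to open a hole for this endpoint, or None.

    The advertised host must be the server that sent the reply, and the port
    must lie in the range the server is configured to hand out (assumed here)."""
    if ep.host != server_ip:
        return "host %s is not the server %s" % (ep.host, server_ip)
    if not allowed[0] <= ep.port <= allowed[1]:
        return "port %d outside allowed data range %d-%d" % (ep.port, *allowed)
    return None


def passive_data_rule(fwcmd: str, server_ip: str, reply: str) -> str:
    """Turn one 227 reply into a single-port version of the rule from the list."""
    ep = parse_pasv_reply(reply)
    why = reject_reason(ep, server_ip)
    if why:
        raise ValueError(why)
    return "%s add pass tcp from any 1024-65535 to %s %d setup" % (
        fwcmd, server_ip, ep.port)
```

The rule a real helper installs should also be deleted once the data connection closes, which is the "open it for the duration" half of the idea.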


