From owner-freebsd-questions Mon Mar 12 17:51:50 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 6A64A37B719 for ; Mon, 12 Mar 2001 17:51:41 -0800 (PST) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id MAA90237; Tue, 13 Mar 2001 12:51:40 +1100 (EST)
Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id MAA15026; Tue, 13 Mar 2001 12:51:40 +1100 (EST)
Message-Id: <200103130151.MAA15026@tungsten.austclear.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: David Kelly
Cc: "Magdalinin Kirill" , kstewart@urx.com, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules for incoming passive mode ftp connections
In-Reply-To: Message from David Kelly of "Mon, 12 Mar 2001 18:58:13 MDT." <200103130058.f2D0wDe06731@grumpy.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 13 Mar 2001 12:51:39 +1100
From: Tony Landells
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

dkelly@hiwaay.net said:
> If things are to be opened that wide, then what is the point in
> running ipfw at all? No reply expected as this is more of a
> rhetorical question. Everybody knows FTP is a crock, and this is why.
> This is an example of where the expensive commercial firewalls shine
> as a good one is smart enough to know ftp and see the exchange
> specifying the expected incoming ftp data connection to open it for
> the duration and close on completion. Seems like something that would
> be very doable in ipfirewall with a small simple helper application.
> Suspect that is exactly what the authors had in mind with
> ipfirewall(4) and #include

The other option is to have something in ipfw similar to the "keep state"
stuff but where you can specify a template for the dynamic rules using
variables to refer to the source and destination IPs (and maybe port
numbers).

Tony
--
Tony Landells
Senior Network Engineer
Australian Clearing Services Pty Ltd
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
Ph:  +61 3 9677 9319
Fax: +61 3 9677 9355

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
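The "small simple helper application" David describes, watching the control channel and opening the data port only for the connection the server just announced, sketched as an added example; this is not code from the thread, from ipfw or from any FreeBSD utility. It assumes the FreeBSD box is the FTP server (the case the subject line asks about), that the helper can see the server's 227/229 replies, and that it emits ipfw commands rather than running them; the control-channel lines and the client/server addresses are constructed for the illustration. The check that matters for a firewall helper is that the address in the PASV reply is the server we are actually talking to, so a reply (or an injected reply) can never open a hole towards some other host.

```python
import re
from dataclasses import dataclass

# Constructed sample of server replies on the FTP control channel.
# Only the 227 (PASV) and 229 (EPSV) replies matter here; the rest is ignored.
SAMPLE_CONTROL_LINES = [
    "220 ftp.example.net FTP server ready.",
    "230 User anonymous logged in.",
    "227 Entering Passive Mode (192,0,2,10,195,89).",
    "150 Opening BINARY mode data connection.",
    "226 Transfer complete.",
    "229 Entering Extended Passive Mode (|||50010|).",
]

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); RFC 2428 EPSV reply: 229 ... (|||port|)
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def parse_passive_reply(line, server_ip):
    """Return the data endpoint announced by a 227/229 reply, or None for any other line.

    Raises ValueError when the reply is malformed, advertises an address other than
    the control-channel peer, or names a privileged/invalid port. A firewall helper
    must never open a rule towards an address chosen by the far end of the session.
    """
    m = PASV_RE.match(line)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError(f"bad PASV tuple: {line!r}")
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
    else:
        m = EPSV_RE.match(line)
        if not m:
            return None
        host = server_ip  # EPSV carries no address: the data port is on the control peer
        port = int(m.group(1))
    if host != server_ip:
        raise ValueError(f"PASV address {host} differs from control peer {server_ip}")
    if not 1024 <= port <= 65535:
        raise ValueError(f"refusing to open privileged or invalid port {port}")
    return DataEndpoint(host, port)


def reply_is_rejected(line, server_ip):
    """True when the helper would refuse to act on this reply."""
    try:
        parse_passive_reply(line, server_ip)
    except ValueError:
        return True
    return False


def ipfw_open_rule(rule_no, client_ip, ep):
    # One rule per transfer, restricted to the client that issued PASV.
    # 'setup keep-state' admits only the client's SYN and then tracks that one
    # connection as a dynamic rule until it closes or times out.
    return (f"ipfw add {rule_no} allow tcp from {client_ip} to {ep.host} {ep.port} "
            f"in setup keep-state")


def rules_for_session(lines, client_ip, server_ip, base_rule=10000):
    """Walk the control channel and return the ipfw commands a helper would issue."""
    rules = []
    for line in lines:
        ep = parse_passive_reply(line, server_ip)
        if ep is not None:
            rules.append(ipfw_open_rule(base_rule + len(rules), client_ip, ep))
    return rules


if __name__ == "__main__":
    for rule in rules_for_session(SAMPLE_CONTROL_LINES, "198.51.100.20", "192.0.2.10"):
        print(rule)
```

The generated rules only do anything if the ruleset also contains a `check-state` rule ahead of them, and a real helper would have to delete each numbered rule again once the transfer finishes or the control connection goes away, which is exactly the bookkeeping that a template-driven "keep state" variant, as suggested in the reply above, would push into the kernel.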