From owner-freebsd-pf@FreeBSD.ORG Fri May 18 08:57:12 2007
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9D68616A401 for ; Fri, 18 May 2007 08:57:12 +0000 (UTC) (envelope-from volker@vwsoft.com)
Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 5FABE13C457 for ; Fri, 18 May 2007 08:57:11 +0000 (UTC) (envelope-from volker@vwsoft.com)
Received: from mail.vtec.ipme.de (Q7d72.q.ppp-pool.de [89.53.125.114]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 0184D128829 for ; Fri, 18 May 2007 10:57:04 +0200 (CEST)
Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 8553F3F4E8; Fri, 18 May 2007 10:56:40 +0200 (CEST)
Message-ID: <464D6A47.10706@vwsoft.com>
Date: Fri, 18 May 2007 10:56:39 +0200
From: Volker
User-Agent: Thunderbird 2.0.0.0 (X11/20070420)
MIME-Version: 1.0
To: dmehler26@woh.rr.com
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-VWSoft-MailScanner: Found to be clean
X-MailScanner-From: volker@vwsoft.com
X-ipactive-MailScanner-Information: Please contact the ISP for more information
X-ipactive-MailScanner: Found to be clean
X-ipactive-MailScanner-From: volker@vwsoft.com
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp, pf, passive ftp and fetch
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Fri, 18 May 2007 08:57:12 -0000

> I'm trying to get ftp working from behind a pf firewall. I'm using pftpx
> on FreeBSD 6.2 for this. I believe I have passive working; one of my windows
> boxes goes passive and dies on active. I've got three questions. First,
> portupgrade uses fetch for retrieval, correct? If so I want it to use the -p
> (passive option) by default whenever it tries an ftp url. Second, ncftp: I'd
> like to specify that it should use passive mode connections by default as
> well. Last, is active or passive ftp better in terms of security strictly
> from a firewall perspective? I know the protocol isn't secure. If active ftp
> is better than passive, does anyone have a ruleset with it? I'm using a block
> by default ruleset.

Dave,

Greg already gave you some good answers, which I will not repeat.

The question about passive / active being more secure is nonsense.

I'm still using ftp-proxy and I think it should be easily (and cleverly) possible to drive active ftp through pf. As ftp-proxy is running as user 'proxy', I'm using a rule similar to:

pass in log quick on $ext_if from any to ($ext_if) user "proxy" flags "S/SA" keep state

in my ruleset (just made it that way last week). I still haven't checked active ftp out but I think this will also work for active ftp connections. You just need to also pass traffic in on $int_if for port 8021 (or whatever port your ftp proxy is listening on) and traffic out on $ext_if to port 21.

HTH
Volker
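A block-by-default pf.conf fragment that puts the reply's socket-owner rule together with the two passes it says are still needed (in on $int_if to the proxy port, out on $ext_if to port 21). This is an added example, not Volker's ruleset or anything shipped with ftp-proxy/pftpx; the interface names em0/em1, the use of `$int_if:network` for the client subnet, and a proxy listening on 127.0.0.1 port 8021 as user "proxy" are assumptions.

```pf
# Added example (not from the message). Assumptions: em0 is the external
# interface, em1 the internal one, and ftp-proxy (or pftpx) listens on
# 127.0.0.1 port 8021 and runs as user "proxy".
ext_if = "em0"
int_if = "em1"
proxy_port = "8021"

set skip on lo0

# Block-by-default policy, as in the original question.
block log all

# Redirect FTP control connections from internal clients to the local proxy.
rdr on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port $proxy_port

# Let the redirected control connection reach the proxy ("pass traffic in on
# $int_if for port 8021"). Filtering sees the translated destination.
pass in quick on $int_if proto tcp from $int_if:network to 127.0.0.1 port $proxy_port flags S/SA keep state

# The proxy's own control connection to the FTP server ("traffic out on
# $ext_if to port 21").
pass out quick on $ext_if proto tcp from ($ext_if) to any port 21 user proxy flags S/SA keep state

# Passive mode: the proxy opens the data connection to whatever port the
# server announced. Matching on the socket owner avoids opening a port range.
pass out quick on $ext_if proto tcp from ($ext_if) to any user proxy flags S/SA keep state

# Active mode: the server connects back to a socket the proxy is listening on.
# This is the reply's rule, with the protocol made explicit.
pass in log quick on $ext_if proto tcp from any to ($ext_if) user proxy flags S/SA keep state
```

The `user` criterion only matches sockets that terminate on the firewall itself, which is why it works here (the proxy owns both ends facing the server) and why no inbound or outbound port range has to be opened for the NAT'd clients. Check the file with `pfctl -nf /etc/pf.conf` before loading it, and compare the `log` hits on the last rule against the proxy's own log to confirm that only data connections matching an active-mode transfer are being accepted.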