From: Scott Lambert
To: freebsd-stable@FreeBSD.ORG
Date: Sat, 20 Jul 2002 01:35:59 -0400
Subject: Re: Enabling passive FTP on FreeBSD 4.5?
Message-ID: <20020720053558.GA3487@laptop.lambertfam.org>
In-Reply-To: <20020719122614.O21507@staff.msen.com>

On Fri, Jul 19, 2002 at 12:26:14PM -0400, Michael R. Wayne wrote:
> Having recently fought IPFW on this, and having a hard time finding
> actual firewall rules to make FTP work right on a server that
> provides FTP access to the world, here is what we ended up with
> which appears to properly permit active and passive FTP.
>
> # FTP/ftp
> $fwcmd add 12501 pass tcp from any to ${ip} 20 setup # FTP-data
> $fwcmd add 12505 pass tcp from any to ${ip} 21 setup keep-state
> $fwcmd add 12507 pass tcp from any to ${ip} 49152-65535 setup # Passive FTP
>
> Watching the logs, people are managing to successfully ftp regularly.
>
> Yes, it's a hole. No, we don't like that last rule as someone
> could remotely spawn a shell on one of those ports. But we see no
> way around it as ftp access is a required service for the machine.

Doesn't ipf with ipnat have the ability to watch the FTP control channel
and figure out when and what port to allow through for a passive FTP data
channel? It's been a while since I looked at this so I could be smoking
crack.

-- 
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org
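What the control-channel-aware proxy Scott asks about actually does, as an added example that is not from either post: it reads the server's 227 reply to PASV and admits only that client, to only that one port, instead of rule 12507's blanket 49152-65535 range. The rule number, the client/server addresses and the sample reply are constructed here; the passive range defaults to the one rule 12507 opens.

```python
import re

# Constructed sample of the 227 reply an ftpd sends on the control channel
# (port 21) after a client asks for passive mode: four address octets, then
# the data port split as p1*256 + p2.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,200,150)\r\n"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed: every field is a single byte
    port = p1 * 256 + p2
    if port == 0:
        return None
    return (f"{h1}.{h2}.{h3}.{h4}", port)

def dynamic_rule(reply, client_ip, server_ip, rule_no=12506,
                 passive_range=(49152, 65535)):
    """Emit the one ipfw rule a proxy would add for this single transfer.

    The rule admits only the client that issued PASV, only to the announced
    port, only on the server owning the control channel.  Returns None when
    the reply is not a 227, announces an address other than the server's, or
    names a port outside the server's configured passive range: a proxy must
    not open a hole on the strength of an inconsistent reply.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    announced_ip, port = parsed
    if announced_ip != server_ip:
        return None
    lo, hi = passive_range
    if not lo <= port <= hi:
        return None
    return (f"ipfw add {rule_no} pass tcp from {client_ip} "
            f"to {server_ip} {port} setup keep-state")

if __name__ == "__main__":
    print(dynamic_rule(SAMPLE_PASV_REPLY, "198.51.100.7", "192.0.2.10"))
```

A real proxy would also tear the rule down once the data connection is established or times out; here keep-state leaves that to ipfw's dynamic rule expiry.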