From owner-freebsd-questions Mon Mar 12 19:59:48 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from level3.dynacom.net (level3.dynacom.net [206.107.213.213]) by hub.freebsd.org (Postfix) with SMTP id 571A737B71B for ; Mon, 12 Mar 2001 19:59:43 -0800 (PST) (envelope-from kstewart@urx.com)
Received: (qmail 8658 invoked by uid 0); 13 Mar 2001 03:59:42 -0000
Received: from unknown (HELO urx.com) (206.159.132.160) by mail.urx.com with SMTP; 13 Mar 2001 03:59:42 -0000
Message-ID: <3AAD9B2E.E755010B@urx.com>
Date: Mon, 12 Mar 2001 19:59:42 -0800
From: Kent Stewart
Reply-To: kstewart@urx.com
Organization: Dynacom
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: David Kelly
Cc: Tony Landells , Magdalinin Kirill , freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules for incoming passive mode ftp connections
References: <200103130349.f2D3nLe08422@grumpy.dyndns.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

David Kelly wrote:
> 
> Tony Landells writes:
> > dkelly@hiwaay.net said:
> > > This is an example of where the expensive commercial firewalls shine
> > > as a good one is smart enough to know ftp and see the exchange
> > > specifying the expected incoming ftp data connection to open it for
> > > the duration and close on completion. Seems like something that would
> > > be very doable in ipfirewall with a small simple helper application.
> > > Suspect that is exactly what the authors had in mind with
> > > ipfirewall(4) and #include
> > 
> > The other option is to have something in ipfw similar to the
> > "keep state" stuff but where you can specify a template for
> > the dynamic rules using variables to refer to the source and
> > destination IPs (and maybe port numbers).
> 
> That's along the lines of what I was thinking. The problem is "incoming
> passive ftp". So ftpd has just told the remote client what port to
> connect back for the data? If ftpd is running as root then it could
> insert a dynamic state rule into ipfirewall which would disappear when
> the connection is dropped.
> 
> Rather than hack on ftpd one could write a daemon to watch all outgoing
> traffic on port 21 (divert sockets?) and insert the dynamic rule based
> on the observed ftp exchange. This solution would work for an ipfw
> gateway where the ftp server was not on the same host.

If you have a passive ftpd setup, how do you control what port something
like a Windows ftp client can use with ipfw? The range I am seeing is way
beyond what is suggested, and you know that people are going to blame the
FreeBSD ftp server when they get the terrible response that produces.

Kent

> 
> -- 
> David Kelly N4HHE, dkelly@hiwaay.net
> =====================================================================
> The human mind ordinarily operates at only ten percent of its
> capacity -- the rest is overhead for the operating system.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Kent Stewart
Richland, WA
mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
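Added example, not part of the thread and not code from ipfw or FreeBSD's ftpd. It sketches the core of the helper David Kelly describes (a watcher on the server side of the port 21 control channel that opens the firewall only for the data port ftpd just advertised) and, for Kent's question, checks that advertised port against a fixed window before anything is opened. The divert-socket plumbing and the root privilege needed to actually run ipfw are left out; the functions only parse 227 replies and return the ipfw command text. The control-channel lines, addresses and rule numbers are constructed for the example. The default window matches FreeBSD's default high port range (net.inet.ip.portrange.hifirst/hilast); the base system ftpd binds its passive data sockets in that range, so narrowing those sysctls on the ftpd host is the lever that limits what any client, Windows included, can be told to connect to, and the firewall can then admit only that window. Check the values on your own host before relying on them.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r'^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)'
)

# Assumed allowed data-port window: FreeBSD's default high port range
# (sysctl net.inet.ip.portrange.hifirst / hilast). Verify on the ftpd host.
DEFAULT_RANGE = (49152, 65535)


def parse_pasv(line):
    """Return (advertised_ip, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed reply; refuse rather than guess
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def ipfw_rule_for(reply, server_ip, client_ip, rule_number, allowed=DEFAULT_RANGE):
    """Build the ipfw command admitting one client to one advertised data port.

    server_ip and client_ip are the endpoints of the control connection the
    reply was observed on. The address inside the reply is deliberately not
    used as the destination: a reply naming a different host is either a NAT
    artefact or an attempt to make the firewall open a port on a third party,
    and both are refused.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    advertised_ip, port = parsed
    if advertised_ip != server_ip:
        return None
    lo, hi = allowed
    if not lo <= port <= hi:
        return None  # outside the window ftpd is configured for: do not open it
    # 'setup' matches only the SYN; 'keep-state' turns that single match into a
    # dynamic rule that follows the data connection and expires with it.
    return (
        f"ipfw add {rule_number} allow tcp from {client_ip} "
        f"to {server_ip} {port} in setup keep-state"
    )


def rules_from_control_log(lines, server_ip, client_ip, first_rule=1000, allowed=DEFAULT_RANGE):
    """Feed every server->client control line through ipfw_rule_for, numbering rules in order."""
    rules = []
    for line in lines:
        rule = ipfw_rule_for(line, server_ip, client_ip, first_rule + len(rules), allowed)
        if rule is not None:
            rules.append(rule)
    return rules


# Constructed sample of what the watcher would see on the server's side of a session.
SAMPLE_CONTROL_LINES = [
    "220 ftp.example.org FTP server ready.",
    "230 User anonymous logged in.",
    "227 Entering Passive Mode (192,168,1,10,195,80)",  # port 50000, inside the window
    "227 Entering Passive Mode (192,168,1,10,4,1)",     # port 1025, outside the window
    "227 Entering Passive Mode (10,9,9,9,195,81)",      # names another host: refused
]

if __name__ == "__main__":
    for rule in rules_from_control_log(SAMPLE_CONTROL_LINES, "192.168.1.10", "203.0.113.7"):
        print(rule)
```

Run stand-alone it emits exactly one rule, for port 50000; the reply advertising 1025 and the one naming 10.9.9.9 are dropped before any command is built. A real daemon would feed lines from the divert socket (or from a sniffed copy of the control channel) into rules_from_control_log and hand the strings to ipfw, and would rely on ipfw's dynamic-rule lifetime rather than its own bookkeeping to close the port when the transfer ends.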