From: bsd@perimeter.co.za
To: Andrew Thomson
cc: freebsd-questions@freebsd.org
Date: Tue, 17 Jun 2003 14:36:51 +0200
Subject: Re: restrictive ipfw ruleset and ftp
In-Reply-To: <20030617121346.GA80594@athomson.prv.au.itouchnet.net>

Andrew Thomson writes:

> Any suggestions would be great.
>
> I have a restrictive ipfw ruleset that works great. It only allows
> incoming connections that I allow and outgoing connections I allow. I have
> a list of ports that I let my users go out on: 80, 22, 143, 443 etc.
>
> All the stuff they might need to do.
>
> How can I handle passive FTP though?
>
> I can let 21 out, but when the remote FTP server says "use this x high
> port", I block that because it's not in my list. So what can I do to get
> around this?
>
> Not totally familiar with it, but is this what fw_punch is for within
> nat??
Personally, I have a pair of rules something similar to the following:

    ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup in via ${iif}
    ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup out via ${oif}

This is quite wide, but ensures that only outbound connections on the high
port numbers are permitted, both on the source and the destination ends of
the connection.

Perhaps some real experts will give you a more definitive answer...

Patrick.
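An added example, not part of the thread: a small sh script that prints the two high-port rules from the reply above with constructed network and interface values, and models which TCP SYNs they match, so it is visible why the passive data connection gets through while the port 21 control channel and an active-mode data connection from port 20 still depend on other rules. The matcher ignores the interface qualifiers and the rest of the ruleset; the 192.168.1.0/24 network and fxp0/fxp1 names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit the reply's two high-port rules
# for review and model which TCP SYNs they match.  The network, mask and
# interface names are constructed placeholders; substitute your own.
inet=192.168.1.0
imask=255.255.255.0
iif=fxp0    # inside interface (constructed)
oif=fxp1    # outside interface (constructed)

# Print the two rules, numbered n and n+1, instead of loading them, so the
# ruleset can be inspected before it goes live.
passive_ftp_rules() {
    n=$1
    printf 'ipfw add %s allow tcp from %s:%s 1024-65535 to any 1024-65535 setup in via %s\n' \
        "$n" "$inet" "$imask" "$iif"
    printf 'ipfw add %s allow tcp from %s:%s 1024-65535 to any 1024-65535 setup out via %s\n' \
        "$((n + 1))" "$inet" "$imask" "$oif"
}

# Simplified matcher for those rules: "setup" means only the SYN of a new
# connection is considered, "from ${inet}" means the source must be inside,
# and both ports must fall in 1024-65535.  Prints "allow" when the rule
# would pass the SYN and "nomatch" when a later rule decides (in a
# restrictive ruleset, usually the deny at the end).
high_port_setup_matches() {
    src_internal=$1; sport=$2; dport=$3
    if [ "$src_internal" = yes ] &&
       [ "$sport" -ge 1024 ] && [ "$sport" -le 65535 ] &&
       [ "$dport" -ge 1024 ] && [ "$dport" -le 65535 ]; then
        echo allow
    else
        echo nomatch
    fi
}

# Walk the FTP cases the question raises.
passive_ftp_rules 300
echo "passive data, inside 51000 -> server 40000: $(high_port_setup_matches yes 51000 40000)"
echo "control channel, inside 51000 -> server 21:  $(high_port_setup_matches yes 51000 21)"
echo "active data, server 20 -> inside 51000:      $(high_port_setup_matches no 20 51000)"
```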