Date: Tue, 17 Jun 2003 09:54:17 -0400
From: "FBSD_User" <FBSD_User@a1poweruser.com>
To: "Bill Moran" <wmoran@potentialtech.com>, "Andrew Thomson" <ajthomson@optushome.com.au>
Cc: freebsd-questions@freebsd.org
Subject: RE: restrictive ipfw ruleset and ftp
Message-ID: <MIEPLLIBMLEEABPDBIEGEEIPDPAA.FBSD_User@a1poweruser.com>
In-Reply-To: <20030617060826-165600041>
Read man info carefully. The fw_punch IPFW command opens up more things than just FTP. There is no way to activate just the FTP part. The other things become a security problem. The fw_punch command is a very poorly designed command and should have never been allowed into IPFW as it currently is. User beware. Best solution is to make and publish to all users of your environment that passive FTP is the only FTP method allowed to be used per security, and be done with it.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Bill Moran
Sent: Tuesday, June 17, 2003 9:08 AM
To: Andrew Thomson
Cc: freebsd-questions@freebsd.org
Subject: Re: restrictive ipfw ruleset and ftp

Andrew Thomson wrote:
> any suggestions would be great.
>
> i have a restrictive ipfw ruleset that works great.. it only allows
> incoming connections that i allow and outgoing connections allow. i have
> a list of ports that i let my users go out on: 80, 22, 143, 443 etc
> etc..
>
> All the stuff they might need to do.
>
> how can i handle passive ftp though?
>
> i can let 21 out, but when the remote ftp server says use this x high
> port.. i block that because it's not in my list. so what can i do to get
> around this..
>
> not totally familiar with it, but is this what fw_punch is for within
> nat??

That's what it's designed for. I've never used it so I can't verify how well it works.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
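The mechanism the thread argues about, shown as an added, self-contained model rather than as ipfw or natd code: a static outbound port list cannot admit the data port a server announces in its PASV (227) reply, and the narrowly scoped alternative to a broad punch is to open one hole per data connection, tied to the client, the server the control channel already talks to, and the announced port. Port list, client address and the 227 reply are constructed sample values, not taken from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the question's outbound allow list (80, 22, 143, 443) plus 21 for
# the FTP control channel, and a PASV reply a hypothetical server might send.
ALLOWED_OUT_PORTS = {21, 22, 80, 143, 443}
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"  # constructed

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced in an FTP 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class OutboundPolicy:
    """Minimal model of an 'allow only listed destination ports' outbound ruleset."""
    allowed_ports: set
    # Dynamic pinholes keyed by (client_ip, server_ip, server_port): each one admits
    # exactly one data connection, unlike a blanket rule for all high ports.
    pinholes: set = field(default_factory=set)

    def permits(self, client_ip, server_ip, server_port):
        return (server_port in self.allowed_ports
                or (client_ip, server_ip, server_port) in self.pinholes)

    def punch_for_pasv(self, client_ip, control_server_ip, reply):
        """Open one hole for the data port announced on the control channel."""
        parsed = parse_pasv(reply)
        if parsed is None:
            return None
        data_ip, data_port = parsed
        # Only honour a reply that points back at the server the control
        # connection is with and at an unprivileged port; anything else is
        # ignored so a bogus 227 cannot open holes towards third parties.
        if data_ip != control_server_ip or not 1024 <= data_port <= 65535:
            return None
        self.pinholes.add((client_ip, data_ip, data_port))
        return data_ip, data_port
```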