From: "FBSD_User"
To: "Bill Moran", "Andrew Thomson"
Cc: freebsd-questions@freebsd.org
Date: Tue, 17 Jun 2003 09:54:17 -0400
Subject: RE: restrictive ipfw ruleset and ftp

Read man info carefully. The fw_punch IPFW command opens up more things than just FTP. There is no way to activate just the FTP part. The other things become a security problem. The fw_punch command is a very poorly designed command and should never have been allowed into IPFW as it currently is. User beware. The best solution is to make and publish to all users of your environment that passive FTP is the only FTP method allowed to be used per security, and be done with it.
-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Bill Moran
Sent: Tuesday, June 17, 2003 9:08 AM
To: Andrew Thomson
Cc: freebsd-questions@freebsd.org
Subject: Re: restrictive ipfw ruleset and ftp

Andrew Thomson wrote:
> any suggestions would be great.
>
> i have a restrictive ipfw ruleset that works great.. it only allows
> incoming connections that i allow and outgoing connections allow. i have
> a list of ports that i let my users go out on: 80, 22, 143, 443 etc
> etc..
>
> All the stuff they might need to do.
>
> how can i handle passive ftp though?
>
> i can let 21 out, but when the remote ftp server says use this x high
> port.. i block that because it's not in my list. so what can i do to get
> around this..
>
> not totally familiar with it, but is this what fw_punch is for within
> nat??

That's what it's designed for. I've never used it so I can't verify how well it works.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
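An added example, not code from anyone in this thread: a restrictive outbound ipfw ruleset of the kind Andrew describes, with the passive-FTP-only allowance the reply recommends. It assumes ipfw2 stateful rules (check-state/keep-state), that the firewall host's own addresses match `me`, and the user port list quoted above; rule numbers and the DRY_RUN switch are this example's own choices.

```shell
#!/bin/sh
# Restrictive outbound ipfw ruleset that admits passive FTP: the client
# opens the control channel to port 21, then a second connection to the
# high port the server names in its PASV reply. Nothing inbound is opened.
# Assumptions: ipfw2 stateful rules, "me" = this host's addresses, and the
# user port list from the thread. Example code, not the thread's own.

# Print each rule instead of installing it unless DRY_RUN=0 is set.
rule() {
    if [ "${DRY_RUN:-1}" = 0 ]; then
        ipfw add "$@"
    else
        printf 'ipfw add %s\n' "$*"
    fi
}

# Outbound destination ports users may open directly (from the question).
USER_PORTS="22,80,143,443"

passive_ftp_ruleset() {
    # 1. Packets belonging to connections we opened match dynamic state.
    rule 100 check-state
    # 2. The explicitly allowed services.
    rule 200 allow tcp from me to any "$USER_PORTS" out setup keep-state
    # 3. FTP control channel.
    rule 300 allow tcp from me to any 21 out setup keep-state
    # 4. Passive FTP data channel. The remote server picks the port, so the
    #    whole ephemeral range must be reachable outbound. That is the cost
    #    of "passive only": no inbound hole, but a wide outbound allowance,
    #    so log it and review the log.
    rule 400 allow log tcp from me to any 1024-65535 out setup keep-state
    # 5. Everything else, either direction, is dropped and logged.
    rule 65000 deny log ip from any to any
}

# Number of rules that create dynamic state; useful when auditing the set.
stateful_rule_count() {
    passive_ftp_ruleset | grep -c 'keep-state'
}

passive_ftp_ruleset
```

Run it as-is to review the generated rules; set DRY_RUN=0 (after an `ipfw -q flush` of your choosing) to install them.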