Date: Wed, 21 Jun 2000 14:52:55 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Jennifer Ulrich <pixie_styxx@hotmail.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: allowing passive ftp through ipfw
Message-ID: <20000621145255.I214@dialin-client.earthlink.net>
In-Reply-To: <20000621205009.74341.qmail@hotmail.com>; from pixie_styxx@hotmail.com on Wed, Jun 21, 2000 at 04:50:09PM -0400
References: <20000621205009.74341.qmail@hotmail.com>
On Wed, Jun 21, 2000 at 04:50:09PM -0400, Jennifer Ulrich wrote:
> Hello all!
>
> I have a FreeBSD 3.4 box which runs ipfw, that is firewalling for a publicly
> reachable lan of servers, including FTP servers. When I set up the machine,
> I made the FTP servers reachable by adding a rule for:
>
>   ipfw add 1400 pass all from x.x.x.x/x to any
>   ipfw add 2300 pass tcp from any to x.x.x.x 21
>
> (x.x.x.x 21 being the address of the ftp server and a default rule allowing
> anything from my internal lan out through the firewall)
>
> I initially had some problems with clients on the lan not being able to
> establish FTP connections outbound, so I added this rule:
>
>   ipfw 2300 pass tcp from any to x.x.x.x/x established

[snip]

> So how do I get passive FTP to work? I certainly would rather not punch a
> hole in the firewall to allow all traffic destined to the higher ports
> through to my FTP server.

Having a rule like,

  ipfw add 2350 pass tcp from any 20 to x.x.x.x port_high1-port_high2

is not really too much of a risk (I don't remember what the range of valid
ports is). Make sure you don't have anything you are not comfortable with
listening in that range. The rule to allow the initial ftp connection is
much, much more risky than the above.

> Is there another way to accomplish this that is
> a bit more secure?

Actually, this would be a good place for keep-state to work. I'm kinda
surprised that no one has added a keep-state method for FTP. It'd just be,

  ipfw add 2350 pass tcp from any to x.x.x.x 21 setup keep-state ftp

Right? Creating a dynamic rule that passes traffic from 20 to x.x.x.x. From
how I understand keep-state to work (and it is minimal, sorry), it should
not be too difficult to do?
--
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
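Added example, not part of the thread above: a toy first-match evaluator for ipfw-style rules that lets you check which FTP flows a candidate ruleset admits before touching the real firewall. It renders each rule in ipfw command syntax, evaluates sample connections in rule-number order with a minimal dynamic table for "keep-state", and runs two rulesets side by side: one with only the port-20 data rule from the message, and one that adds a rule for the case where the client opens the data connection itself (passive mode per RFC 959: the client connects from an ephemeral port to the high port the server advertised in its PASV reply). The server address, the client addresses and the 49152-49200 passive range are constructed placeholders; a real deployment uses whatever range the FTP daemon is configured to hand out, and an ipfw version that supports "keep-state" is assumed.

```python
# Added example (not from the freebsd-ipfw thread): a toy first-match evaluator
# for ipfw-style rules, used to see which FTP flows a given ruleset admits.
# Addresses and the passive port range below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional, Tuple

FTP_SERVER = "192.0.2.10"            # constructed: the firewalled FTP server
PASV_RANGE = (49152, 49200)          # constructed: range the ftpd is assumed to use for PASV


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    setup: bool = False              # True for the SYN that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "pass" or "deny"
    proto: str                       # "tcp", "udp" or "all"
    src: str                         # "any" or a single address
    sports: Optional[Tuple[int, int]]
    dst: str
    dports: Optional[Tuple[int, int]]
    setup: bool = False              # match only connection-opening packets
    keep_state: bool = False         # admit the rest of the flow via a dynamic entry

    def as_ipfw(self) -> str:
        """Render the rule in ipfw command syntax (single port or low-high range)."""
        def ports(rng):
            if rng is None:
                return ""
            return f" {rng[0]}" if rng[0] == rng[1] else f" {rng[0]}-{rng[1]}"
        s = (f"ipfw add {self.number} {self.action} {self.proto} "
             f"from {self.src}{ports(self.sports)} to {self.dst}{ports(self.dports)}")
        if self.setup:
            s += " setup"
        if self.keep_state:
            s += " keep-state"
        return s


def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def _addr_ok(addr, pat):
    return pat == "any" or addr == pat


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(pkt.src, rule.src) and _addr_ok(pkt.dst, rule.dst)):
        return False
    if not (_in_range(pkt.sport, rule.sports) and _in_range(pkt.dport, rule.dports)):
        return False
    return pkt.setup or not rule.setup   # "setup" rules only see connection-opening packets


class Firewall:
    """First-match evaluation with a minimal dynamic (keep-state) table."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()         # 5-tuples of flows admitted by keep-state rules

    def check(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.dynamic or rev in self.dynamic:
            return "pass (dynamic)"  # later packets of a tracked flow, either direction
        for r in self.rules:
            if rule_matches(r, pkt):
                if r.action == "pass" and r.keep_state:
                    self.dynamic.add(fwd)
                return f"{r.action} (rule {r.number})"
        return "deny (default)"


def build_ruleset(include_pasv_rule: bool):
    rules = [
        Rule(1400, "pass", "all", FTP_SERVER, None, "any", None),      # server may talk out
        Rule(2300, "pass", "tcp", "any", None, FTP_SERVER, (21, 21), setup=True, keep_state=True),
        # the data rule from the message: connections arriving from source port 20
        Rule(2350, "pass", "tcp", "any", (20, 20), FTP_SERVER, PASV_RANGE),
        Rule(65535, "deny", "all", "any", None, "any", None),          # default deny
    ]
    if include_pasv_rule:
        # assumed addition: PASV data connections come from a client ephemeral port
        rules.append(Rule(2360, "pass", "tcp", "any", None, FTP_SERVER, PASV_RANGE,
                          setup=True, keep_state=True))
    return rules


def evaluate_ftp_flows(include_pasv_rule: bool) -> dict:
    """Run constructed sample connections through the ruleset, in order."""
    fw = Firewall(build_ruleset(include_pasv_rule))
    client, stranger = "198.51.100.7", "203.0.113.9"                 # constructed hosts
    flows = {
        "control_open": Packet("tcp", client, 51000, FTP_SERVER, 21, setup=True),
        "control_reply": Packet("tcp", FTP_SERVER, 21, client, 51000),
        "pasv_data_open": Packet("tcp", client, 51001, FTP_SERVER, 49160, setup=True),
        "active_from_port20": Packet("tcp", stranger, 20, FTP_SERVER, 49160, setup=True),
        "other_high_port": Packet("tcp", stranger, 40000, FTP_SERVER, 8080, setup=True),
    }
    return {name: fw.check(pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for r in build_ruleset(True):
        print(r.as_ipfw())
    for name, verdict in evaluate_ftp_flows(True).items():
        print(f"{name:20s} {verdict}")
```

Running it shows the control connection admitted by rule 2300 with its reply covered by the dynamic entry, the port-20 rule matching only data connections whose source port is 20, the PASV data connection admitted only when rule 2360 is present, and a connection to a high port outside the configured range still hitting the default deny in both rulesets. The evaluator is deliberately simple (single addresses rather than prefixes, no timeouts on dynamic entries) and is a way to reason about a ruleset, not a substitute for testing it on the box.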