Date:      Thu, 25 Oct 2001 14:51:58 +0200
From:      "Patrick O'Reilly" <patrick@mip.co.za>
To:        "FreeBSD Question List" <freebsd-questions@freebsd.org>
Subject:   ipfw rules for FTP - passive vs. active
Message-ID:  <NDBBIMKICMDGDMNOOCAIKECNDMAA.patrick@mip.co.za>

FTP - the firewalling bane of my life! :)

Please bear with me - if you are clued on ipfw and FTP - I need some advice.

In the past I have always set my firewalls to permit public access to my FTP
servers as follows:

<firewall script snippet>
ipfw add 1 allow tcp from any to any established
ipfw add 2 allow tcp from any to ${ftp_ip} 21 setup
ipfw add 3 allow tcp from ${ftp_ip} 20 to any setup
</firewall script snippet>

This works fine for clients on the 'net who make "active" (NOT passive) FTP
connections to my FTP server.

Recently I am finding that many FTP clients are behind firewalls themselves,
and these do not allow the incoming ftp-data connection from my FTP server
to their clients.  So, I can support passive connections like so:

<firewall script snippet>
ipfw add 1 allow tcp from any to any established
ipfw add 2 allow tcp from any to ${ftp_ip} setup
</firewall script snippet>

Now, this seems to me like it is far too lax as far as firewalling goes.  I
need to allow external clients to connect to ANY port on the FTP server so
that they can establish the passive ftp-data connection on the randomly
selected port number.  Yech! :(

So, my question at last:  Is there a way for me to build ipfw rules to
support both passive and active FTP data modes, but without leaving such a
huge gaping hole through the firewall?

I must point out that I have never got around to understanding the
capabilities of ipfw's stateful rules.  If therein lies the solution then
just a gentle prod with the clue stick would be much appreciated.

Thanks in advance,
Patrick O'Reilly.
-----------------
Disk Space - the final frontier...
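An added example, not part of the original post or any reply to it, of the stateful ipfw ruleset the question is asking about. It keeps the poster's three-rule shape (control channel, active data from port 20, passive data) but replaces the wide-open "any port" rule with a rule that admits passive data connections only into a fixed port range, and uses ipfw's check-state / keep-state so return traffic is matched by dynamic rules instead of a blanket "established" rule. Assumptions not stated on the page: the ipfw stateful syntax (check-state, keep-state) available from FreeBSD 4.x onward; that the FTP server's passive data ports are confined to a known range (on FreeBSD the ftpd daemon is assumed to use the high port range set by the sysctls net.inet.ip.portrange.hifirst/hilast, 49152-65535 by default); and the server address 10.0.0.5, which is a placeholder. The script prints the rules by default so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not the original poster's script.  Emits an ipfw ruleset for
# an FTP server that supports active and passive data connections without
# opening every port on the server.
#
# Assumptions (not from the page): ipfw stateful keywords check-state /
# keep-state; passive data ports confined to a fixed range, assumed here to be
# the FreeBSD high port range net.inet.ip.portrange.hifirst..hilast
# (49152-65535 by default) used by ftpd for PASV sockets.

# Dry run by default: rules are printed, not loaded.  Set FW="ipfw -q" to load.
FW="${FW:-echo ipfw}"

rule() {
    $FW add "$@"
}

# ftp_rules <server ip> <passive low port> <passive high port>
ftp_rules() {
    ftp_ip=$1
    pasv_lo=$2
    pasv_hi=$3

    # 1. Packets belonging to a flow already admitted by a keep-state rule
    #    are matched here by the dynamic rule, replacing "allow ... established".
    rule 100 check-state

    # 2. Control channel: client opens a connection to server port 21.
    #    keep-state records the flow so its return packets hit rule 100.
    rule 200 allow tcp from any to "$ftp_ip" 21 setup keep-state

    # 3. Active mode: the server opens the data connection from port 20 to the
    #    client's chosen port (this is the direction client firewalls reject).
    rule 300 allow tcp from "$ftp_ip" 20 to any setup keep-state

    # 4. Passive mode: the client opens the data connection to a server port,
    #    but only within the confined passive range, not to "any" port.
    rule 400 allow tcp from any to "$ftp_ip" "${pasv_lo}-${pasv_hi}" setup keep-state

    # 5. Any other attempt to open a TCP connection to the server is refused,
    #    so the passive range is the only extra exposure.
    rule 500 deny tcp from any to "$ftp_ip" setup
}

# Placeholder server address; the passive range is the assumed FreeBSD default.
ftp_rules 10.0.0.5 49152 65535
```

Rule 400 is the whole point: the hole shrinks from every port on the server to the passive range, and because the server's PASV replies only ever name ports in that range, nothing legitimate is lost. If the server is run with a narrower passive range (or a different one), change the two port arguments to match; a mismatch shows up as passive transfers hanging after the PASV reply while the control channel keeps working.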

