Date:      Sat, 12 May 2001 18:18:59 +0200 (CEST)
From:      Paul Herman <pherman@frenchfries.net>
To:        Artem Koutchine <matrix@ipform.ru>
Cc:        Mike Meyer <mwm@mired.org>, <questions@FreeBSD.ORG>
Subject:   Re: Allow rules for ipfw for active ftp
Message-ID:  <Pine.BSF.4.33.0105121810530.11676-100000@husten.security.at12.de>
In-Reply-To: <006001c0daeb$a7ed7260$0c00a8c0@ipform.ru>

On Sat, 12 May 2001, Artem Koutchine wrote:

> > I've used the '-punch_fw' option to natd(8) with relatively good
> > results.
>
> The client is behind the firewall. The server is open wide. The server
> wants to connect from an arbitrary port to the client's arbitrary port.
> There is no way the firewall could know that this connection is
> related to the already established FTP command connection. So, how
> does -punch_fw help?

That's exactly what it does.  When "natd -punch_fw" is running on the
client's firewall, it sees the FTP "PORT" commands and dynamically
inserts a rule into the firewall which allows the server to connect to
the client.

I set this up once because I was running check-state rules, which of
course would allow passive mode, but the users wanted active mode as
well.

-Paul.
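The mechanism Paul describes, as an added illustration that is not part of this thread and not natd's own code: a small model of a punch_fw-style FTP helper that watches the control connection for PORT commands, decodes the address and port the client advertises, and derives the one-shot ipfw allow rule that lets the server open the data connection back to the client. The rule text and the rule number range are an assumption made for the example (natd's real rule may differ in shape); the control-channel lines are constructed. The helper refuses to open a hole when the PORT argument is malformed or advertises an address other than the client's own, which is the check a defender wants so that a hostile or buggy client cannot punch a hole toward a third host.

```python
import re
from ipaddress import IPv4Address

# FTP PORT argument per RFC 959: four address octets and two port bytes (h1,h2,h3,h4,p1,p2).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) advertised by an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return str(ip), port


def punch_rule(line, server_ip, client_ip, rule_number):
    """Build the ipfw rule a punch_fw-style helper would insert for one PORT
    command seen on the control connection from client_ip to server_ip.

    Returns None (no hole punched) when the command is malformed, advertises an
    address other than the client's own, or names a privileged port.
    The rule shape is an assumption for this example, not natd's exact rule.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    adv_ip, adv_port = parsed
    if adv_ip != client_ip:      # third-party address: refuse to open a hole for it
        return None
    if adv_port < 1024:          # data port must be unprivileged
        return None
    return (f"ipfw add {rule_number} allow tcp from {server_ip} "
            f"to {client_ip} {adv_port} setup")


def process_control_stream(lines, server_ip, client_ip, base_rule=10100):
    """Walk constructed control-channel lines and collect the rules that would
    be punched; rule numbers are allocated from base_rule upward."""
    rules = []
    for line in lines:
        rule = punch_rule(line, server_ip, client_ip, base_rule + len(rules))
        if rule is not None:
            rules.append(rule)
    return rules


# Constructed sample: a client at 192.168.0.12 talking to a server at 203.0.113.5.
SAMPLE_CONTROL_LINES = [
    "USER anonymous",
    "PORT 192,168,0,12,4,1",      # legitimate: client's own address, port 1025
    "PORT 10,0,0,99,4,1",         # advertises someone else's address: refused
    "PORT 192,168,0,12,0,80",     # privileged port: refused
    "PORT 192,168,0,300,4,1",     # malformed octet: refused
    "LIST",
]

if __name__ == "__main__":
    for r in process_control_stream(SAMPLE_CONTROL_LINES, "203.0.113.5", "192.168.0.12"):
        print(r)
```

Only the first PORT line yields a rule; the remaining three are rejected before any firewall change is made, which is the property that makes dynamic hole punching acceptable on a client-side firewall.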





