Date:      Tue, 17 Jun 2003 14:36:51 +0200
From:      bsd@perimeter.co.za
To:        Andrew Thomson <ajthomson@optushome.com.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: restrictive ipfw ruleset and ftp
Message-ID:  <courier.3EEF0B63.0000E8D2@perimeter.co.za>
In-Reply-To: <20030617121346.GA80594@athomson.prv.au.itouchnet.net> 
References:  <20030617121346.GA80594@athomson.prv.au.itouchnet.net>

Andrew Thomson writes: 

> Any suggestions would be great.
> 
> I have a restrictive ipfw ruleset that works great. It only allows
> incoming connections that I allow and outgoing connections that I allow. I
> have a list of ports that I let my users go out on: 80, 22, 143, 443, etc.
> 
> All the stuff they might need to do.
> 
> How can I handle passive FTP, though?
> 
> I can let 21 out, but when the remote FTP server says "use this x high
> port", I block that because it's not in my list. So what can I do to get
> around this?
> 
> Not totally familiar with it, but is this what fw_punch is for within
> nat?
> 

Personally, I have a pair of rules something similar to the following: 

ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup in via ${iif}
ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup out via ${oif}

This is quite wide, but ensures that only outbound connections on the high 
port numbers are permitted, both on the source and the destination ends of 
the connection. 

Perhaps some real experts will give you a more definitive answer... 

Patrick.
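As an added illustration (not code from either poster), here is how the high-port rule above fits into a restrictive, /etc/rc.firewall-style ruleset of the kind Andrew describes. The inside net 192.168.1.0/24 on em1, the outside interface em0, and the outbound port list are assumed values; fwcmd defaults to ipfw, and fwcmd=echo previews the rules instead of loading them.

```shell
#!/bin/sh
# Added example in the style of /etc/rc.firewall, not code from the thread:
# a restrictive ipfw ruleset with the passive-FTP high-port rule from the reply.
# Assumed values: inside net 192.168.1.0/24 on em1, outside interface em0, and
# the port list below. fwcmd defaults to ipfw; set fwcmd=echo to preview only.

fwcmd=${fwcmd:-ipfw}
inet=192.168.1.0
imask=255.255.255.0
iif=em1
oif=em0
out_ports=21,22,80,143,443      # ports users may open directly (21 = FTP control)

load_rules() {
    ${fwcmd} -q flush
    # Packets of already-established TCP connections (those that passed a
    # "setup" rule below) and loopback traffic.
    ${fwcmd} add 100 allow tcp from any to any established
    ${fwcmd} add 200 allow ip from any to any via lo0
    # New outbound connections from the inside net to the explicit port list,
    # matched both as they enter on ${iif} and as they leave on ${oif}.
    ${fwcmd} add 300 allow tcp from ${inet}:${imask} to any ${out_ports} setup in via ${iif}
    ${fwcmd} add 310 allow tcp from ${inet}:${imask} to any ${out_ports} setup out via ${oif}
    # Passive FTP data channel: the server names a high port in its PASV reply,
    # so permit outbound setup from high ports to high ports. No rule allows
    # "setup in via ${oif}", so the outside still cannot open connections to us.
    ${fwcmd} add 400 allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup in via ${iif}
    ${fwcmd} add 410 allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup out via ${oif}
    # Everything else, including any inbound setup on ${oif}, is dropped and logged.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Print the rules that load_rules would issue, without touching the kernel.
preview_rules() {
    ( fwcmd=echo; load_rules )
}

# "sh firewall.sh load" (as root) loads the ruleset; "sh firewall.sh" previews it.
if [ "${1:-}" = load ]; then load_rules; else preview_rules; fi
```

The `established` rule is the stateless style of the reply; on current FreeBSD the same effect is usually achieved with `keep-state` on the setup rules and a `check-state` rule in front of them.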


