From: Andy Smith
To: freebsd-ipfw@freebsd.org
Date: Sun, 19 Oct 2003 19:02:07 +0100
Subject: active FTP, ipfw and dynamic rules
Message-ID: <20031019180206.GL24304@lug.org.uk>
List-Id: IPFW Technical Discussions

Hi guys, apologies if this has been discussed before but a couple of us have been googling and reading man pages for a few hours now and can't seem to work this one out.
If you've got a machine with IPFW2 and users on it want to use active FTP, is this possible without doing something like:

    ipfw add allow tcp from any 20 to any 1024-65534

What I'm trying to duplicate is the functionality of linux iptables where you would just add something like...

    $IPTABLES -A INPUT -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

and then everything like active FTP would just work. We don't quite understand how that can be done with ipfw's keep-state and would appreciate any tips you can offer.

And yes I know that FTP sucks, and that passive FTP can be made to work, it is just annoying that I can work this out so easily with iptables but not with ipfw.

Thanks!
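The gap the poster is hitting is that an ipfw dynamic rule (created by "keep-state", matched by "check-state") records one exact src/sport/dst/dport tuple and passes traffic in both directions of that tuple only; nothing in ipfw reads the FTP control channel. The iptables "RELATED" state works because the nf_conntrack_ftp helper parses the client's PORT command and pre-registers the expected server-to-client data connection. The static "allow tcp from any 20 to any 1024-65534" rule closes the gap by trusting the source port, which anyone can choose. The following model, written for this thread and not code from the post or from FreeBSD/Linux, runs one active-FTP session and one hostile SYN through all three policies. Addresses (10.0.0.5, 192.0.2.10, 198.51.100.7), the LAN prefix and the PORT payload are constructed for the demo; the FTP helper modelled here is a simplification of the real conntrack helper.

```python
"""Why 'keep-state' alone does not pass active FTP, modelled in Python.

Added example, not code from the mailing-list post. Three policies run
against constructed packets (no real ipfw or iptables is involved):
  1. ipfw:     allow tcp from <lan> to any setup keep-state   (+ check-state)
  2. ipfw:     policy 1 plus 'allow tcp from any 20 to any 1024-65534'
  3. iptables: -m state --state ESTABLISHED,RELATED with the FTP helper
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a connection ('setup')


def flow_key(p):
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(p):
    return (p.dst, p.dport, p.src, p.sport)


class IpfwKeepState:
    """ipfw dynamic rules: one entry per exact 4-tuple, matched in both
    directions by 'check-state'. Nothing looks inside the payload."""

    def __init__(self, lan_prefix):
        self.lan_prefix = lan_prefix      # assumed LAN, e.g. "10.0.0."
        self.dynamic = set()

    def inspect_payload(self, p, payload):
        return None                       # no application-layer helper in ipfw

    def decide(self, p):
        if flow_key(p) in self.dynamic or reverse_key(p) in self.dynamic:
            return "allow: check-state"
        if p.syn and p.src.startswith(self.lan_prefix):
            self.dynamic.add(flow_key(p))  # 'setup keep-state' creates the entry
            return "allow: setup keep-state"
        return "deny"


class IpfwKeepStatePlusPort20(IpfwKeepState):
    """Policy 1 plus the static rule the poster wants to avoid."""

    def decide(self, p):
        if p.sport == 20 and 1024 <= p.dport <= 65534:
            return "allow: static port-20 rule"
        return super().decide(p)


PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_port_command(line):
    """FTP 'PORT h1,h2,h3,h4,p1,p2' -> (ip, p1*256 + p2), or None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])


class ConntrackWithFtpHelper(IpfwKeepState):
    """iptables ESTABLISHED,RELATED: the same flow table plus an expectation
    table that the FTP helper fills when it sees PORT on a port-21 flow."""

    def __init__(self, lan_prefix):
        super().__init__(lan_prefix)
        self.expected = set()             # (server, client, client_data_port)

    def inspect_payload(self, p, payload):
        if p.dport == 21 and flow_key(p) in self.dynamic:
            parsed = parse_port_command(payload)
            # Only honour a PORT that names the sender's own address.
            if parsed and parsed[0] == p.src:
                self.expected.add((p.dst, p.src, parsed[1]))

    def decide(self, p):
        exp = (p.src, p.dst, p.dport)     # source port is a wildcard
        if p.syn and exp in self.expected:
            self.expected.discard(exp)    # one data connection per PORT
            self.dynamic.add(flow_key(p))
            return "allow: RELATED (ftp helper)"
        return super().decide(p)


def active_ftp_scenario(fw):
    """Run one active-FTP session plus one hostile SYN through a policy and
    return the decisions for (server's data SYN, attacker's fake port-20 SYN)."""
    client, server, attacker = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    fw.decide(Pkt(client, 40001, server, 21, syn=True))   # control channel out
    fw.decide(Pkt(server, 21, client, 40001))             # server's reply in
    # client asks the server to connect back to 10.0.0.5:40002 (156*256 + 66)
    fw.inspect_payload(Pkt(client, 40001, server, 21), "PORT 10,0,0,5,156,66\r\n")
    data = fw.decide(Pkt(server, 20, client, 40002, syn=True))
    # anyone can pick source port 20; here it is aimed at the client's X11 port
    rogue = fw.decide(Pkt(attacker, 20, client, 6000, syn=True))
    return data, rogue
```

Running active_ftp_scenario with each class shows the trade-off: plain keep-state denies both SYNs (the data connection never matches a dynamic entry), the static port-20 rule allows both (including the attacker's SYN to port 6000), and only the helper-driven policy allows the expected data connection while still denying the rogue one.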