Date:      Tue, 13 Mar 2001 05:16:51 -0600
From:      Mike Meyer <mwm@mired.org>
To:        kstewart@urx.com
Cc:        questions@freebsd.org
Subject:   Re: ipfw rules for incoming passive mode ftp connections
Message-ID:  <15022.419.822278.16815@guru.mired.org>
In-Reply-To: <3AADFF6C.8849BF47@urx.com>
References:  <15021.59314.727992.628569@guru.mired.org> <3AADFF6C.8849BF47@urx.com>

Kent Stewart <kstewart@urx.com> types:
> Mike Meyer wrote:
> > Kent Stewart <kstewart@urx.com> types:
> > > If you have a passive ftpd setup, how do you control what port something
> > > like a windows ftp client can use with ipfw. The range I am seeing is
> > > way beyond what is suggested and you know that people are going to
> > > blame the FreeBSD ftp server when they get the terrible response that
> > > produces.
> > You don't need to control what port the client uses for passive FTP,
> > you need to control what port the server uses.
> Is there a way to do that? What I am seeing is ports from the low 30K
> to mid 50's. The problem of course is that when you prevent a range
> that it tries to use, it seems like it takes forever to respond.
> Eventually it worked but some of those files that I used for a test I
> could have typed in faster. They weren't very big of course :).

Well, you have the source to the ftp server, so you can just use
that. But it sounds like you have things working about as well as
you'd want them to now.

> > With passive FTP, the client sends a request to the server asking for
> > data, and the SERVER tells the client what port to get it from. The
> > client opens the second connection to the server and gets the
> > data. This goes through firewalls around the client just fine, which
> > is why it became popular in the early 90s.
> 
> I have the O'Reilly Firewall book. That has a bunch of numbers and
> diagrams that at first didn't make sense because I couldn't relate the
> diagrams to the rules. Then I came across Zeigler's Linux Firewalls
> where he generated input for ipchains. The equivalent ipfw was almost
> trivial. At any rate, a combination of both turned on the recognition
> light. You could see the data being logged on both ends and see the
> coarse handshaking that goes on. 

Chapman and Zwicky suffers from being a how to, but not knowing what
platform you're going to be working on. So they give you the tables
and diagrams, and you sort of have to figure it out. Once the light
comes on (seeing it done on one system will usually do it), it's
pretty straightforward to transfer all those tables and diagrams to
any platform. I was fortunate enough to have Brent (Chapman)
explain the greatcircle firewall to me, after which it was pretty much
obvious.

Brent's firewall was a small personal lan - a couple of desktop macs,
a couple of desktop Unix boxes, and a couple of routers with servers
in the DMZ. *That* "home office LAN" needed that kind of protection.

	<mike

--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
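The passive-mode exchange described in the thread, as an added example that is not part of the original messages: the server answers the client's PASV request with a `227` reply carrying an address and a port encoded as two bytes (`p1*256 + p2`), and the client then opens the data connection to that port. The code below parses such replies, computes the port, and checks it against the port range the administrator expects the server to use (the thread's point that it is the server's port choice, not the client's, that the firewall has to cover). The replies, the server address `192.0.2.10` and the range `49152-65535` are constructed for the example; the `ipfw` rule it emits is an illustration of the shape of an allow rule for that range, not a rule taken from the thread or from any specific ruleset.

```python
import re
from dataclasses import dataclass

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class PasvTarget:
    host: str
    port: int


def parse_pasv_reply(line):
    """Return the host and data port announced in a 227 PASV reply."""
    m = PASV_RE.search(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of byte range in: %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # high byte * 256 + low byte
    return PasvTarget(host, port)


def check_data_target(target, control_host, port_range):
    """List the reasons a firewall admin would reject this data target.

    control_host: the server address the control connection went to.
    port_range:   (low, high) passive range the server is configured for
                  (an assumed value in the example, not from the thread).
    """
    reasons = []
    if target.host != control_host:
        reasons.append("data host %s differs from control host %s"
                       % (target.host, control_host))
    low, high = port_range
    if not low <= target.port <= high:
        reasons.append("data port %d outside configured passive range %d-%d"
                       % (target.port, low, high))
    return reasons


def ipfw_passive_rule(server_ip, port_range, rule_no=1000):
    """Shape of an ipfw rule admitting inbound data connections to the
    passive range on the server (illustrative; fit it into a real ruleset)."""
    low, high = port_range
    return "ipfw add %d allow tcp from any to %s %d-%d in setup" % (
        rule_no, server_ip, low, high)


# Constructed replies standing in for what the client saw in its log.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # port 50000, in range
    "227 Entering Passive Mode (192,0,2,10,120,12)",   # port 30732, below range
    "227 Entering Passive Mode (10,0,0,5,200,1)",      # port 51201, wrong host
]
SERVER_IP = "192.0.2.10"          # constructed
PASSIVE_RANGE = (49152, 65535)    # assumed configured range


def audit(replies=SAMPLE_REPLIES, server_ip=SERVER_IP, port_range=PASSIVE_RANGE):
    """Map each reply to the list of problems found (empty list = acceptable)."""
    results = {}
    for reply in replies:
        target = parse_pasv_reply(reply)
        results[reply] = check_data_target(target, server_ip, port_range)
    return results


if __name__ == "__main__":
    for reply, problems in audit().items():
        print(reply, "->", "ok" if not problems else "; ".join(problems))
    print(ipfw_passive_rule(SERVER_IP, PASSIVE_RANGE))
```

Run it and the second reply is flagged because its port lands in the low 30K the thread mentions, which falls outside the range the rule would admit; the third is flagged because the announced address is not the server the control connection went to, a mismatch a careful client refuses to follow. Whether the server's range matches the firewall rule is the thing to confirm on the server side; the client can only report what it was told.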
