Date: Wed, 17 Oct 2001 21:11:03 +0200
From: "Dave Raven" <dave@reason.za.org>
To: "Weldon S Godfrey 3" <weldon@excelsus.com>, <freebsd-questions@FreeBSD.org>
Subject: Re: Squid/IPNat FTP.
Message-ID: <006c01c1573f$7bf51520$3400a8c0@DAVE>
References: <20011017134106.O59186-100000@joule.excelsus.com>
Yes quite. That explains it all actually. As it says opening ASCII mode (or whatever) it stalls, as if it's been suddenly blocked. Thanks all, you've been most helpful.

----- Original Message -----
From: "Weldon S Godfrey 3" <weldon@excelsus.com>
To: "feenikz" <demi@god.za.net>
Sent: Wednesday, October 17, 2001 7:47 PM
Subject: Re: Squid/IPNat FTP.

> I am not too familiar with ipfilter, I am more familiar with ipfw.
>
> But the usual problem is that, even if you have an "established" rule for
> any connection, that will only catch the port the ftp connection was
> initiated on (which is port 21). When someone starts a transfer (which
> even an "ls" is considered an ASCII file transfer in ftpland), it sends the
> data back on port 20 (ftp-data). Since this is not the port which the
> connection was established on, the data gets dropped at the firewall.
>
> In the past, I have opened port 20 to allow any 20 to come in. This can
> have drawbacks if someone on the internal LAN has placed something evil at
> that port and therefore creates a possible hole to get into the LAN.
> Although typically, leaving port 20 open isn't too bad since no computer
> on your network should be expecting a connection on port 20 except an ftp
> client.
>
> The best way to solve your problem is to set up an ftp proxy on your
> firewall box and have people proxy through that.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
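The three approaches Weldon describes (an "established"-only rule, a blanket "allow source port 20" hole, and an FTP-aware proxy), as an added toy model that is not part of the thread and not ipfilter or ipfw code: it parses the client's FTP PORT command to learn the expected data connection and shows which inbound packets each policy lets through. Addresses and the exchange are constructed, and the model ignores the address rewriting a real NAT ftp proxy also performs.

```python
def parse_port_cmd(line):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port), or None."""
    if not line.upper().startswith("PORT "):
        return None
    fields = line[5:].strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        return None
    n = [int(f) for f in fields]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


class Firewall:
    """policy: 'established' (reply traffic only), 'open20' (any source port 20)
    or 'alg' (FTP-aware pinhole learned from the client's PORT command)."""

    def __init__(self, policy):
        self.policy = policy
        self.flows = set()     # (src, sport, dst, dport) initiated from the LAN
        self.pinholes = set()  # (server, client, client_port) expected data connections

    def outbound(self, src, sport, dst, dport):
        self.flows.add((src, sport, dst, dport))

    def saw_port_cmd(self, client, server, line):
        parsed = parse_port_cmd(line)
        if parsed and parsed[0] == client and parsed[1] > 1023:  # trust only a PORT naming the real client
            self.pinholes.add((server, client, parsed[1]))

    def inbound_allowed(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.flows:
            return True  # reply on an established flow (the control channel)
        if self.policy == "open20" and sport == 20:
            return True  # blanket hole: any remote host can choose source port 20
        if self.policy == "alg" and sport == 20 and (src, dst, dport) in self.pinholes:
            self.pinholes.discard((src, dst, dport))  # one-shot pinhole for the data channel
            return True
        return False


def scenario(policy):
    """Constructed exchange: client opens the control channel, sends PORT, the
    server dials back from port 20, and an unrelated host also tries source port 20."""
    fw = Firewall(policy)
    client, server, stranger = "192.168.0.52", "203.0.113.10", "198.51.100.7"
    fw.outbound(client, 40001, server, 21)
    fw.saw_port_cmd(client, server, "PORT 192,168,0,52,4,1")  # 4*256+1 = port 1025
    return {
        "ctrl_reply": fw.inbound_allowed(server, 21, client, 40001),
        "ftp_data": fw.inbound_allowed(server, 20, client, 1025),
        "stranger": fw.inbound_allowed(stranger, 20, client, 445),
    }
```

With "established" the control channel works but the port-20 data connection is dropped (the stall seen in the thread); "open20" admits the data connection and the stranger alike; "alg" admits only the connection the PORT command announced.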