Date:      12 Apr 2001 14:13:14 -0500
From:      Kirk Strauser <>
Subject:   Beating a dead horse - ipfw and FTP
Message-ID:  <87puei53ud.fsf@pooh.honeypot>

I've read a lot of the mailing list archives regarding ipfw and FTP.  The
basic consensus seems to be that FTP Is Bad and that it shouldn't be used.
OK, on a technical level, I agree.  Unfortunately, it's still somewhat hard
to get away from.  In particular, look at the FreeBSD ports system which
relies heavily on using FTP to fetch source tarballs - that alone is reason
enough for me to maintain usability for this antiquated protocol.  Add in
the fact that I have several user workstations that periodically fetch files
(darn those Debian users :) ) and I'm pretty well stuck.

So, has anyone agreed on a best-practices method of allowing outgoing FTP
connections through ipfw?  It seems like the ideal would be for someone to
add an FTP method to ipfw's keep-state mechanism, but that doesn't seem to
exist right now.  The next best solution, to me, would be an ipfw-aware FTP
proxy that can dynamically open and close ports.  Does such a thing exist?
If so, and there is more than one, are any of them recommended?

I'm thinking that a final last-ditch-effort solution would be to write a
two-part FTP proxy server so half of the server lives outside the firewall
and the other half is inside, and the two halves communicate via a secure
link.  This might actually be a Good Thing, but darned if I'd even know
where to begin such a project.

Kirk Strauser
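
An added illustration, not part of the original message and not taken from any existing proxy: the core step an ipfw-aware proxy for outgoing passive-mode FTP would perform is reading the server's 227 reply on the control channel and opening a rule for exactly that one data connection. The function names, rule number and addresses are assumptions, and the reply lines are constructed samples.

```python
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def pinhole_rule(client_ip, server_ip, reply, rule_num=20000):
    """Build one narrow ipfw rule for the passive data connection.

    Returns None when the reply is not a usable 227, when the advertised
    address is not the control-connection peer (the reply would redirect the
    client to a third host), or when the port is in the privileged range.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != server_ip or port < 1024:
        return None
    # keep-state lets ipfw track the rest of this single TCP connection.
    return "ipfw add %d allow tcp from %s to %s %d setup keep-state" % (
        rule_num, client_ip, server_ip, port)


if __name__ == "__main__":
    # Constructed sample: internal client 10.0.0.5, FTP server 192.0.2.10.
    good = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
    redirected = "227 Entering Passive Mode (10,0,0,99,195,80)\r\n"
    print(pinhole_rule("10.0.0.5", "192.0.2.10", good))
    print(pinhole_rule("10.0.0.5", "192.0.2.10", redirected))
```

A real proxy would also remove the rule (`ipfw delete` with the same rule number) once the data connection closes or a timeout expires.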
