Date:      12 Apr 2001 16:57:46 -0500
From:      Kirk Strauser <>
Subject:   Re: Beating a dead horse - ipfw and FTP
Message-ID:  <87bsq1hjc5.fsf@pooh.honeypot>
In-Reply-To: <>
References:  <>

At 2001-04-12T19:16:23Z, Luigi Rizzo <> writes:

> we have stateful ipfw and passive ftp -- the combination of the two should
> give you the protection that you want.  Am I wrong?

Unfortunately, yes.  The annoying part is that there is no way to tell what
port the FTP server will want you to connect to ahead of time:

  1.  Connect from client to server port 21
  2.  Ask the server what port to connect to for data transmission
  3.  Connect from client port 20 to the specified port on the server

The old style was even worse:

  1.  Connect from client to server port 21
  2.  Connect from server to client port 20

So, there's no way to know what port to open (for step 3 of the first
listing) in advance.

Kirk Strauser
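
Step 2 of the passive-mode listing above is the point where the data port becomes known: the server announces it in a 227 (or 229) reply on the control connection. The sketch below is an added example, not code from the original message or from ipfw; it parses those replies and tracks which single data connection a control-channel-aware filter could then allow. The `ControlChannelTracker` class, the addresses and the reply lines are constructed for illustration.

```python
import re

# RFC 959:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
# RFC 2428: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

def data_endpoint(reply, server_ip):
    """Return the (ip, port) a passive-mode reply announces, else None."""
    m = PASV_RE.match(reply)
    if m:
        n = [int(x) for x in m.groups()]
        if max(n) > 255:
            return None
        return ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(2)) <= 65535:
        return server_ip, int(m.group(2))  # EPSV reuses the control peer's address
    return None

class ControlChannelTracker:
    """Hypothetical helper: data endpoints announced on one control connection."""
    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.expected = set()

    def observe(self, line):
        ep = data_endpoint(line.strip(), self.server_ip)
        # Only trust announcements that point back at the control peer.
        if ep and ep[0] == self.server_ip:
            self.expected.add(ep)

    def permits(self, dst_ip, dst_port):
        """Allow one data connection per announced endpoint, then forget it."""
        if (dst_ip, dst_port) in self.expected:
            self.expected.remove((dst_ip, dst_port))
            return True
        return False

# Constructed control-channel replies (documentation addresses, not real traffic).
SAMPLE = [
    "220 ftp.example.org ready",
    "227 Entering Passive Mode (192,0,2,10,195,80)",    # 195*256 + 80 = 50000
    "229 Entering Extended Passive Mode (|||50123|)",
    "227 Entering Passive Mode (198,51,100,7,4,1)",     # other host: ignored
]

if __name__ == "__main__":
    t = ControlChannelTracker("192.0.2.10")
    for line in SAMPLE:
        t.observe(line)
    print(sorted(t.expected))
```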