From owner-freebsd-ipfw Thu Apr 12 14:57:51 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from kanga.honeypot.net (kanga.honeypot.net [216.224.193.50]) by hub.freebsd.org (Postfix) with ESMTP id E86D237B443 for ; Thu, 12 Apr 2001 14:57:47 -0700 (PDT) (envelope-from kirk@honeypot.net)
Received: from pooh.honeypot (mail@pooh.honeypot [10.0.1.2]) by kanga.honeypot.net (8.11.3/8.11.3) with ESMTP id f3CLvkE67047 for ; Thu, 12 Apr 2001 16:57:46 -0500 (CDT) (envelope-from kirk@honeypot.net)
Received: from kirk by pooh.honeypot with local (Exim 3.12 #1 (Debian)) id 14np62-0000Hi-00 for ; Thu, 12 Apr 2001 16:57:46 -0500
To: freebsd-ipfw@freebsd.org
Subject: Re: Beating a dead horse - ipfw and FTP
References: <200104121916.VAA74511@info.iet.unipi.it>
From: Kirk Strauser
Date: 12 Apr 2001 16:57:46 -0500
In-Reply-To: <200104121916.VAA74511@info.iet.unipi.it>
Message-ID: <87bsq1hjc5.fsf@pooh.honeypot>
Lines: 22
X-Mailer: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 2001-04-12T19:16:23Z, Luigi Rizzo writes:

> we have stateful ipfw and passive ftp -- the combination of the two should
> give you the protection that you want. Am I wrong?

Unfortunately, yes. The annoying part is that there is no way to tell what
port the FTP server will want you to connect to ahead of time:

1. Connect from client to server port 21
2. Ask the server what port to connect to for data transmission
3. Connect from client port 20 to the specified port on the server

The old style was even worse:

1. Connect from client to server port 21
2. Connect from server to client port 20

So, there's no way to know what port to open (for step 3 of the first
listing) in advance.
--
Kirk Strauser

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
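As an added illustration (not code from the original thread): the data port only becomes known once the control channel has carried a PASV reply or a PORT command, so a firewall can open it in time only by reading that traffic, which is what an FTP proxy or application-level gateway does on the firewall's behalf. The script below decodes both messages as RFC 959 specifies, refuses an announced host that is not the control-channel peer, and produces the ipfw rule such a helper would have to add; the sample lines, addresses and rule number are constructed for the example.

```python
import ipaddress
import re

# Constructed sample control-channel lines; they are not taken from the post.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
SAMPLE_PORT_CMD = "PORT 198,51,100,7,4,1"

# RFC 959 encodes the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")
_PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)


def _decode(fields):
    """Turn the six h1..h4,p1,p2 fields into a validated (host, port) pair."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    host = str(ipaddress.IPv4Address(".".join(str(n) for n in nums[:4])))
    return host, nums[4] * 256 + nums[5]


def _checked(regex, line, expected_peer, what):
    m = regex.match(line)
    if not m:
        raise ValueError("not a %s line" % what)
    host, port = _decode(m.groups())
    # A helper must only open holes towards the host it is already talking to,
    # and never towards a privileged port (RFC 2577 makes the same recommendation).
    if host != expected_peer or port < 1024:
        raise ValueError("announced endpoint is not an acceptable data port on the peer")
    return host, port


def parse_pasv(reply, server_ip):
    """Data endpoint the server announces in a 227 reply (passive mode)."""
    return _checked(_PASV_RE, reply, server_ip, "227 PASV reply")


def parse_port(cmd, client_ip):
    """Data endpoint the client announces in a PORT command (active mode)."""
    return _checked(_PORT_RE, cmd, client_ip, "PORT command")


def passive_rule(client_ip, server_ip, port, rule_no=1000):
    """ipfw rule letting the client reach the port the server just announced."""
    return "ipfw add %d allow tcp from %s to %s %d setup" % (rule_no, client_ip, server_ip, port)


def active_rule(client_ip, server_ip, port, rule_no=1000):
    """ipfw rule letting the server connect from port 20 to the announced client port."""
    return "ipfw add %d allow tcp from %s 20 to %s %d setup" % (rule_no, server_ip, client_ip, port)
```

Each rule is computed from one announcement and would be removed again when that transfer ends; a static ruleset has no way to know either endpoint beforehand, which is the point the thread makes.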