From owner-freebsd-ipfw Thu Apr 12 15:01:59 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by hub.freebsd.org (Postfix) with ESMTP id 8CF5837B424 for ; Thu, 12 Apr 2001 15:01:55 -0700 (PDT) (envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id AAA75489; Fri, 13 Apr 2001 00:00:40 +0200 (CEST) (envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200104122200.AAA75489@info.iet.unipi.it>
Subject: Re: Beating a dead horse - ipfw and FTP
In-Reply-To: <87bsq1hjc5.fsf@pooh.honeypot> from Kirk Strauser at "Apr 12, 2001 04:57:46 pm"
To: Kirk Strauser
Date: Fri, 13 Apr 2001 00:00:40 +0200 (CEST)
Cc: freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> At 2001-04-12T19:16:23Z, Luigi Rizzo writes:
>
> > we have stateful ipfw and passive ftp -- the combination of the two should
> > give you the protection that you want. Am I wrong?
>
> Unfortunately, yes. The annoying part is that there is no way to tell what
> port the FTP server will want you to connect to ahead of time:
>
> 1. Connect from client to server port 21
> 2. Ask the server what port to connect to for data transmission
> 3. Connect from client port 20 to the specified port on the server

So set a dynamic rule on the server which lets in connections from port 20
on the client side.

	cheers
	luigi

> The old style was even worse:
>
> 1. Connect from client to server port 21
> 2. Connect from server to client port 20
>
> So, there's no way to know what port to open (for step 3 of the first
> listing) in advance.
> --
> Kirk Strauser
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
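As an added illustration of the ruleset the exchange above is circling around (this is not code from the thread or from either poster), the script below generates an ipfw rule file for the FTP server's own firewall: `check-state` first, a `keep-state` rule for the control port, a `keep-state` rule for the passive data range the FTP daemon has been configured to announce, one for the outbound active-mode connection from port 20, and a final deny for any other inbound connection attempt. The server address and the passive port range are constructed placeholders; the file format (one `add ...` command per line, loaded with `ipfw <pathname>`) is standard ipfw usage.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Generates an ipfw rule file for an FTP server host. Addresses and the
# passive port range below are constructed placeholders; set them to the
# server's address and to the range configured in the FTP daemon.

SERVER_IP="${SERVER_IP:-192.0.2.10}"   # placeholder: the FTP server's address
PASV_LOW="${PASV_LOW:-49152}"          # placeholder: daemon's passive range, low end
PASV_HIGH="${PASV_HIGH:-49200}"        # placeholder: daemon's passive range, high end

# Emit the ruleset. check-state must come first so that packets belonging to
# a session already recorded by a keep-state rule are accepted before the
# static rules (and the final deny) are consulted.
ftp_rules() {
    cat <<EOF
add 100 check-state
add 200 allow tcp from any to ${SERVER_IP} 21 setup keep-state
add 300 allow tcp from any to ${SERVER_IP} ${PASV_LOW}-${PASV_HIGH} setup keep-state
add 350 allow tcp from ${SERVER_IP} 20 to any setup keep-state
add 65000 deny tcp from any to ${SERVER_IP} setup
EOF
}

# Number of rules that create dynamic state; a quick sanity check for the
# generated file (expected: 3, the control port, the passive range, active mode).
count_keep_state() {
    ftp_rules | grep -c 'keep-state'
}

# Load the rules into the kernel where ipfw is present; elsewhere just print
# them so the file can be reviewed before it is applied on the real host.
load_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        tmp=$(mktemp) || return 1
        ftp_rules > "$tmp"
        ipfw -q "$tmp"   # ipfw reads one command per line from the file
        rm -f "$tmp"
    else
        ftp_rules
    fi
}
```

The caveat Kirk raises still applies to rule 300: ipfw of this vintage cannot tie a data-port connection to the control session that announced it, so the initial SYN to any port in the passive range is accepted from any source, and `keep-state` only restricts the packets that follow. Keeping the daemon's passive range small and matching it exactly in the rule is what limits that exposure; the final `deny ... setup` makes sure no other port on the server accepts a new connection.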