Date: Tue, 13 Mar 2001 12:51:39 +1100
From: Tony Landells <ahl@austclear.com.au>
To: David Kelly <dkelly@hiwaay.net>
Cc: "Magdalinin Kirill" <bsdforumen@hotmail.com>, kstewart@urx.com, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules for incoming passive mode ftp connections
Message-ID: <200103130151.MAA15026@tungsten.austclear.com.au>
In-Reply-To: Message from David Kelly <dkelly@hiwaay.net> of "Mon, 12 Mar 2001 18:58:13 MDT." <200103130058.f2D0wDe06731@grumpy.dyndns.org>
dkelly@hiwaay.net said:
> If things are to be opened that wide, then what is the point in
> running ipfw at all? No reply expected as this is more of a
> rhetorical question. Everybody knows FTP is a crock, and this is why.
> This is an example of where the expensive commercial firewalls shine
> as a good one is smart enough to know ftp and see the exchange
> specifying the expected incoming ftp data connection to open it for
> the duration and close on completion. Seems like something that would
> be very doable in ipfirewall with a small simple helper application.
> Suspect that is exactly what the authors had in mind with
> ipfirewall(4) and #include <netinet/ip_fw.h>

The other option is to have something in ipfw similar to the "keep state"
stuff but where you can specify a template for the dynamic rules using
variables to refer to the source and destination IPs (and maybe port
numbers).

Tony
--
Tony Landells <ahl@austclear.com.au>
Senior Network Engineer                  Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd     Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
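As an added illustration of the FTP-aware helper David describes (not code from this thread, from ipfw, or from FreeBSD), the Python sketch below parses a server's 227 "Entering Passive Mode" reply and produces the single narrow ipfw rule a helper would add for that one data connection, refusing replies that advertise a host other than the control-channel peer or a port below 1024. The addresses, ports and rule number are constructed, and the exact ipfw command wording is an assumption.

```python
import re
import ipaddress

# Constructed 227 replies for illustration; none were captured from the thread.
PASV_OK = "227 Entering Passive Mode (192,0,2,10,195,80)"
PASV_BOUNCE = "227 Entering Passive Mode (198,51,100,7,195,80)"   # host != server
PASV_LOWPORT = "227 Entering Passive Mode (192,0,2,10,0,21)"       # port 21

# RFC 959 PASV reply: six comma-separated decimal octets in parentheses.
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or None if malformed."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_rule(reply, client_ip, server_ip, rule_no=1000):
    """Build the one ipfw rule a helper would install for this data connection.

    The rule only admits the client that issued PASV, only to the server that
    answered, and only on the advertised port.  A reply naming a different host
    (the classic PASV bounce) or a privileged port gets no rule at all.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    host, port = parsed
    if ipaddress.ip_address(host) != ipaddress.ip_address(server_ip):
        return None
    if port < 1024:
        return None
    # 'setup keep-state' lets ipfw track the flow and expire it on its own,
    # so the helper need only add the rule, not remove it (assumed syntax).
    return (f"ipfw add {rule_no} allow tcp from {client_ip} to {server_ip} "
            f"{port} setup keep-state")


if __name__ == "__main__":
    print(data_rule(PASV_OK, "203.0.113.5", "192.0.2.10"))
```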