Date:      Fri, 18 May 2007 10:56:39 +0200
From:      Volker <volker@vwsoft.com>
To:        dmehler26@woh.rr.com
Cc:        freebsd-pf@freebsd.org
Subject:   Re: ftp, pf, passive ftp and fetch
Message-ID:  <464D6A47.10706@vwsoft.com>

>     I'm trying to get ftp working from behind a pf firewall. I'm using pftpx
> on FreeBSD 6.2 for this. I believe I have passive working; one of my Windows
> boxes goes passive and dies on active. I've got three questions. First,
> portupgrade uses fetch for retrieval, correct? If so, I want it to use the -p
> (passive option) by default whenever it tries an ftp url. Second, for ncftp I'd
> like to specify that it should use passive mode connections by default as
> well. Last, is active or passive ftp better in terms of security strictly
> from a firewall perspective? I know the protocol isn't secure. If active ftp
> is better than passive, does anyone have a ruleset with it? I'm using a block
> by default ruleset.

Dave,

Greg already gave you some good answers, which I will not repeat.

The question about passive / active being more secure is nonsense.
I'm still using ftp-proxy and I think it should be easily (and cleverly)
possible to drive active ftp through pf. As ftp-proxy is running as
user 'proxy', I'm using a rule similar to:

pass in log quick on $ext_if proto tcp from any to ($ext_if) user "proxy" flags S/SA keep state

in my ruleset (just made it that way last week). I still haven't
checked active ftp out but I think this will also work for active ftp
connections. You just need to also pass traffic in on $int_if for port
8021 (or whatever port your ftp proxy is listening on) and traffic out
on $ext_if to port 21.

HTH

Volker
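The rules described in this thread, pulled together into one block-by-default pf.conf fragment. This is an added illustration, not a ruleset from either poster; it assumes a pftpx-style ftp-proxy listening on 127.0.0.1 port 8021 and running as user "proxy", and the interface and network names are placeholders.

```pf
# Added illustration, not from the original thread. Assumes pftpx/ftp-proxy
# listens on 127.0.0.1:8021 and runs as user "proxy"; interface and LAN
# values below are placeholders for the local setup.
ext_if  = "em0"              # assumed external interface
int_if  = "em1"              # assumed internal interface
int_net = "192.168.1.0/24"   # assumed LAN behind pf

set skip on lo0

# pftpx/ftp-proxy installs its per-session nat/rdr/pass rules into these
# anchors, so the data connections it negotiates are opened only as needed.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand LAN clients' FTP control connections (port 21) to the local proxy.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Outbound NAT for everything else from the LAN.
nat on $ext_if from $int_net to any -> ($ext_if)

anchor "ftp-proxy/*"

# Block by default and log what is dropped.
block log all

# 1. Clients reaching the proxy's listening port on the inside interface
#    (filtering sees the translated destination, hence 127.0.0.1:8021).
pass in quick on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 \
    flags S/SA keep state

# 2. The proxy's own control connections out to remote FTP servers.
pass out quick on $ext_if proto tcp from ($ext_if) to any port 21 \
    user proxy flags S/SA keep state

# 3. Active-mode data connections: the remote server connects back to a
#    port the proxy opened, so match on the socket owner instead of a port.
pass in log quick on $ext_if proto tcp from any to ($ext_if) \
    user proxy flags S/SA keep state

# Ordinary LAN traffic leaves statefully.
pass out quick on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sa -a "ftp-proxy/*"` shows the rules the proxy adds per session.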
