From owner-freebsd-questions Mon Mar 12 19:50:03 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from grumpy.dyndns.org (user-24-214-76-236.knology.net [24.214.76.236]) by hub.freebsd.org (Postfix) with ESMTP id 3A3E937B71C for ; Mon, 12 Mar 2001 19:49:58 -0800 (PST) (envelope-from dkelly@grumpy.dyndns.org)
Received: from localhost (localhost [127.0.0.1]) by grumpy.dyndns.org (8.11.2/8.11.2) with ESMTP id f2D3nLe08422; Mon, 12 Mar 2001 21:49:21 -0600 (CST) (envelope-from dkelly@grumpy.dyndns.org)
Message-Id: <200103130349.f2D3nLe08422@grumpy.dyndns.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Tony Landells
Cc: "Magdalinin Kirill" , kstewart@urx.com, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules for incoming passive mode ftp connections
In-Reply-To: Message from Tony Landells of "Tue, 13 Mar 2001 12:51:39 +1100." <200103130151.MAA15026@tungsten.austclear.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 12 Mar 2001 21:49:21 -0600
From: David Kelly
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Tony Landells writes:
> dkelly@hiwaay.net said:
> > This is an example of where the expensive commercial firewalls shine
> > as a good one is smart enough to know ftp and see the exchange
> > specifying the expected incoming ftp data connection to open it for
> > the duration and close on completion. Seems like something that would
> > be very doable in ipfirewall with a small simple helper application.
> > Suspect that is exactly what the authors had in mind with
> > ipfirewall(4) and #include
>
> The other option is to have something in ipfw similar to the
> "keep state" stuff but where you can specify a template for
> the dynamic rules using variables to refer to the source and
> destination IPs (and maybe port numbers).

That's along the lines of what I was thinking. The problem is "incoming passive ftp".
So ftpd has just told the remote client what port to connect back for the data? If ftpd is running as root then it could insert a dynamic state rule into ipfirewall which would disappear when the connection is dropped.

Rather than hack on ftpd one could write a daemon to watch all outgoing traffic on port 21 (divert sockets?) and insert the dynamic rule based on the observed ftp exchange. This solution would work for an ipfw gateway where the ftp server was not on the same host.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system.
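As an added example (not part of any message in this thread), the core of the helper daemon sketched above: parse the server's "227 Entering Passive Mode" reply seen on the port 21 control channel and build the single stateful ipfw rule that admits only the announced data connection, refusing replies that name a different host or a privileged port. The rule number, addresses and sample replies are constructed assumptions; a real daemon would hand the command to ipfw(8), and with "keep-state" the dynamic entry goes away once the session is gone.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    port = (octets[4] << 8) | octets[5]
    if port < 1024:  # a data port must be unprivileged; refuse anything else
        return None
    return host, port

def pasv_to_ipfw(reply, server_ip, client_ip, rule_no=1000):
    """ipfw command admitting exactly the announced data connection, or None.

    "setup keep-state" makes the rule cover one TCP session whose dynamic entry
    expires when the connection is gone, which is what the thread asks for.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    host, port = parsed
    # Open only what the server itself announced; a reply naming some other
    # address must not punch a hole toward a third host.
    if host != server_ip:
        return None
    return (f"ipfw add {rule_no} allow tcp from {client_ip} to {server_ip} {port} "
            "in setup keep-state")

def scan_control_channel(lines, server_ip, client_ip):
    """Run over server->client control-channel lines; collect rules to insert."""
    return [r for r in (pasv_to_ipfw(l, server_ip, client_ip) for l in lines) if r]

# Constructed sample of the server side of a control session (not a real capture).
SAMPLE_REPLIES = [
    "220 grumpy FTP server ready.",
    "227 Entering Passive Mode (192,168,1,10,19,136)",  # 19*256+136 = port 5000
    "150 Opening BINARY mode data connection.",
    "227 Entering Passive Mode (10,9,8,7,19,137)",  # names another host: ignored
]
RULES = scan_control_channel(SAMPLE_REPLIES, "192.168.1.10", "10.0.0.5")
```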