Date: Mon, 12 Mar 2001 19:59:42 -0800
From: Kent Stewart <kstewart@urx.com>
To: David Kelly <dkelly@grumpy.dyndns.org>
Cc: Tony Landells <ahl@austclear.com.au>, Magdalinin Kirill <bsdforumen@hotmail.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules for incoming passive mode ftp connections
Message-ID: <3AAD9B2E.E755010B@urx.com>
References: <200103130349.f2D3nLe08422@grumpy.dyndns.org>
David Kelly wrote:
>
> Tony Landells writes:
> > dkelly@hiwaay.net said:
> > > This is an example of where the expensive commercial firewalls shine
> > > as a good one is smart enough to know ftp and see the exchange
> > > specifying the expected incoming ftp data connection to open it for
> > > the duration and close on completion. Seems like something that would
> > > be very doable in ipfirewall with a small simple helper application.
> > > Suspect that is exactly what the authors had in mind with
> > > ipfirewall(4) and #include <netinet/ip_fw.h>
> >
> > The other option is to have something in ipfw similar to the
> > "keep state" stuff but where you can specify a template for
> > the dynamic rules using variables to refer to the source and
> > destination IPs (and maybe port numbers).
>
> That's along the lines of what I was thinking. The problem is "incoming
> passive ftp". So ftpd has just told the remote client what port to
> connect back for the data? If ftpd is running as root then it could
> insert a dynamic state rule into ipfirewall which would disappear when
> the connection is dropped.
>
> Rather than hack on ftpd one could write a daemon to watch all outgoing
> traffic on port 21 (divert sockets?) and insert the dynamic rule based
> on the observed ftp exchange. This solution would work for an ipfw
> gateway where the ftp server was not on the same host.

If you have a passive ftpd setup, how do you control what port something
like a Windows ftp client can use with ipfw? The range I am seeing is way
beyond what is suggested, and you know that people are going to blame the
FreeBSD ftp server when they get the terrible response that produces.

Kent

>
> --
> David Kelly N4HHE, dkelly@hiwaay.net
> =====================================================================
> The human mind ordinarily operates at only ten percent of its
> capacity -- the rest is overhead for the operating system.
--
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html

FreeBSD News http://daily.daemonnews.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
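The helper approach David describes (watch the control channel, derive the expected data port from the server's reply, admit that one connection) and Kent's concern about clients landing on ports far outside the expected range both reduce to the same small piece of logic. The following is an added example written for this thread, not code from either poster or from FreeBSD: it parses the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, rejects malformed replies, refuses ports outside an operator-chosen range, and renders a one-connection ipfw rule. The rule template (`allow tcp ... in setup keep-state`), the rule numbers, the 49152-65535 range and the sample replies are assumptions chosen for illustration; nothing here actually invokes ipfw.

```python
import re
import ipaddress

# Constructed sample control-channel replies (not captured from a real session).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,89)",   # port 50009, in range
    "227 Entering Passive Mode (192,0,2,10,4,21)",     # port 1045, below range
    "150 Opening BINARY mode data connection",         # not a PASV reply
    "227 Entering Passive Mode (192,0,2,10,300,1)",    # malformed: field > 255
]

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (host, port) from a 227 PASV reply, or None if the line is not
    a well-formed PASV reply. Port is p1*256 + p2 per the FTP convention."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return host, port


def ipfw_rule_for(host, port, rule_number, allowed_range=(49152, 65535)):
    """Build the ipfw command admitting one inbound data connection, or None
    when the announced port lies outside the range the operator permits."""
    lo, hi = allowed_range
    if not (lo <= port <= hi):
        return None
    ipaddress.IPv4Address(host)  # raises ValueError on a garbage address
    # Hypothetical rule template: 'in setup' matches only the initial SYN to
    # that port and 'keep-state' tracks the rest of the flow dynamically.
    return (f"ipfw add {rule_number} allow tcp from any to {host} {port} "
            f"in setup keep-state")


def process_replies(lines, allowed_range=(49152, 65535), first_rule=1000):
    """Walk observed server replies; return (rules to install, rejected ports)."""
    accepted, rejected = [], []
    rule = first_rule
    for line in lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        cmd = ipfw_rule_for(host, port, rule, allowed_range)
        if cmd is None:
            rejected.append((host, port))
        else:
            accepted.append(cmd)
            rule += 1
    return accepted, rejected


if __name__ == "__main__":
    rules, bad = process_replies(SAMPLE_REPLIES)
    for r in rules:
        print("would run:", r)
    for host, port in bad:
        print(f"refused: {host}:{port} outside permitted passive range")
```

The rejected list is the interesting output for Kent's question: logging it shows which clients (or which server configuration) are producing ports outside the range the firewall is willing to open, which is the evidence needed before blaming ftpd. A real daemon would feed `process_replies` from the divert socket David mentions and run the accepted commands with a rule lifetime matching the data connection.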