Date: Mon, 14 Feb 2005 10:05:34 +0100
From: "Andrew Seguin" <asegu@borgtech.ca>
To: <freebsd-ipfw@freebsd.org>
Cc: 'Giulio Ferro' <auryn@zirakzigil.org>
Subject: RE: ftp, cvsup, etc...
Message-ID: <20050214091207.1F67954AB@borgtech.ca>
In-Reply-To: <42105E0F.30204@zirakzigil.org>
> -----Original Message-----
> From: Giulio Ferro
> Subject: ftp, cvsup, etc...
>
> Hasn't anybody thought yet of a way to manage those protocols which
> dynamically open more passive connections when the first connection
> is established, like ftp or cvsup.
> Now you are forced to keep high ports open (let's say 20000-65535) to
> allow for dynamic connections, but I think that is a less than optimal
> solution.
> It would be great if ipfw actually "understood" those protocols and opened up
> ports as need requires.

I'm far from an expert, so I don't really know about any solution to this.
I agree that it would be "nice", but at the same time, would it be possible?
IPFW works at layers 2/3, correct? And for this, it would require something
like layer 7 protocol analysis? That seems like something that would require
a greater amount of work for ipfw.

> A linked question is: doesn't anybody else think that protocol inspection
> would be a very desirable feature in ipfw? Maybe together with a virus
> scan for client-side code (activex, plugin, applet, etc...)

Maybe what is needed rather is a separate daemon running, and then in IPFW
one could add a divert rule to this application layer firewall after initial
filtering, somewhat like natd? I would be quite interested in such a
feature/program if anybody knows of one which is free.

Andrew

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.7 - Release Date: 2/10/2005
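The thread asks for a firewall that "understands" FTP well enough to open only the data port each session actually negotiates, instead of a static 20000-65535 range. The core of such an application-layer helper is small: watch the control channel, parse the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply or the client's `PORT` command, compute `p1*256+p2`, and only then admit that one connection. The block below is an added illustration written for this page, not code from the thread, from ipfw, or from natd. The FTP control-channel lines are constructed, and the policy choices (refusing privileged ports, refusing a PASV address that differs from the server actually being spoken to, which blocks a classic way to abuse such pinholes) are assumptions of the example. The rule strings it emits use ipfw's `allow tcp from ... to ... <port> setup` syntax only as a rendering of what a divert daemon would have to install; the numbering scheme is hypothetical.

```python
import re

# Constructed FTP control-channel exchange (client lines have no numeric code,
# server lines do). Not taken from the original message.
SAMPLE_CONTROL_CHANNEL = [
    "220 example FTP server ready",
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (192,168,1,10,195,80).",   # 195*256+80 = 50000
    "PORT 10,0,0,5,4,1",                                  # 4*256+1 = 1025
    "200 PORT command successful.",
    "227 Entering Passive Mode (203,0,113,9,195,81).",    # address != server: refuse
]

# h1,h2,h3,h4,p1,p2 as used by both PASV replies and PORT commands (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text, min_port=1024):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if malformed
    or if the port is privileged (assumed policy: never pinhole ports < min_port)."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(x > 255 for x in parts):
        return None
    h1, h2, h3, h4, p1, p2 = parts
    port = p1 * 256 + p2
    if port < min_port:
        return None
    return (f"{h1}.{h2}.{h3}.{h4}", port)

def pinholes_for_session(lines, client_ip, server_ip):
    """Walk one control session and list the data connections a protocol-aware
    firewall should admit. Each entry: (mode, src_ip, dst_ip, dst_port).

    Passive: client connects to the server at the advertised port; the advertised
    address must be the server we are already talking to.
    Active:  server connects back to the client at the advertised port; the
    advertised address must be the client itself."""
    holes = []
    for line in lines:
        if line.startswith("227 "):
            hp = parse_hostport(line)
            if hp and hp[0] == server_ip:
                holes.append(("pasv", client_ip, hp[0], hp[1]))
        elif line.upper().startswith("PORT "):
            hp = parse_hostport(line)
            if hp and hp[0] == client_ip:
                holes.append(("active", server_ip, hp[0], hp[1]))
    return holes

def render_ipfw_rules(holes, base=10000):
    """Render pinholes as one ipfw rule each (hypothetical numbering from `base`).
    Each rule admits only the SYN of the single negotiated data connection."""
    return [
        f"ipfw add {base + i} allow tcp from {src} to {dst} {port} setup"
        for i, (_mode, src, dst, port) in enumerate(holes)
    ]

if __name__ == "__main__":
    holes = pinholes_for_session(SAMPLE_CONTROL_CHANNEL, "10.0.0.5", "192.168.1.10")
    for rule in render_ipfw_rules(holes):
        print(rule)
```

Running the sample produces two rules: one for the passive data port 50000 on the server and one for the active-mode port 1025 on the client. The third `227` reply names an address other than the server the session is with, so it yields no rule at all, which is the property the static high-port range cannot give you.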