Date: Fri, 13 Apr 2001 00:00:40 +0200 (CEST)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: Kirk Strauser <kirk@strauser.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Beating a dead horse - ipfw and FTP
Message-ID: <200104122200.AAA75489@info.iet.unipi.it>
In-Reply-To: <87bsq1hjc5.fsf@pooh.honeypot> from Kirk Strauser at "Apr 12, 2001 04:57:46 pm"
> At 2001-04-12T19:16:23Z, Luigi Rizzo <luigi@info.iet.unipi.it> writes:
>
> > we have stateful ipfw and passive ftp -- the combination of the two should
> > give you the protection that you want. Am I wrong?
>
> Unfortunately, yes. The annoying part is that there is no way to tell what
> port the FTP server will want you to connect to ahead of time:
>
> 1. Connect from client to server port 21
> 2. Ask the server what port to connect to for data transmission
> 3. Connect from client port 20 to the specified port on the server

So set a dynamic rule on the server which lets in connections from port 20 on the client side.

cheers
luigi

> The old style was even worse:
>
> 1. Connect from client to server port 21
> 2. Connect from server to client port 20
>
> So, there's no way to know what port to open (for step 3 of the first
> listing) in advance.
> --
> Kirk Strauser
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104122200.AAA75489>
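Added example, not part of the thread and not code from Luigi, Kirk or the FreeBSD project: a stateful ipfw rule set of the kind the reply points at, using check-state and keep-state so that each allowed inbound SYN opens a dynamic rule for that one TCP session. The server address (192.0.2.10, a documentation address) and the passive port range 49152-49999 are hypothetical; the daemon has to be configured to announce the same range in its 227 replies, and that daemon-side setting is not shown. One design caveat: a rule that keys on the client's source port 20, as in the step quoted above, matches on a value the remote peer chooses for itself, so this example instead bounds inbound data connections by the server's own passive range (rule 210) and keeps the source-port-20 rule for the server's outbound, active-mode connections (rule 220). The helper at the end decodes a constructed 227 reply and checks whether rule 210 would admit the data port it announces.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw rules for an FTP server
# that serves passive-mode data connections.
#
# Assumptions (hypothetical values, adjust to your host):
#   FTP_SERVER  the server's address (192.0.2.10 is a documentation address)
#   PASV_LO/HI  the passive port range the FTP daemon is configured to
#               announce in its 227 replies (daemon-specific setting, not shown)
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"
PASV_LO="${PASV_LO:-49152}"
PASV_HI="${PASV_HI:-49999}"

# Emit the rules. check-state matches packets against the dynamic rules that
# keep-state created, so an inbound SYN (setup) allowed by 200 or 210 opens a
# dynamic rule covering the rest of that TCP session and nothing else.
# Anything not matched here falls through to the firewall's default rule.
ipfw_ftp_rules() {
    cat <<EOF
ipfw add 100 check-state
ipfw add 200 allow tcp from any to ${FTP_SERVER} 21 in setup keep-state
ipfw add 210 allow tcp from any to ${FTP_SERVER} ${PASV_LO}-${PASV_HI} in setup keep-state
ipfw add 220 allow tcp from ${FTP_SERVER} 20 to any out setup keep-state
ipfw add 300 deny tcp from any to ${FTP_SERVER} in setup
EOF
}

# Decode the port from a PASV reply such as
# "227 Entering Passive Mode (192,0,2,10,193,104)": port = p1*256 + p2.
# Returns 1 (and prints nothing) if the line carries no host/port tuple.
pasv_port() {
    set -- $(printf '%s\n' "$1" | sed -n \
        's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\5 \6/p')
    [ $# -eq 2 ] || return 1
    echo $(( $1 * 256 + $2 ))
}

# Would rule 210 above admit a data connection to this port?
port_allowed() {
    [ "$1" -ge "$PASV_LO" ] && [ "$1" -le "$PASV_HI" ]
}

# Usage: print the rules, then check one constructed 227 reply against them.
ipfw_ftp_rules
p=$(pasv_port '227 Entering Passive Mode (192,0,2,10,193,104)') && port_allowed "$p" \
    && echo "data port $p is inside the passive range" \
    || echo "data port outside the passive range: check the daemon's PASV setting"
```

The rules only mean something if the firewall's default rule denies, since rule 300 blocks new inbound connections to the server but everything else falls through. If the daemon's configured passive range and PASV_LO/PASV_HI disagree, clients will receive the 227 reply and then hang on the data connection; the pasv_port/port_allowed check is the quick way to confirm the two agree before trusting the rule set.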