> I'm trying to get ftp working from behind a pf firewall. I'm using pftpx on FreeBSD 6.2 for this. I believe I have passive working; one of my Windows boxes goes passive and dies on active. I've got three questions. First, portupgrade uses fetch for retrieval, correct? If so, I want it to use the -p (passive) option by default whenever it tries an ftp URL. Second, for ncftp I'd like to specify that it should use passive-mode connections by default as well. Last, is active or passive ftp better in terms of security strictly from a firewall perspective? I know the protocol isn't secure. If active ftp is better than passive, does anyone have a ruleset with it? I'm using a block-by-default ruleset.
Dave,

Greg already gave you some good answers, which I will not repeat. The question about passive / active being more secure is nonsense.

I'm still using ftp-proxy and I think it should be easily (and cleverly) possible to drive active ftp through pf. As ftp-proxy is running as user 'proxy', I'm using a rule similar to:

    pass in log quick on $ext_if from any to ($ext_if) user "proxy" flags "S/SA" keep state

in my ruleset (just made it that way last week). I still haven't checked active ftp out, but I think this will also work for active ftp connections. You just need to also pass traffic in on $int_if for port 8021 (or whatever port your ftp proxy is listening on) and traffic out on $ext_if to port 21.

HTH
Volker

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
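The block-by-default ruleset Volker sketches, written out as an added example (not from the thread or from FreeBSD's own documentation) for the FreeBSD 6.x inetd-launched ftp-proxy on port 8021; the interface names and internal network are assumptions, and the proxy's data legs are matched on socket owner ("proxy") instead of port numbers, which is what lets both active and passive transfers pass without opening port ranges:

```pf
# Assumed interfaces and internal network (not from the thread).
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

set skip on lo0

# Send internal clients' FTP control connections to the local ftp-proxy
# (inetd, port 8021, as mentioned in the thread).
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Block by default.
block log all

# Control channel: client to proxy on the inside, proxy out to the server on 21.
pass in  quick on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 \
    flags S/SA keep state
pass out quick on $ext_if proto tcp from ($ext_if) to any port 21 \
    user "proxy" flags S/SA keep state

# Data channel on the outside, keyed on the socket owner:
#  - active mode: the server connects back in to a port the proxy listens on
#  - passive mode: the proxy connects out to the port the server announced
pass in  log quick on $ext_if proto tcp from any to ($ext_if) \
    user "proxy" flags S/SA keep state
pass out quick on $ext_if proto tcp from ($ext_if) to any \
    user "proxy" flags S/SA keep state

# Data channel on the inside for active transfers: the proxy connects to the
# port the internal client announced in its PORT command.
pass out quick on $int_if proto tcp from any to $int_net \
    user "proxy" flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and use `pfctl -ss` during a transfer to confirm the data states are created by the "proxy"-owned rules rather than by any broad port-range rule.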