Andrew Thomson writes:

Any suggestions would be great.

I have a restrictive ipfw ruleset that works great. It only allows
incoming connections that I allow and outgoing connections I allow. I have
a list of ports that I let my users go out on: 80, 22, 143, 443, etc.


All the stuff they might need to do.

How can I handle passive FTP though?

I can let 21 out, but when the remote FTP server says use this x high
port, I block that because it's not in my list. So what can I do to get
around this?


Not totally familiar with it, but is this what fw_punch is for within
NAT?



Personally, I have a pair of rules something similar to the following:


ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup in via ${iif}
ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup out via ${oif}


This is quite wide, but ensures that only outbound connections on the high port numbers are permitted, both on the source and the destination ends of the connection.

Perhaps some real experts will give you a more definitive answer...

Patrick.
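As an added illustration (not from the thread or from ipfw itself), here is a small Python model of why a fixed port list blocks passive FTP data connections and how a high-port "setup" rule like the pair above admits them: it parses the server's 227 reply, computes the announced data port and checks it against both rules. The server address, ports and reply strings are constructed for the example.

```python
import re

# Outbound destination ports from the poster's allow list (plus 21 for FTP control).
ALLOWED_OUT_PORTS = {21, 22, 80, 143, 443}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as sent by the FTP server.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) announced by a 227 passive-mode reply.

    The data port is p1 * 256 + p2; every field must fit in one byte.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def allowed_by_port_list(dst_port: int) -> bool:
    """The restrictive rule: only listed destination ports may go out."""
    return dst_port in ALLOWED_OUT_PORTS


def allowed_by_high_port_setup(src_port: int, dst_port: int, syn_only: bool = True) -> bool:
    """Model of 'allow tcp from inside 1024-65535 to any 1024-65535 setup':
    only the connection-opening SYN is matched, and both ends must be high ports."""
    return syn_only and 1024 <= src_port <= 65535 and 1024 <= dst_port <= 65535


def passive_data_connection_allowed(reply: str, client_port: int = 40123) -> bool:
    """Would the client's data connection to the announced port pass either rule?"""
    _host, port = parse_pasv(reply)
    return allowed_by_port_list(port) or allowed_by_high_port_setup(client_port, port)


if __name__ == "__main__":
    # Constructed replies: a normal high port, and a server announcing a low port.
    for reply in ("227 Entering Passive Mode (192,0,2,10,195,80)",
                  "227 Entering Passive Mode (192,0,2,10,3,232)"):
        host, port = parse_pasv(reply)
        print(host, port, "port list:", allowed_by_port_list(port),
              "high-port setup:", passive_data_connection_allowed(reply))
```

A server that announces a port below 1024 is still refused by the high-port rule, which is the point of bounding both ends rather than allowing "any to any".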
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"