Read man info carefully. The fw_punch IPFW command opens up more
things than just FTP. There is no way just to activate the FTP part. The
other things become a security problem. The fw_punch command is a
very poorly designed command and should have never been allowed into
IPFW as it currently is. User beware. Best solution is to make
and publish to all users of your environment that passive FTP is the
only FTP method allowed to be used per security, and be done with
it.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bill Moran
Sent: Tuesday, June 17, 2003 9:08 AM
To: Andrew Thomson
Cc: [EMAIL PROTECTED]
Subject: Re: restrictive ipfw ruleset and ftp

Andrew Thomson wrote:
> any suggestions would be great.
>
> i have a restrictive ipfw ruleset that works great.. it only allows
> incoming connections that i allow and outgoing connections allow. i have
> a list of ports that i let my users go out on: 80, 22, 143, 443 etc
> etc..
>
> All the stuff they might need to do.
>
> how can i handle passive ftp though?
>
> i can let 21 out, but when the remote ftp server says use this x high
> port.. i block that because it's not in my list. so what can i do to get
> around this..
>
> not totally familiar with it, but is this what fw_punch is for within
> nat??

That's what it's designed for.  I've never used it so I can't verify how
well it works.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

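As an added illustration (not part of this thread) of the problem Andrew describes: in passive mode the server announces the data port inside a 227 reply on the control channel, so no static list of outbound ports can cover it. The script below parses that reply and shows the two checks a narrowly scoped FTP helper should make before opening one short-lived outbound hole: the announced address must match the control-connection peer, and the port must be unprivileged. The addresses and reply lines are constructed, and the ipfw rule text is illustrative output; nothing here describes what natd's fw_punch actually emits.

```python
import re

# Constructed control-channel replies, as a client behind the firewall would see them.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80).",   # legitimate: 195*256+80 = 50000
    "227 Entering Passive Mode (198,51,100,7,4,1).",    # address differs from control peer
    "227 Entering Passive Mode (192,0,2,10,0,80).",     # privileged port 80: refuse
    "220 Service ready",                                # not a PASV reply at all
]

# RFC 959 form: 227 <text> (h1,h2,h3,h4,p1,p2); the port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line):
    """Return (host, port) announced by a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed reply; never open anything on garbage input
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_rule(client_ip, server_ip, reply, rule_number=1000):
    """Decide whether a single outbound data-channel hole may be opened.

    Returns (rule_text, reason). rule_text is an ipfw 'add' line for exactly one
    client/server/port triple, or None when the reply must not be honoured.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None, "not a PASV reply"
    host, port = parsed
    if host != server_ip:
        return None, "announced address is not the control-connection peer"
    if port < 1024:
        return None, "announced port is privileged"
    rule = (f"ipfw add {rule_number} allow tcp from {client_ip} "
            f"to {server_ip} {port} setup keep-state")
    return rule, "ok"


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        rule, reason = data_channel_rule("10.0.0.5", "192.0.2.10", reply)
        print(f"{reply!r:50} -> {reason}" + (f"\n    {rule}" if rule else ""))
```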
