Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.netspace.net.au!news.mel.connect.com.au!news.syd.connect.com.au!news.bri.connect.com.au!fjholden.OntheNet.com.au!corolla.OntheNet.com.au!not-for-mail
From: Tony Griffiths <tonyg@OntheNet.com.au>
Newsgroups: comp.security.firewalls,comp.unix.admin,comp.security.unix,comp.unix.bsd.freebsd.misc
Subject: Re: ipfw question
Date: Tue, 29 Apr 1997 16:52:18 +1000
Organization: On the Net (ISP on the Gold Coast, Australia)
Lines: 25
Message-ID: <33659AA2.3ADE@OntheNet.com.au>
References: <336270A6.1323@intervista.com>
Reply-To: tonyg@OntheNet.com.au
NNTP-Posting-Host: swanee.nt.com.au
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.0 (WinNT; I)
To: dwlewis@intervista.com
Xref: euryale.cc.adfa.oz.au comp.security.firewalls:7482 comp.unix.admin:57484 comp.security.unix:34108 comp.unix.bsd.freebsd.misc:39894

David Lewis wrote:
>
> How do I include a rule that will allow the above establishment without
> permitting every damn packet through?

You don't!!!

> Normally the first outgoing rule
> (405 above) combined with the established rule (460 above) would allow
> connections through that were established from behind the firewall. In
> this case, however, the remote machine is opening a NEW connection which
> I am denying.
>
> BTW, this is NOT a problem for incoming ftp because I'm explicitly
> allowing port 21 (the ftp port) into the target machines, and the
> outgoing rule (405 above) is already in place.

Basically, if you open up the reverse connection then you are compromising
your firewall. As another reply specified, you need to inform all ftp users
to use "passive" mode transfers. Apart from the -p switch, there is also a
"passive" command.

Tony
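The following is an added illustration, not part of Tony's reply or of David's actual rule set. It models a first-match packet filter in the spirit of ipfw and evaluates the flows the thread talks about: a passive-mode data connection opened from behind the firewall (admitted by the outgoing rule), its return traffic (admitted by the established rule), an active-mode data connection the remote server opens back to the client (a new inbound connection, so denied), and what happens once a rule is added to "open up the reverse connection". Rule numbers 405 and 460 follow the thread; rule 500 (inbound to port 21), rule 450, the port numbers and the packets are constructed for the example.

```python
"""Toy first-match packet filter in the spirit of ipfw (added example).

It shows why an "established" rule cannot admit an active-mode FTP data
connection, and why a rule admitting the reverse connection is over-broad:
it admits every new inbound connection that merely claims source port 20.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected network
    src_port: int
    dst_port: int
    syn_only: bool      # True for the first packet of a new TCP connection


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    established: bool = False       # match only packets of an existing connection

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.src_port is not None and self.src_port != p.src_port:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.established and p.syn_only:
            return False
        return True


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins, lowest number first; nothing matching means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(packet):
            return rule.action, rule.number
    return "deny", None


# Rule numbers 405 and 460 come from the thread; 500 and 65535 are constructed.
BASE_RULES = [
    Rule(405, "allow", direction="out"),                 # anything originating inside
    Rule(460, "allow", established=True),                # replies to existing connections
    Rule(500, "allow", direction="in", dst_port=21),     # FTP control port into the targets
    Rule(65535, "deny"),                                 # everything else
]

# The "open up the reverse connection" rule the thread warns against (constructed).
REVERSE_RULE = Rule(450, "allow", direction="in", src_port=20)

# Constructed flows (all port numbers are illustrative).
PASSIVE_DATA = Packet("out", 40001, 50123, syn_only=True)   # client opens data conn to server's PASV port
PASSIVE_REPLY = Packet("in", 50123, 40001, syn_only=False)  # server's reply on that connection
ACTIVE_DATA = Packet("in", 20, 40002, syn_only=True)        # server opens data conn back to client's PORT
ANY_FROM_20 = Packet("in", 20, 1234, syn_only=True)         # unrelated new inbound conn claiming source port 20


def demo() -> dict:
    """Evaluate each flow against the base rules and against the opened-up rules."""
    opened = BASE_RULES + [REVERSE_RULE]
    return {
        "passive_data": evaluate(BASE_RULES, PASSIVE_DATA),     # allowed by 405
        "passive_reply": evaluate(BASE_RULES, PASSIVE_REPLY),   # allowed by 460
        "active_data": evaluate(BASE_RULES, ACTIVE_DATA),       # new inbound SYN: denied
        "active_data_opened": evaluate(opened, ACTIVE_DATA),    # now allowed by 450 ...
        "any_from_20_opened": evaluate(opened, ANY_FROM_20),    # ... and so is anything else from port 20
    }


if __name__ == "__main__":
    for name, (action, number) in demo().items():
        print(f"{name:20s} -> {action} (rule {number})")
```

The passive-mode flows pass on the existing outgoing and established rules alone, which is the whole point of telling users to set passive mode (the `-p` switch or the `passive` command in the client); the reverse-connection rule that would be needed for active mode admits every new inbound connection whose source port is 20, not just FTP data.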