*BSD News Article 94628



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.netspace.net.au!news.mel.connect.com.au!news.syd.connect.com.au!news.bri.connect.com.au!fjholden.OntheNet.com.au!corolla.OntheNet.com.au!not-for-mail
From: Tony Griffiths <tonyg@OntheNet.com.au>
Newsgroups: comp.security.firewalls,comp.unix.admin,comp.security.unix,comp.unix.bsd.freebsd.misc
Subject: Re: ipfw question
Date: Tue, 29 Apr 1997 16:52:18 +1000
Organization: On the Net (ISP on the Gold Coast, Australia)
Lines: 25
Message-ID: <33659AA2.3ADE@OntheNet.com.au>
References: <336270A6.1323@intervista.com>
Reply-To: tonyg@OntheNet.com.au
NNTP-Posting-Host: swanee.nt.com.au
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.0 (WinNT; I)
To: dwlewis@intervista.com
Xref: euryale.cc.adfa.oz.au comp.security.firewalls:7482 comp.unix.admin:57484 comp.security.unix:34108 comp.unix.bsd.freebsd.misc:39894

David Lewis wrote:
> 
> How do I include a rule that will allow the above establishment without
> permitting every damn packet through?

You don't!!!

>  Normally the first outgoing rule
> (405 above) combined with the established rule (460 above) would allow
> connections through that were established from behind the firewall.  In
> this case, however, the remote machine is opening a NEW connection which
> I am denying.
> 
> BTW, this is NOT a problem for incoming ftp because I'm explicitly
> allowing port 21 (the ftp port) into the target machines, and the
> outgoing rule (405 above) is already in place.

Basically, if you open up the reverse connection then you are
compromising your firewall.

As another reply specified, you need to inform all ftp users to use
"passive" mode transfers.  Apart from the -p switch, there is also a
"passive" command.

Tony
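The active/passive distinction discussed above, as an added example that is not part of the original post: a small first-match model of the rules the question refers to (405 outgoing, 460 established, then ipfw's default deny), run over the TCP flows each FTP mode produces. The inside network, addresses and port numbers are constructed.

```python
"""Why a stateless ipfw ruleset with an 'established' rule blocks
active-mode FTP data connections but passes passive mode.
Added example: rule numbers 405/460 follow the thread, 65535 is
ipfw's default rule; addresses, ports and INSIDE_NET are constructed."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."          # constructed: hosts behind the firewall
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # constructed addresses


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False           # 'established' in ipfw matches ACK (or RST) set


def inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)


def ipfw_verdict(p: Packet) -> tuple[int, str]:
    """First matching rule wins, as in ipfw. Returns (rule number, action)."""
    # 405: allow tcp from inside hosts out to anywhere (new connections from behind the firewall)
    if inside(p.src) and not inside(p.dst):
        return 405, "allow"
    # 460: allow tcp from any to any established (replies to those connections)
    if p.ack:
        return 460, "allow"
    # 65535: default deny; this is what catches a bare SYN arriving from outside
    return 65535, "deny"


def active_mode_flows() -> dict:
    """Active FTP: client sends PORT, the server opens a NEW connection back from tcp/20."""
    control = Packet(CLIENT, 40001, SERVER, 21, syn=True)
    data_syn = Packet(SERVER, 20, CLIENT, 40002, syn=True)      # server-initiated
    return {"control": ipfw_verdict(control), "data": ipfw_verdict(data_syn)}


def passive_mode_flows() -> dict:
    """Passive FTP: server answers PASV with a port, the client connects out to it."""
    control = Packet(CLIENT, 40001, SERVER, 21, syn=True)
    data_syn = Packet(CLIENT, 40003, SERVER, 51234, syn=True)   # client-initiated
    data_reply = Packet(SERVER, 51234, CLIENT, 40003, syn=True, ack=True)
    return {"control": ipfw_verdict(control), "data": ipfw_verdict(data_syn),
            "reply": ipfw_verdict(data_reply)}
```

Only the active-mode data SYN reaches the default deny; every passive-mode packet is matched by 405 or 460 without adding any rule, which is the point of telling users to switch to passive transfers.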