restrictive ipfw ruleset and ftp

bsd at perimeter.co.za
Tue Jun 17 05:36:57 PDT 2003


Andrew Thomson writes: 

> Any suggestions would be great. 
> 
> I have a restrictive ipfw ruleset that works great. It only allows
> incoming connections that I allow and outgoing connections I allow. I have
> a list of ports that I let my users go out on: 80, 22, 143, 443 etc.
> etc. 
> 
> All the stuff they might need to do. 
> 
> How can I handle passive ftp though? 
> 
> I can let 21 out, but when the remote ftp server says use this x high
> port, I block that because it's not in my list. So what can I do to get
> around this? 
> 
> Not totally familiar with it, but is this what fw_punch is for within
> nat?? 
> 

Personally, I have a pair of rules something similar to the following: 

ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup in via ${iif}
ipfw add {n} allow tcp from ${inet}:${imask} 1024-65535 to any 1024-65535 setup out via ${oif}

This is quite wide, but ensures that only outbound connections on the high 
port numbers are permitted, both on the source and the destination ends of 
the connection. 

Perhaps some real experts will give you a more definitive answer... 

Patrick.
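As an added example (not Patrick's own ruleset nor anything from the FreeBSD project), the script below renders a small restrictive ruleset in the style of the thread: the fixed list of outbound service ports from the question, plus the pair of high-port "setup" rules for the passive FTP data channel. Interface names (fxp0/fxp1), the inside network and its mask are assumed placeholders. IPFW defaults to "echo ipfw", so the script only prints the commands; set IPFW=ipfw on a FreeBSD host to load them. The high_port_rule_matches function lets you check, offline, which connection setups the wide high-port rule would admit.

```shell
#!/bin/sh
# Added example, not the list post's own ruleset. Renders a restrictive ipfw
# ruleset with the passive-FTP high-port rules from the thread.
# IPFW defaults to "echo ipfw" so the commands are only printed; set IPFW=ipfw
# on a real firewall host to load them.

IPFW="${IPFW:-echo ipfw}"
IIF="${IIF:-fxp0}"                 # inside interface (assumed name)
OIF="${OIF:-fxp1}"                 # outside interface (assumed name)
INET="${INET:-192.168.1.0}"        # inside network (constructed value)
IMASK="${IMASK:-255.255.255.0}"    # its netmask (constructed value)
PORTS="${PORTS:-22,80,143,443}"    # outbound service ports from the question

# in_high_range PORT: true when PORT lies in the unprivileged range
# 1024-65535 that the high-port rules use on both ends of the connection.
in_high_range() {
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# high_port_rule_matches SPORT DPORT: would a connection *setup* from an
# inside host on SPORT to a remote DPORT match the high-port rule?
# Returns 0 (match) or 1 (no match). Setups to service ports such as 80 are
# not covered here; they need the separate service-port rule.
high_port_rule_matches() {
    in_high_range "$1" && in_high_range "$2"
}

# passive_ftp_rules N: print the two high-port rules numbered N and N+1,
# one per interface, in the form the reply above suggests.
passive_ftp_rules() {
    n="$1"
    echo "add $n allow tcp from $INET:$IMASK 1024-65535 to any 1024-65535 setup in via $IIF"
    echo "add $((n + 1)) allow tcp from $INET:$IMASK 1024-65535 to any 1024-65535 setup out via $OIF"
}

# ruleset: the full ordered ruleset as ipfw arguments, one rule per line.
ruleset() {
    echo "add 100 allow ip from any to any via lo0"
    # FTP control channel (21) and the other permitted services, inside -> out.
    echo "add 200 allow tcp from $INET:$IMASK to any 21,$PORTS setup in via $IIF"
    echo "add 210 allow tcp from $INET:$IMASK to any 21,$PORTS setup out via $OIF"
    # Passive FTP data channel: the server told the client to connect to a
    # high port, which the service list above would otherwise block.
    passive_ftp_rules 300
    # Return traffic for connections already set up by the rules above.
    echo "add 400 allow tcp from any to any established"
    # Everything else, including any inbound connection setup, is dropped.
    echo "add 65000 deny log ip from any to any"
}

# load: feed each rule line to $IPFW (by default only echoed).
load() {
    ruleset | while IFS= read -r line; do
        $IPFW $line
    done
}

load
```

The high-port rules are deliberately only for `setup` packets leaving the inside network, so an outside host cannot use them to open a connection inward; but, as Patrick notes, they are wide, since any inside host may then reach any high port on any remote address. The `deny log` catch-all is what makes the blocked passive-FTP data ports visible in the logs when the ruleset is too tight, which is the quickest way to confirm this is the problem being hit.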


More information about the freebsd-questions mailing list