ftp, cvsup, etc...

Andrew Seguin asegu at borgtech.ca
Mon Feb 14 01:05:34 PST 2005


> -----Original Message-----
> From: Giulio Ferro
> Subject: ftp, cvsup, etc...
> 
> Hasn't anybody thought yet of a way to manage those protocols which
> dynamically open more passive connections when the first connection
> is established, like ftp or cvsup.
> Now you are forced to keep high ports open (let's say 20000-65535) to
> allow for dynamic connections, but I think that is a less than optimal
> solution.
> It would be great if ipfw actually "understood" those protocols and opened up
> ports as need requires.

I'm far from an expert, so I don't really know about any solution to this. I
agree that it would be "nice", but at the same time, would it be possible? IPFW
works at layers 2/3, correct? And for this, it would require something like
layer 7 protocol analysis? That seems like something that would require a
greater amount of work for ipfw.

> 
> A linked question is: doesn't anybody else think that protocol inspection
> would be a very desirable feature in ipfw? Maybe together with a virus
> scan for client-side code (activex, plugin, applet, etc...)

Maybe what is needed rather is a separate daemon running, and then in IPFW
one could add a divert rule to this application layer firewall after initial
filtering, somewhat like natd? I would be quite interested in such a
feature/program if anybody knows of one which is free.

Andrew
 

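What such a separate helper daemon would actually have to do for FTP is small compared with the divert plumbing around it: watch the control channel, recognise the replies and commands that announce a dynamic data port, and emit a rule that opens exactly that endpoint. The following is an added example, not code from the original post or from ipfw/natd; it shows only the inspection and rule-building logic, not the divert socket or TCP stream reassembly a real daemon would need. The client/server addresses, ports and rule numbers are constructed, and the helper names (parse_control_line, rules_for_session) are this example's own. The checks that the advertised address matches the peer actually on the control connection, and that the port is unprivileged, are the caveat a practitioner would want: without them a malicious server can use a PASV reply to make the firewall open a hole towards a third host (the classic FTP bounce).

```python
"""FTP control-channel inspection for a firewall helper (added example).

Reads lines of an FTP control session, picks out PASV/EPSV replies and PORT
commands, validates them, and builds the ipfw rule that would admit just the
announced data connection.  Hosts, ports and rule numbers below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Server reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"    (RFC 959)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# Server reply "229 Entering Extended Passive Mode (|||port|)"    (RFC 2428)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")
# Client command "PORT h1,h2,h3,h4,p1,p2" (active mode: server connects back)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)


@dataclass(frozen=True)
class DataChannel:
    src_host: str
    src_port: Optional[int]   # None means "any" (client's ephemeral source port)
    dst_host: str
    dst_port: int


def _host_port(octets: Tuple[str, ...]) -> Optional[Tuple[str, int]]:
    """Decode the h1..h4,p1,p2 form; reject octets outside 0..255."""
    vals = [int(o) for o in octets]
    if any(v > 255 for v in vals):
        return None
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]


def parse_control_line(line: str, sender: str, client_ip: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data channel announced by one control-channel line, or None.

    sender is "client" or "server".  A line whose advertised address is not the
    peer we are actually talking to, or whose port is privileged, is ignored:
    this is what stops a rogue server from using the helper to open holes
    towards other hosts (FTP bounce).
    """
    if sender == "server":
        m = PASV_RE.match(line)
        if m:
            hp = _host_port(m.groups())
            if hp is None or hp[0] != server_ip or hp[1] <= 1023:
                return None
            return DataChannel(client_ip, None, server_ip, hp[1])
        m = EPSV_RE.match(line)
        if m:
            port = int(m.group(1))
            if not 1023 < port <= 65535:
                return None
            return DataChannel(client_ip, None, server_ip, port)
    elif sender == "client":
        m = PORT_RE.match(line)
        if m:
            hp = _host_port(m.groups())
            if hp is None or hp[0] != client_ip or hp[1] <= 1023:
                return None
            # Active mode: the server connects from ftp-data (20) to the client's port.
            return DataChannel(server_ip, 20, client_ip, hp[1])
    return None


def ipfw_rule(ch: DataChannel, rule_no: int) -> str:
    """Build an ipfw rule admitting only the SYN of the announced data connection."""
    src = ch.src_host if ch.src_port is None else f"{ch.src_host} {ch.src_port}"
    return f"ipfw add {rule_no} allow tcp from {src} to {ch.dst_host} {ch.dst_port} setup"


def rules_for_session(session: List[Tuple[str, str]], client_ip: str, server_ip: str,
                      first_rule: int = 1000) -> List[str]:
    """Run the whole control-channel transcript through the inspector."""
    rules: List[str] = []
    for sender, line in session:
        ch = parse_control_line(line, sender, client_ip, server_ip)
        if ch is not None:
            rules.append(ipfw_rule(ch, first_rule + len(rules)))
    return rules


# Constructed control-channel transcript: client 192.0.2.10, server 198.51.100.7.
SAMPLE_SESSION = [
    ("server", "220 ftp.example.test ready"),
    ("client", "USER anonymous"),
    ("server", "331 Password required"),
    ("client", "PASS guest@"),
    ("server", "230 Logged in"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (198,51,100,7,195,80)"),   # 195*256+80 = 50000
    ("client", "EPSV"),
    ("server", "229 Entering Extended Passive Mode (|||50001|)"),
    ("client", "PORT 192,0,2,10,196,136"),                            # 196*256+136 = 50312
    ("server", "227 Entering Passive Mode (10,0,0,1,195,80)"),        # bounce attempt: dropped
]

if __name__ == "__main__":
    for rule in rules_for_session(SAMPLE_SESSION, "192.0.2.10", "198.51.100.7"):
        print(rule)
```

A real helper would also have to delete each rule once the data connection closes or times out, and it would see the control channel only if ipfw diverted port 21 traffic to it; TLS-protected control channels (AUTH TLS) defeat this approach entirely, which is one reason the "keep a high port range open" workaround the original poster dislikes has persisted.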
More information about the freebsd-ipfw mailing list