ftp, pf, passive ftp and fetch

Dave dmehler26 at woh.rr.com
Fri May 18 19:34:23 UTC 2007


Hi Greg,
    Thanks for your informative reply. You've convinced me; I'm going passive. 
That sentence, "it's less of a PITA", I think did it. Right now ftp is proving 
to be just that: it's flaky. Some machines are fine with it; one Windows 
box, XP SP2 and IE6, works fine, another with the same config can't resolve the ftp 
sites. And I guess I just won't use the ftp command-line option; I don't like 
it anyway, I'm spoiled on ncftp.
    I've got pftpx going on the router, and have pf set up with the 
appropriate anchors, but clients are, as I said, flaky: one works fine, some 
work intermittently and some don't work at all. It is perplexing.
Thanks.
Dave.

----- Original Message ----- 
From: "Greg Hennessy" <Greg.Hennessy at nviz.net>
To: "'Dave'" <dmehler26 at woh.rr.com>; <freebsd-pf at freebsd.org>
Sent: Friday, May 18, 2007 3:04 AM
Subject: RE: ftp, pf, passive ftp and fetch


>> Hi,
>>     I'm trying to get ftp working from behind a pf firewall. I'm using
>> pftpx on FreeBSD 6.2 for this. I believe i have passive working, one of
>> my windows boxes goes passive and dies on active.
>
> Command line FTP client in windows is active only.
>
>> I've got three questions. First,
>> portupgrade uses fetch for retrieval correct, if so i want it to use
>> the -p (passive option) by default whenever it tries an ftp url.
>
> gw2:~ # set | grep -i ftp
> FTP_PASSIVE_MODE=1
>
>> Second, ncftp i'd like to specify that it should use passive mode
>> connections by default as well.
>
> gw2:~ # grep -i passive .ncftp/prefs_v3
> passive=on
>
>
>> Last, is active or passive ftp better in terms of security
>> strictly from a firewall perspective, i know the protocol isn't secure?
>
> Passive is less of a PITA, (that's not saying much).
> One doesn't have to handle ingress traffic initiated from the server.
>
> However one either has to leave high ports open or use a L7 proxy to
> dynamically open the firewall for each request, hence pftpx.
>
>> If active ftp is better than passive does anyone have a ruleset with it?
>> I'm using a  block by default ruleset.
>
> I haven't used active FTP for years TBH. I have had serious arguments with
> vendors and suppliers who tried to insist on its use through environments
> I have had responsibility for.
>
>
>
> Greg
>
>
>
>
>> Thanks.
>> Dave.
>>
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> 
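The two choices Greg describes for passive clients behind a block-by-default pf firewall, as an added pf.conf fragment that is not part of the thread: the blanket high-port egress rule beside the pftpx anchor setup. Interface names, the internal network and the pftpx listen port (its documented default of 127.0.0.1:8021) are assumptions, as is the "pftpx/*" anchor name from pftpx's own README.

```conf
# Added example (not from the thread). Interface names, the internal
# network and the pftpx listen port are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

# Option A: "leave high ports open". A passive data connection goes from
# the client to whatever port > 1023 the server announced in its PASV
# reply, so with block-by-default you need a blanket egress rule. It works,
# but it is a wide, permanent hole (commented out here on purpose).
# pass out on $ext_if proto tcp from $int_net to any port > 1023 keep state

# Option B: pftpx as an L7 proxy. It reads the control channel and inserts
# a rule into its own anchor for exactly one data connection per PASV/PORT
# exchange, then removes it when the session ends. Anchor names must match
# what pftpx expects (pftpx/*).
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"

# Send every client control connection (port 21) into pftpx on the router.
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

block all

# Rules pftpx inserts at runtime live here; last match wins, so this
# anchor must come after the block rule.
anchor "pftpx/*"

# pftpx itself originates the outbound control channel from the router.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state
```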


