restrictive ipfw ruleset and ftp

FBSD_User
Tue Jun 17 06:54:20 PDT 2003

Read the man info carefully. The fw_punch IPFW command opens up more
things than just FTP. There is no way to activate just the FTP part. The
other things become a security problem. The fw_punch command is a
very poorly designed command and should have never been allowed into
IPFW as it currently is. User beware. Best solution is to make
and publish to all users of your environment that passive FTP is the
only FTP method allowed to be used per security, and be done with

-----Original Message-----
From: owner-freebsd-questions at [mailto:owner-freebsd-questions at] On Behalf Of Bill Moran
Sent: Tuesday, June 17, 2003 9:08 AM
To: Andrew Thomson
Cc: freebsd-questions at
Subject: Re: restrictive ipfw ruleset and ftp

Andrew Thomson wrote:
> any suggestions would be great.
> i have a restrictive ipfw ruleset that works great.. it only allows
> incoming connections that i allow and outgoing connections that i allow. i have
> a list of ports that i let my users go out on: 80, 22, 143, 443
> etc..
> All the stuff they might need to do.
> how can i handle passive ftp though?
> i can let 21 out, but when the remote ftp server says use this x
> port.. i block that because it's not in my list. so what can i do to get
> around this..
> not totally familiar with it, but is this what fw_punch is for
> nat??

That's what it's designed for.  I've never used it so I can't verify how
well it works.

Bill Moran
Potential Technologies
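As an added example (not code from this thread, and not FreeBSD's own rc.firewall), here is a ruleset of the kind the original poster describes, built the way the reply recommends: stateful egress on an explicit port list, passive FTP only, and the passive data connection permitted only to FTP servers you name instead of to "any high port anywhere". Outbound rules use skipto to the outbound natd divert so that keep-state entries are created with the inside address and the translated return packets match them after the inbound divert. Interface names, addresses, rule numbers, the port list and the FTP server list are assumptions for illustration.

```shell
#!/bin/sh
# Added example: restrictive, stateful ipfw ruleset for a natd gateway.
# All names and numbers below are assumptions; adjust to your network.
OIF=fxp0                        # outside interface natd runs on (assumed)
IIF=fxp1                        # inside LAN interface (assumed)
LAN=192.168.1.0/24              # inside network (assumed)
ALLOWED_PORTS=21,22,80,143,443  # outbound TCP port list, as in the post
FTP_SERVERS="192.0.2.10"        # FTP servers allowed passive data conns (assumed)

# Emit the ruleset in the form ipfw reads from a file (one command per line).
build_ruleset() {
    cat <<EOF
add 10 allow ip from any to any via lo0
add 20 allow ip from any to any via $IIF
add 25 deny log ip from $LAN to any in via $OIF
add 30 divert natd ip from any to any in via $OIF
add 40 check-state
# rules 2000-2099 reserved if natd is started with -punch_fw 2000:100
add 3000 skipto 9000 tcp from $LAN to any $ALLOWED_PORTS out via $OIF setup keep-state
add 3010 skipto 9000 udp from $LAN to any 53 out via $OIF keep-state
EOF
    # Passive FTP: the client opens the data connection to a server-chosen
    # high port, so allow that only towards the servers we explicitly trust.
    n=3100
    for s in $FTP_SERVERS; do
        echo "add $n skipto 9000 tcp from $LAN to $s 1024-65535 out via $OIF setup keep-state"
        n=$((n + 1))
    done
    cat <<EOF
add 8999 deny log ip from any to any out via $OIF
add 9000 divert natd ip from any to any out via $OIF
add 9010 allow ip from any to any out via $OIF
add 65000 deny log ip from any to any
EOF
}

# Flush and load the ruleset (requires root and ipfw in the kernel).
apply_ruleset() {
    f=$(mktemp) || return 1
    build_ruleset > "$f" && ipfw -f flush && ipfw -q "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *) build_ruleset ;;   # default: print the rules for review
esac
```

Run it without arguments to review the rules, `sh ipfw-rules.sh apply` to load them. Rule 20 trusts the LAN side entirely; the policy is enforced on the outside interface, where rule 8999 logs anything that is not in the explicit lists, so a user who tries active FTP or an unlisted port shows up in the log rather than silently hanging. If you do try natd's `-punch_fw base:count` instead, compare `ipfw show` before and during a transfer to see exactly which temporary rules it installs and where they land relative to the two divert rules, and keep in mind that natd punches holes for IRC DCC as well as FTP.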
