restrictive ipfw ruleset and ftp
FBSD_User at a1poweruser.com
Tue Jun 17 06:54:20 PDT 2003
Read the man info carefully. The fw_punch IPFW command opens up more
things than just FTP. There is no way to activate just the FTP part. The
other things become a security problem. The fw_punch command is a
very poorly designed command and should never have been allowed into
IPFW as it currently is. User beware. The best solution is to make
and publish to all users of your environment that passive FTP is the
only FTP method allowed to be used, per security, and be done with

From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Bill Moran
Sent: Tuesday, June 17, 2003 9:08 AM
To: Andrew Thomson
Cc: freebsd-questions at freebsd.org
Subject: Re: restrictive ipfw ruleset and ftp
Andrew Thomson wrote:
> any suggestions would be great.
> i have a restrictive ipfw ruleset that works great.. it only allows
> incoming connections that i allow and outgoing connections that i allow.
> a list of ports that i let my users go out on: 80, 22, 143, 443
> All the stuff they might need to do.
> how can i handle passive ftp though?
> i can let 21 out, but when the remote ftp server says use this x
> port.. i block that because it's not in my list. so what can i do
> around this..
> not totally familiar with it, but is this what fw_punch is for?
That's what it's designed for. I've never used it so I can't verify how
well it works.
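For readers who want to see what a restrictive egress ruleset of the kind Andrew describes looks like once the passive-FTP data connection is accounted for, here is an added example written in the style of FreeBSD's rc.firewall. It is not from any of the posters and does not use fw_punch; it relies on ipfw's own stateful rules (keep-state / check-state), so replies to permitted outbound connections are admitted without any inbound allow rule. The inside network 192.168.1.0/24, the outside interface fxp0 and the single host 192.168.1.10 that is allowed to use passive FTP are constructed placeholders. The security point the comments make is that ipfw does not read the PASV reply, so the data connection can only be let through by allowing outbound setup to the whole unprivileged port range, which is a far wider opening than the four listed ports and is therefore confined to the FTP-using host rather than the whole network. The anti-spoofing and DNS rules go a little beyond the thread but belong in any such ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): restrictive ipfw egress policy with
# stateful rules, plus a confined opening for passive-FTP data connections.
# Assumed/constructed values: inside network 192.168.1.0/24, outside interface
# fxp0, and one host 192.168.1.10 that is permitted to use passive FTP.

oif="fxp0"                    # outside interface (assumed)
inside="192.168.1.0/24"       # inside network (constructed)
ftp_clients="192.168.1.10"    # host(s) allowed passive FTP data (constructed)
egress_ports="80 22 143 443"  # the port list from the question

# Off a FreeBSD box, or as non-root, print the rules instead of loading them.
if [ -x /sbin/ipfw ] && [ "$(id -u)" = 0 ]; then
    fwcmd="/sbin/ipfw"
else
    fwcmd="echo ipfw"
fi

load_ruleset() {
    $fwcmd -f flush

    # Loopback and basic anti-spoofing.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any
    # Packets claiming an inside source address must not arrive from outside.
    $fwcmd add 130 deny ip from $inside to any in via $oif

    # Dynamic rules created by keep-state below are matched here, so the
    # return half of an allowed outbound connection is accepted without any
    # inbound "allow" rule at all.
    $fwcmd add 200 check-state

    # Egress: only the listed destination ports may be opened from inside.
    for p in $egress_ports; do
        $fwcmd add 300 allow tcp from $inside to any $p out via $oif setup keep-state
    done
    $fwcmd add 310 allow udp from $inside to any 53 out via $oif keep-state

    # Passive FTP: control channel on 21, then the server names an ephemeral
    # data port (>1023) in its PASV reply. ipfw does not parse that reply, so
    # the only stateless way to admit the data connection is to allow
    # outbound setup to the whole unprivileged range. That is a much wider
    # opening than the port list above, so it is limited to $ftp_clients.
    $fwcmd add 400 allow tcp from $ftp_clients to any 21 out via $oif setup keep-state
    $fwcmd add 410 allow tcp from $ftp_clients to any 1024-65535 out via $oif setup keep-state

    # Nothing else may open a connection in either direction; log the attempts.
    $fwcmd add 65000 deny log tcp from any to any setup
    $fwcmd add 65001 deny log ip from any to any
}

# Count the rules the function emits (meaningful in print mode only).
count_rules() {
    load_ruleset | grep -c '^ipfw add'
}

load_ruleset
```

Run as root on FreeBSD it loads the rules; anywhere else it prints them so the policy can be reviewed before it is deployed. Hosts outside `$ftp_clients` still have rule 400 closed to them as well, which is the point: passive FTP is granted per host, and the broad rule 410 never applies to the general population.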