
List:       ipfilter
Subject:    Re: Passive FTP confusion, need help constructing rule
From:       "Markus Oestreicher" <m.oe () x-trader ! de>
Date:       2001-10-26 17:28:48

Hello,

> > I can see that they have got it working by redirecting port 21
> > to the firewall and setting up translation to their internal
> > (192.168...) net. In my case I don't need address translation
> > because all addresses are officially routed on the internet.
> >
> > In my opinion I need a filter that watches for outgoing packets
> > with "PASV" in them and creates a temporary rule to allow the
> > data connection to be established. Is that correct?
>
> There isn't currently a way to do dynamic rule processing for
> passive mode in IP Filter. You have to open an inbound range to
> your public IP, and set your FTP server to use that range for
> passive ports. This is safe as long as you make sure nothing else
> listens in that range. Consider setting your ephemeral port range
> not to overlap with it as well.

As mentioned earlier, the FTPd used on the servers behind the
firewall is not able to restrict itself to a specific range of ports,
and so I would have to open 1024 <> 65535 to make this work. :-(

Is it difficult to extend IPFilter to do the check mentioned
above? I am not very experienced in C, but a few hacks are no
problem.

bye
Markus Oestreicher
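The check discussed in this thread, as an added example that is not part of the original post or of IP Filter's code: a filter inspecting the control connection would parse the server's `227` reply to a `PASV` command and derive the single data port to open temporarily, instead of passing the whole 1024 <> 65535 range. The server address and sample replies below are constructed.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (ip, port) advertised in a 227 reply, or None if the line is not one."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed reply, do not act on it
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def data_pinhole(server_ip, reply, min_port=1024):
    """Describe the temporary rule a dynamic filter would add for one reply.

    Only the (server_ip, port) pair the server actually announced is opened,
    and only when the announced host matches the control connection's server
    and the port is unprivileged; anything else yields no rule at all.
    """
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(server_ip):
        return None  # reply points at another host; refuse to open it
    if not min_port <= port <= 65535:
        return None
    return {"proto": "tcp", "dst": server_ip, "dport": port}


if __name__ == "__main__":
    # Constructed sample: server 192.0.2.10 announces port 19*256+137 = 5001.
    SERVER = "192.0.2.10"
    for line in ("227 Entering Passive Mode (192,0,2,10,19,137)",
                 "227 Entering Passive Mode (198,51,100,7,19,137)",
                 "220 ftp ready"):
        print(line, "->", data_pinhole(SERVER, line))
```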

