List: ipfilter
Subject: Re: Passive FTP confusion, need help constructing rule
From: "Markus Oestreicher" <m.oe () x-trader ! de>
Date: 2001-10-26 17:28:48
Hello,
> > I can see that they have got it working by redirecting port 21
> > to the firewall and setting up translation to their internal
> > (192.168...) net. In my case I don't need address translation
> > because all addresses are officially routed on the internet.
> >
> > In my opinion I need a filter that watches for outgoing packets
> > with "PASV" in them and creates a temporary rule to allow the
> > data connection to be established. Is that correct?
>
> There isn't currently a way to do dynamic rule processing for passive mode in
> IP Filter. You have to open an inbound range to your public IP, and set your
> FTP server to use that range for passive ports. This is safe as long as you
> make sure nothing else listens in that range. Consider setting your ephemeral
> port range not to overlap with it as well.
As mentioned earlier, the FTPds used on the servers behind the
firewall are not able to restrict themselves to a specific range of
ports, and so I would have to open 1024 <> 65535 to make this work. :-(
Is it difficult to extend IPFilter to do the check mentioned
above? I am not very experienced in C, but a few hacks are no
problem.
bye
Markus Oestreicher
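The static approach the quoted reply recommends, as an added example that is not part of the thread: a small POSIX shell script that emits the IP Filter rules for an FTP server whose ftpd has been told to use a fixed passive range, and refuses to emit them if anything else on the host already listens inside that range (the caveat the reply raises). The interface name xl0, the address 192.0.2.10, the range 49152-65535 and the netstat listings are all constructed assumptions; on a real host you would feed the script the output of netstat -an instead of the embedded sample.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates ipf rules that open a
# passive-FTP port range to one public address, after checking that no other
# service on the host listens inside that range. All names/addresses below are
# assumptions for illustration.

IF=xl0                # assumed outside interface of the filtering host
FTP_HOST=192.0.2.10   # assumed public address of the FTP server
PASV_LO=49152         # assumed passive range the ftpd was configured to use
PASV_HI=65535

# Constructed sample of `netstat -an` output; port 50000 sits inside the range.
SAMPLE_NETSTAT='tcp  0 0 *.21      *.*  LISTEN
tcp  0 0 *.22      *.*  LISTEN
tcp  0 0 *.50000   *.*  LISTEN'

# Constructed sample with nothing listening inside the range.
CLEAN_NETSTAT='tcp  0 0 *.21      *.*  LISTEN
tcp  0 0 *.22      *.*  LISTEN'

# listeners_in_range LO HI  -- reads netstat output on stdin.
# Prints every LISTENing local port inside [LO,HI]; exit 1 if any was found.
listeners_in_range() {
    awk -v lo="$1" -v hi="$2" '
        $NF == "LISTEN" {
            n = split($4, a, ".")      # local address is field 4, port after last dot
            port = a[n] + 0
            if (port >= lo + 0 && port <= hi + 0) { print port; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# ipf_rules IF HOST LO  -- the rule set described in the quoted reply:
# control connection on 21, passive data on LO..65535, everything else blocked.
ipf_rules() {
    cat <<EOF
# FTP control connection to the server
pass in quick on $1 proto tcp from any to $2 port = 21 flags S keep state
# passive data connections: only the range the ftpd itself was configured to use
pass in quick on $1 proto tcp from any to $2 port >= $3 flags S keep state
# nothing else reaches the server over TCP
block in quick on $1 proto tcp from any to $2
EOF
}

# rules_if_safe IF HOST LO HI  -- reads netstat output on stdin; emits rules only
# when the range is free, otherwise reports the offending ports and returns 1.
rules_if_safe() {
    if ports=$(listeners_in_range "$3" "$4"); then
        ipf_rules "$1" "$2" "$3"
    else
        echo "refusing to open $3-$4 on $2: already listening on port(s): $ports" >&2
        return 1
    fi
}

# Demonstration on the constructed samples (top level must not exit, so the
# functions above stay callable from a test harness).
printf '%s\n' "$SAMPLE_NETSTAT" | rules_if_safe "$IF" "$FTP_HOST" "$PASV_LO" "$PASV_HI" || :
printf '%s\n' "$CLEAN_NETSTAT"  | rules_if_safe "$IF" "$FTP_HOST" "$PASV_LO" "$PASV_HI" || :
```

On a live firewall the emitted rules can be syntax-checked without loading them by piping them into `ipf -n -f -`. The script only covers the filter side: the ftpd must be configured to hand out passive ports from the same range, which is exactly the step Markus says his servers' ftpds cannot do, so for his 1024 <> 65535 case the listener check would be the only thing standing between the open range and every other service on the box.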