Yes but then you run into:
   DYNAMIC RULES
     In order to protect a site from flood attacks involving fake TCP packets,
     it is safer to use dynamic rules:

           ipfw add check-state
           ipfw add deny tcp from any to any established

And also, if you've got an:
add allow all from any to any established

aren't you sort of setting yourself up?  Couldn't someone establish a valid
connection to a valid port, then have a field day?

TIA

Peter Brezny
Skyrunner.net

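Added example (not from this thread or from ipfw's documentation): the ruleset the man page excerpt above points at, written out for the passive-mode FTP server of the original question, with the blanket "allow ... established" rule replaced by check-state/keep-state. Everything in it is an assumption chosen for illustration: the server address 192.0.2.10, the external interface fxp0, and FreeBSD ftpd's default passive data port range 49152-65535 (the high port range, net.inet.ip.portrange.hifirst/hilast; ftpd -U reverts to the old 1024-4999 range). Rule numbers and the DRY_RUN/APPLY switches are mine, not an ipfw feature.

```sh
#!/bin/sh
# Added example, not code from the original thread.  Stateful ipfw ruleset
# for a passive-mode FTP server.  Assumptions (adjust to your host):
#   FTP_SERVER  address of the FTP server        (constructed: 192.0.2.10)
#   EXT_IF      interface facing the clients     (constructed: fxp0)
#   PASV_LO/HI  ftpd's passive data port range   (FreeBSD default 49152-65535)
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"
EXT_IF="${EXT_IF:-fxp0}"
PASV_LO="${PASV_LO:-49152}"
PASV_HI="${PASV_HI:-65535}"

# fw: run ipfw, or print the command when DRY_RUN is set or ipfw is absent,
# so the ruleset can be reviewed on any machine before it is applied.
fw() {
    if [ -n "${DRY_RUN:-}" ] || ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

ftp_ruleset() {
    fw -f flush

    # Loopback traffic never reaches the stateful rules below.
    fw add 50 allow ip from any to any via lo0

    # 1. Packets belonging to a flow that was set up through a keep-state
    #    rule match their dynamic rule here and go no further.
    fw add 100 check-state

    # 2. Any other TCP packet carrying ACK but not SYN has no dynamic rule
    #    behind it: forged, stale, or out of policy.  Dropping it here is
    #    what replaces the usual "allow tcp from any to any established".
    fw add 200 deny tcp from any to any established

    # 3. Control channel.  Only a SYN can open it, and the dynamic rule it
    #    creates is bound to that client's source address and port, so a
    #    valid session on port 21 does not open any other port.
    fw add 300 allow tcp from any to "$FTP_SERVER" 21 \
        in via "$EXT_IF" setup keep-state

    # 4. Passive data channels.  ipfw does not parse the PASV reply, so it
    #    cannot learn which port was handed to which client; the most it
    #    can enforce is that only SYNs to ftpd's passive range get through,
    #    and that each resulting flow is tracked like the control channel.
    fw add 400 allow tcp from any to "$FTP_SERVER" "$PASV_LO-$PASV_HI" \
        in via "$EXT_IF" setup keep-state

    # 5. Connections the server itself opens (e.g. active-mode data from
    #    port 20) are tracked the same way.
    fw add 500 allow tcp from "$FTP_SERVER" to any \
        out via "$EXT_IF" setup keep-state

    # 6. Anything else (UDP, ICMP, unsolicited TCP SYNs) is dropped.
    fw add 65000 deny ip from any to any
}

# Print the rules unless explicitly asked to load them (APPLY=1).
if [ "${APPLY:-}" = 1 ]; then ftp_ruleset; else DRY_RUN=1 ftp_ruleset; fi
```

Run it without arguments to see the rules; run it as APPLY=1 from the console of the FTP server to load them (it flushes the existing ruleset first, so doing that over a remote session on a default-deny kernel will lock you out). What it buys over "allow all from any to any established": a forged ACK to any port dies at rule 200 because no dynamic rule exists for it, and a client that legitimately set up a session to port 21 is tracked by source address and port only for that session. What it cannot do is the thing the original question asks for: bind the passive data port to the client that requested it, since ipfw's dynamic rules track flows but do not read the FTP control channel. Narrowing PASV_LO/PASV_HI (and the matching sysctls) is the only lever ipfw alone gives you there; DNS, ICMP and anything else the server needs are outside this ruleset and must be added above rule 65000.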

-----Original Message-----
From: Orville R. Weyrich_Jr [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 4:55 PM
To: Peter Brezny
Cc: [EMAIL PROTECTED]
Subject: Re: passive mode ftp server, need stateful ipfw rule.


Isn't that what ESTABLISHED is used for?

On Mon, 9 Dec 2002, Peter Brezny wrote:

> Is it possible to create an ipfw ruleset for an ftp server in passive mode
> that figures out which random port the ftp server is going to open to only
> allow the client that initiated the connection to connect to that port?
>
>
> Since the client initiates its data connection from a random port to the
> new random data port on the passive mode server, I've so far not been able
> to come up with decent firewall rules to protect this type of system.
>
> TIA,
>
>
> Peter Brezny
> Skyrunner.net
>
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
>

-------------------------------------------------------------------------------
Orville R. Weyrich, Jr PhD.         KD7HJV
mailto:[EMAIL PROTECTED]
-------------------------------------------------------------------------------
