Yes but then you run into:

    DYNAMIC RULES
    In order to protect a site from flood attacks involving fake TCP packets,
    it is safer to use dynamic rules:

        ipfw add check-state
        ipfw add deny tcp from any to any established

And also, if you've got an:

    add allow all from any to any established

aren't you sort of setting yourself up? Couldn't someone establish a valid
connection to a valid port, then have a field day?

TIA

Peter Brezny
Skyrunner.net

-----Original Message-----
From: Orville R. Weyrich_Jr [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 4:55 PM
To: Peter Brezny
Cc: [EMAIL PROTECTED]
Subject: Re: passive mode ftp server, need stateful ipfw rule.

Isn't that what ESTABLISHED is used for?

On Mon, 9 Dec 2002, Peter Brezny wrote:

> Is it possible to create an ipfw ruleset for an ftp server in passive mode
> that figures out which random port the ftp server is going to open to only
> allow the client that initiated the connection to connect to that port?
>
> Since the client initiates its data connection from a random port to the
> new random data port on the passive mode server, I've so far not been able
> to come up with decent firewall rules to protect this type of system.
>
> TIA,
>
> Peter Brezny
> Skyrunner.net
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message

-------------------------------------------------------------------------------
Orville R. Weyrich, Jr PhD.  KD7HJV
mailto:[EMAIL PROTECTED]
-------------------------------------------------------------------------------
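The distinction behind Peter's worry is that the `established` keyword only tests flag bits on the packet in front of the firewall (ACK or RST set), with no memory of whether a handshake ever happened, so an `allow ... established` rule passes any forged ACK packet and any ACK scan. `keep-state` on the `setup` (SYN) rule plus `check-state` gives real per-connection state, and the `deny ... established` rule from ipfw(8) then drops every flag-only packet that has no state entry. Below is an added example of that pattern applied to a passive-mode FTP server, written as a FreeBSD rc.firewall-style script; it is not code from the thread or from ipfw itself. Assumptions (not from the thread): the server's address is 192.0.2.10 (a documentation address), the ftpd has been configured to hand out passive data ports only in 21000-21100 (how to pin that range depends on the ftpd), and the `FWCMD` variable names the ipfw binary so the script can be dry-run with `FWCMD=echo`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: stateful ipfw ruleset for a
# passive-mode FTP server. Assumed values (not from the thread): server address
# 192.0.2.10, passive data ports 21000-21100, ipfw binary in $FWCMD.
set -u

fwcmd="${FWCMD:-/sbin/ipfw}"   # set FWCMD=echo to print the rules instead of loading them

# load_ftp_rules SERVER_IP PASV_LO PASV_HI
load_ftp_rules() {
    server="$1"; pasv_lo="$2"; pasv_hi="$3"

    $fwcmd -f flush

    # 1. Packets belonging to a tracked connection match the dynamic entry
    #    created by a keep-state rule below and are accepted here.
    $fwcmd add 100 check-state

    # 2. Anything with ACK/RST set that did NOT match a state entry is bogus:
    #    a forged "established" packet, an ACK scan, or a leftover from before
    #    the ruleset was loaded. This is the ipfw(8) DYNAMIC RULES idiom and
    #    replaces the dangerous "allow ... established".
    $fwcmd add 200 deny tcp from any to any established

    # 3. New control connections: only a SYN (setup) creates state, and from
    #    then on only that exact 4-tuple passes, via rule 100.
    $fwcmd add 300 allow tcp from any to "$server" 21 setup keep-state

    # 4. Passive data connections get the same treatment, restricted to the
    #    port range the ftpd actually uses. Ports outside it never get state.
    #    Caveat: ipfw does not parse the PASV reply, so any client may open a
    #    data port in this range while it is listening; tying the data port
    #    to the client that owns the control connection needs an
    #    application-aware FTP proxy, not a packet filter rule.
    $fwcmd add 400 allow tcp from any to "$server" "${pasv_lo}-${pasv_hi}" setup keep-state

    # 5. Any other inbound SYN to the server is refused and logged.
    $fwcmd add 500 deny log tcp from any to "$server" setup

    # 6. Connections the server itself originates (DNS, ident lookups by
    #    ftpd) are allowed and tracked the same way.
    $fwcmd add 600 allow tcp from "$server" to any setup keep-state
    $fwcmd add 610 allow udp from "$server" to any keep-state

    # 7. Enough ICMP to keep path-MTU discovery and traceroute working.
    $fwcmd add 700 allow icmp from any to any icmptypes 0,3,8,11

    # Everything else is dropped.
    $fwcmd add 65000 deny log ip from any to any
}

# Only load the rules when explicitly asked, e.g.:
#   sh ftp-ipfw.sh apply 192.0.2.10 21000 21100
if [ "${1:-}" = "apply" ]; then
    load_ftp_rules "${2:-192.0.2.10}" "${3:-21000}" "${4:-21100}"
fi
```

Run `FWCMD=echo sh ftp-ipfw.sh apply` first to review the generated rules; load them for real from a console session rather than over the network, since rule 200 will cut off any SSH connection that was open before the state table existed.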