>
> One pragmatic solution is to adjust the range of random tcp ports
> chosen to a fairly narrow one, and then allow the setup from any to
> that port range.
>
> The real answer is to get rid of ftp, and use something better.  For
> replacing anonymous ftp, http works just as well.  scp, sftp or https
> with passwords will do fine for restricting users and ensuring file
> integrity.

Another solution is a daemon that could track the control planes of some 
specific applications on a divert socket such as ftp, h323, ... and then add 
a dynamic rule for the new TCP/UDP sessions. It is like natd, however 
without the NAT features.

The performance would remain good because this daemon would work only on the 
control plane. The data plane would remain within the kernel and if they 
match the "dynamic" firewall rules, they are just forwarded or dropped by the 
kernel.

It would be a session tracking firewall ;-)

Vincent
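
As an added illustration of the two ideas in this thread (a server confined to a narrow passive port range, and a control-plane tracker that opens one dynamic rule per data connection), here is a small Python sketch. It is not Vincent's daemon, nor code from natd or ipfw: it only parses the FTP control channel replies a tracker would see on its divert socket and produces the ipfw rule text such a daemon would hand to ipfw(8). The divert-socket plumbing, the call to ipfw and the rule deletion when the control session closes are left out; the addresses, the port range (50000-50100) and the sample dialogue are constructed. The rule uses ipfw's `setup keep-state` so the kernel tracks the resulting session itself, with no `allow ... established` catch-all. Two checks a practitioner would want are included: a PASV reply advertising an address other than the server's own is refused, and an advertised port outside the configured range is refused.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical helper, not the daemon described in the post above: it parses
# FTP control-channel replies and derives the per-session ipfw rule that a
# control-plane tracker would add for the data connection.

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -- RFC 959 PASV reply
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)   -- RFC 2428 EPSV reply
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class DataChannel:
    client: str   # address that opened the control connection
    server: str   # passive-mode server address
    port: int     # data port the server just advertised


def parse_passive_reply(line: str, client: str, server: str) -> Optional[DataChannel]:
    """Return the data channel announced by a PASV/EPSV reply, or None.

    A PASV reply advertising an address other than the server's own is
    treated as invalid: the tracker would otherwise open a rule towards a
    third host instead of the server it is protecting.
    """
    m = PASV_RE.match(line)
    if m:
        advertised = ".".join(m.group(i) for i in range(1, 5))
        if advertised != server:
            return None
        port = int(m.group(5)) * 256 + int(m.group(6))
        return DataChannel(client, server, port)
    m = EPSV_RE.match(line)
    if m:
        return DataChannel(client, server, int(m.group(1)))
    return None


def ipfw_rule(chan: DataChannel, rule_no: int) -> str:
    """Rule text a tracker would pass to ipfw(8): only the client that owns
    the control session may set up a connection to the advertised port, and
    keep-state lets the kernel track that session without a catch-all
    'allow established' rule."""
    return (f"add {rule_no} allow tcp from {chan.client} to "
            f"{chan.server} {chan.port} setup keep-state")


def track_control_session(lines: List[str], client: str, server: str,
                          port_range: Tuple[int, int],
                          first_rule: int = 1000) -> Tuple[List[str], List[str]]:
    """Walk a control-channel dialogue; return (rules_to_add, rejected_lines).

    port_range is the narrow passive range the server is configured with;
    an advertised port outside it is rejected rather than opened.
    """
    lo, hi = port_range
    rules: List[str] = []
    rejected: List[str] = []
    rule_no = first_rule
    for line in lines:
        if not line.startswith(("227", "229")):
            continue                     # only passive-mode replies matter
        chan = parse_passive_reply(line, client, server)
        if chan is None or not lo <= chan.port <= hi:
            rejected.append(line)
            continue
        rules.append(ipfw_rule(chan, rule_no))
        rule_no += 1
    return rules, rejected


# Constructed sample dialogue (server replies only); addresses are made up.
SAMPLE_SERVER = "192.0.2.10"
SAMPLE_CLIENT = "198.51.100.7"
SAMPLE_RANGE = (50000, 50100)
SAMPLE_LINES = [
    "220 ftp.example.test ready",
    "230 Login successful",
    "227 Entering Passive Mode (192,0,2,10,195,88)",   # 195*256+88 = 50008, in range
    "227 Entering Passive Mode (192,0,2,10,4,1)",      # port 1025, outside the range
    "227 Entering Passive Mode (203,0,113,5,195,89)",  # address is not the server's
    "229 Entering Extended Passive Mode (|||50020|)",  # EPSV, in range
    "226 Transfer complete",
]

if __name__ == "__main__":
    rules, rejected = track_control_session(SAMPLE_LINES, SAMPLE_CLIENT,
                                            SAMPLE_SERVER, SAMPLE_RANGE)
    for r in rules:
        print("ipfw", r)
    for line in rejected:
        print("rejected:", line)
```

Run as a script it prints two `ipfw add ... setup keep-state` lines for ports 50008 and 50020 and two rejected replies. A real tracker would also delete each rule (or let a short lifetime expire it) once the control session ends, so the hole is open only for the duration of the transfer.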


>
> On Mon, Dec 09, 2002 at 04:42:11PM -0500, Peter Brezny wrote:
> > Yes but then you run into:
> >    DYNAMIC RULES
> >      In order to protect a site from flood attacks involving fake TCP packets,
> >      it is safer to use dynamic rules:
> >
> >            ipfw add check-state
> >            ipfw add deny tcp from any to any established
> >
> > And also, if you've got an:
> > add allow all from any to any established
> >
> > aren't you sort of setting yourself up.  Couldn't someone establish a
> > valid connection to a valid port, then, have a field day?
> >
> > TIA
> >
> > Peter Brezny
> > Skyrunner.net
> >
> >
> > -----Original Message-----
> > From: Orville R. Weyrich_Jr [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, December 09, 2002 4:55 PM
> > To: Peter Brezny
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: passive mode ftp server, need stateful ipfw rule.
> >
> >
> > Isn't that what ESTABLISHED is used for?
> >
> > On Mon, 9 Dec 2002, Peter Brezny wrote:
> > > Is it possible to create an ipfw ruleset for an ftp server in passive
> > > mode that figures out which random port the ftp server is going to open
> > > to only allow the client that initiated the connection to connect to
> > > that port?
> > >
> > >
> > > Since the client initiates its data connection from a random port to
> > > the new random data port on the passive mode server, I've so far not
> > > been able to come up with decent firewall rules to protect this type of
> > > system.
> > >
> > > TIA,
> > >
> > >
> > > Peter Brezny
> > > Skyrunner.net
> > >
> > >
> > >
> > > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > > with "unsubscribe freebsd-net" in the body of the message
> >
> > ---------------------------------------------------------------------------
> > Orville R. Weyrich, Jr PhD.         KD7HJV
> > mailto:[EMAIL PROTECTED]
> > ---------------------------------------------------------------------------
> >
> >
> >

