>
> Below is the ipf script which works for all protocols tested. If I take
> out the first rule in 'Output rules to Internet' (pass out quick on fxp1
> proto tcp from 1.2.3.4 to any flags S keep state keep frags), FTP does
> not work. I would think "pass out quick on fxp1 proto tcp from 1.2.3.4
> to any port = 21 flags S keep state keep frags" would take care of
> passive ftp but it doesn't seem to be working.
With passive mode FTP, the client attempts to open a second TCP
connection to the server to function as the data channel. If
you want to support passive FTP, then you'll have to configure
your packet filter to allow those connections. The man page for
FreeBSD's 'ftpd' indicates that, by default, the server uses
the ports 49152..65535 for passive connections. So you'll need
a rule something like
pass in quick on <your interface> proto tcp from any to \
<your address> port 49151 >< 65536 flags S keep state
David S.
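As an added illustration (not part of either message above), here is how the two rule sets look side by side in ipf syntax: the original catch-all outbound rule from the first post, and a narrower pair that admits only the control connection plus the passive data range the reply quotes from FreeBSD ftpd. The interface fxp1 and address 1.2.3.4 are taken from the first post; the assumption that the remote server also hands out passive ports in 49152..65535 is mine, and a server configured differently will need its range added.

```conf
# --- Original rule from the first post: passes ANY outbound TCP from the host.
# This makes passive FTP work, but it also lets every other outbound
# TCP connection through, so it is not an FTP rule at all.
pass out quick on fxp1 proto tcp from 1.2.3.4 to any flags S keep state keep frags

# --- Narrower replacement (assumed server passive range 49152..65535):
# Control channel to the FTP server (port 21).
pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 21 flags S keep state keep frags
# Passive data channel: client opens a second connection to a high port on the server.
# In ipf, "a >< b" means strictly between a and b, so 49151 >< 65536 is 49152..65535.
pass out quick on fxp1 proto tcp from 1.2.3.4 to any port 49151 >< 65536 flags S keep state keep frags

# --- If this host is itself the FTP server (the case the reply describes),
# inbound data connections must be allowed into the same range.
pass in quick on fxp1 proto tcp from any to 1.2.3.4 port 49151 >< 65536 flags S keep state

# Everything else outbound on fxp1 is blocked and logged, so the range rules
# above are the only passive-FTP-related holes and can be audited as such.
block out log quick on fxp1 all
```

Because each rule uses "flags S keep state", only the SYN that opens a connection is matched and the reply packets ride on the state entry, so nothing in the inbound direction needs to be opened for the client-side rules.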